author | mpriyank <priyank.maheshwari@est.tech> | 2023-01-03 14:17:36 +0000 |
committer | mpriyank <priyank.maheshwari@est.tech> | 2023-01-04 13:28:20 +0000 |
commit | d4fd02f79d1fa110d2008dbadcb7d1f065f0ff86 (patch) | |
tree | effb0a325e11fc0397a7b778bf8ded8d619ff46e | |
parent | 90a28b672b94d0b3effb1b800bca1621d1529c6d (diff) |
XXE prevention
- xml external entity prevention in the XmlFileUtils
- setting the features only once for the document builder factory
Issue-ID: CPS-1435
Change-Id: I06f9ac4bcdb0a90262f237489c6c50d8fde33c0d
Signed-off-by: mpriyank <priyank.maheshwari@est.tech>
-rw-r--r-- | cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java b/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java
index be592f0b03..bbff5efa20 100644
--- a/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java
+++ b/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java
@@ -49,7 +49,8 @@ import org.xml.sax.SAXException;
 @NoArgsConstructor(access = AccessLevel.PRIVATE)
 public class XmlFileUtils {
- private static DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+ private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ private static boolean isNewDocumentBuilderFactoryInstance = true;
 private static final Pattern XPATH_PROPERTY_REGEX = Pattern.compile("\\[@(\\S{1,100})=['\\\"](\\S{1,100})['\\\"]\\]");
@@ -98,7 +99,7 @@ public class XmlFileUtils {
 final String namespace, final Map<String, String> rootNodeProperty) throws IOException, SAXException, ParserConfigurationException, TransformerException {
- final DocumentBuilder documentBuilder = dbFactory.newDocumentBuilder();
+ final DocumentBuilder documentBuilder = getDocumentBuilderFactory().newDocumentBuilder();
 final StringBuilder xmlStringBuilder = new StringBuilder();
 xmlStringBuilder.append(xmlContent);
 final Document document = documentBuilder.parse(
@@ -145,8 +146,8 @@ public class XmlFileUtils {
 final String namespace, final Map<String, String> rootNodeProperty) {
 try {
- final DocumentBuilder docBuilder = dbFactory.newDocumentBuilder();
- final Document document = docBuilder.newDocument();
+ final DocumentBuilder documentBuilder = getDocumentBuilderFactory().newDocumentBuilder();
+ final Document document = documentBuilder.newDocument();
 final Element rootElement = document.createElementNS(namespace, tagName);
 for (final Map.Entry<String, String> entry : rootNodeProperty.entrySet()) {
 final Element propertyElement = document.createElement(entry.getKey());
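Review bot: The once-only configuration introduced by `isNewDocumentBuilderFactoryInstance` in the first hunk and consumed by the new getDocumentBuilderFactory() in the last hunk is a plain static boolean that is neither volatile nor guarded, so two threads reaching the first parse concurrently can both call setFeature on the shared factory while a third already uses it, and nothing orders the flag write after the feature writes. Class initialization is serialized by the JVM, so applying the features in a static block right after the `documentBuilderFactory` field removes the flag and the race entirely; getDocumentBuilderFactory() then reduces to `return documentBuilderFactory;`, and `ParserConfigurationException` has to be wrapped because a static block cannot throw a checked exception. While there, `setXIncludeAware(false)` and `setExpandEntityReferences(false)` are cheap defence-in-depth next to disallow-doctype-decl. The two methods that call newDocumentBuilder() start outside their hunks.

```java
    private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();

    static {
        try {
            // Rejecting any DOCTYPE blocks external entities and entity expansion at the source.
            documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            documentBuilderFactory.setXIncludeAware(false);
            documentBuilderFactory.setExpandEntityReferences(false);
        } catch (final ParserConfigurationException exception) {
            throw new IllegalStateException("Unable to configure secure XML parsing", exception);
        }
    }
    // … unchanged: XPATH_PROPERTY_REGEX and the rest of the class …
```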
@@ -160,4 +161,14 @@ public class XmlFileUtils {
 throw new DataValidationException("Can't parse XML", "XML can't be parsed", exception);
 }
 }
+
+ private static DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException {
+ if (isNewDocumentBuilderFactoryInstance) {
+ documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ isNewDocumentBuilderFactoryInstance = false;
+ }
+
+ return documentBuilderFactory;
+ }
 }