aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormpriyank <priyank.maheshwari@est.tech>2023-01-03 14:17:36 +0000
committermpriyank <priyank.maheshwari@est.tech>2023-01-04 13:28:20 +0000
commitd4fd02f79d1fa110d2008dbadcb7d1f065f0ff86 (patch)
treeeffb0a325e11fc0397a7b778bf8ded8d619ff46e
parent90a28b672b94d0b3effb1b800bca1621d1529c6d (diff)
XXE prevention
- xml external entity prevention in the XmlFileUtils - setting the features only once for the document builder factory Issue-ID: CPS-1435 Change-Id: I06f9ac4bcdb0a90262f237489c6c50d8fde33c0d Signed-off-by: mpriyank <priyank.maheshwari@est.tech>
-rw-r--r--cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java19
1 files changed, 15 insertions, 4 deletions
diff --git a/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java b/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java
index be592f0b03..bbff5efa20 100644
--- a/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java
+++ b/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java
@@ -49,7 +49,8 @@ import org.xml.sax.SAXException;
@NoArgsConstructor(access = AccessLevel.PRIVATE)
public class XmlFileUtils {
- private static DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+ private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ private static boolean isNewDocumentBuilderFactoryInstance = true;
private static final Pattern XPATH_PROPERTY_REGEX =
Pattern.compile("\\[@(\\S{1,100})=['\\\"](\\S{1,100})['\\\"]\\]");
@@ -98,7 +99,7 @@ public class XmlFileUtils {
final String namespace,
final Map<String, String> rootNodeProperty)
throws IOException, SAXException, ParserConfigurationException, TransformerException {
- final DocumentBuilder documentBuilder = dbFactory.newDocumentBuilder();
+ final DocumentBuilder documentBuilder = getDocumentBuilderFactory().newDocumentBuilder();
final StringBuilder xmlStringBuilder = new StringBuilder();
xmlStringBuilder.append(xmlContent);
final Document document = documentBuilder.parse(
@@ -145,8 +146,8 @@ public class XmlFileUtils {
final String namespace,
final Map<String, String> rootNodeProperty) {
try {
- final DocumentBuilder docBuilder = dbFactory.newDocumentBuilder();
- final Document document = docBuilder.newDocument();
+ final DocumentBuilder documentBuilder = getDocumentBuilderFactory().newDocumentBuilder();
+ final Document document = documentBuilder.newDocument();
final Element rootElement = document.createElementNS(namespace, tagName);
for (final Map.Entry<String, String> entry : rootNodeProperty.entrySet()) {
final Element propertyElement = document.createElement(entry.getKey());
@@ -160,4 +161,14 @@ public class XmlFileUtils {
throw new DataValidationException("Can't parse XML", "XML can't be parsed", exception);
}
}
+
+ private static DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException {
+ if (isNewDocumentBuilderFactoryInstance) {
+ documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ isNewDocumentBuilderFactoryInstance = false;
+ }
+
+ return documentBuilderFactory;
+ }
}