author | mpriyank <priyank.maheshwari@est.tech> | 2023-01-05 12:57:49 +0000 |
---|---|---|
committer | mpriyank <priyank.maheshwari@est.tech> | 2023-01-05 12:57:53 +0000 |
commit | b48469262c83dc1e88b12d162de88a05ce61159c (patch) | |
tree | e3b2b592d7cb7ed91c74fdbdc53fa64df2f2fb80 /cps-service/src | |
parent | 6d3b8b371dde27bd3b295112491f4dff97723698 (diff) |
XEE prevention with all props
- include all properties to prevent XEE for DocumentBuilderFactory
Issue-ID: CPS-1435
Change-Id: I5a740f34072af348fe2df282fba7babeff4299d8
Signed-off-by: mpriyank <priyank.maheshwari@est.tech>
Diffstat (limited to 'cps-service/src')
-rw-r--r-- | cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java b/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java
index 3030d702c2..10e1f50b54 100644
--- a/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java
+++ b/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java
@@ -161,8 +161,15 @@ public class XmlFileUtils {
 }
 }
- private static DocumentBuilderFactory getDocumentBuilderFactory() {
+ private static DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException {
 if (isNewDocumentBuilderFactoryInstance) {
+ documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ documentBuilderFactory.setXIncludeAware(false);
+ documentBuilderFactory.setExpandEntityReferences(false);
+ documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
 isNewDocumentBuilderFactoryInstance = false;
|
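Review bot: The one-time hardening inside `if (isNewDocumentBuilderFactoryInstance)` is an unsynchronized check-then-act on what appear to be shared static fields, so under concurrent calls one thread can still be applying the new `setFeature` settings to `documentBuilderFactory` while another is already building parsers from it, and `DocumentBuilderFactory` is not guaranteed to be thread-safe. The field declarations and the rest of the method body are outside the hunk, so the shared-static reading is inferred from a static method using both names unqualified. Declaring the method as `private static synchronized DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException {`, or moving the configuration into a static initializer, would close that window and guarantee later callers see the fully configured factory. A short comment above the first `setFeature` would also help maintainers, for example `// disallow-doctype-decl is the primary external-entity control; the remaining settings are defence in depth for parsers that do not honour it`.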