From 377a02ce32ede76c52f6de709707cfd17daece6f Mon Sep 17 00:00:00 2001 From: mpriyank Date: Fri, 6 Jan 2023 10:12:59 +0000 Subject: Local DocBuilderFactory fix XEE - local DocumentBuilderFactory fix for prevention of XML External Entity Issue-ID: CPS-1435 Change-Id: Ib88268edc5975bf0fe4e3e56bc704f266280af4b Signed-off-by: mpriyank --- .../src/main/java/org/onap/cps/utils/XmlFileUtils.java | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) (limited to 'cps-service') diff --git a/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java b/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java index 096487f45f..a0d770191e 100644 --- a/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java +++ b/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java @@ -49,9 +49,8 @@ import org.xml.sax.SAXException; @NoArgsConstructor(access = AccessLevel.PRIVATE) public class XmlFileUtils { - private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(); - private static boolean isNewDocumentBuilderFactoryInstance = true; private static final TransformerFactory transformerFactory = TransformerFactory.newInstance(); + private static boolean isNewTransformerFactoryInstance = true; private static final Pattern XPATH_PROPERTY_REGEX = Pattern.compile("\\[@(\\S{1,100})=['\\\"](\\S{1,100})['\\\"]\\]"); @@ -162,16 +161,21 @@ public class XmlFileUtils { private static DocumentBuilderFactory getDocumentBuilderFactory() { - if (isNewDocumentBuilderFactoryInstance) { - documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); - documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); - isNewDocumentBuilderFactoryInstance = false; - } + final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(); + documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); return documentBuilderFactory; } private static TransformerFactory getTransformerFactory() { + + if (isNewTransformerFactoryInstance) { + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + isNewTransformerFactoryInstance = false; + } + return transformerFactory; } } -- cgit 1.2.3-korg