From b48469262c83dc1e88b12d162de88a05ce61159c Mon Sep 17 00:00:00 2001 From: mpriyank Date: Thu, 5 Jan 2023 12:57:49 +0000 Subject: XEE prevention with all props - include all properties to prevent XEE for DocumentBuilderFactory Issue-ID: CPS-1435 Change-Id: I5a740f34072af348fe2df282fba7babeff4299d8 Signed-off-by: mpriyank --- cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'cps-service') diff --git a/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java b/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java index 3030d702c2..10e1f50b54 100644 --- a/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java +++ b/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java @@ -161,8 +161,15 @@ public class XmlFileUtils { } } - private static DocumentBuilderFactory getDocumentBuilderFactory() { + private static DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException { if (isNewDocumentBuilderFactoryInstance) { + documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); + documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + documentBuilderFactory.setXIncludeAware(false); + documentBuilderFactory.setExpandEntityReferences(false); + documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); isNewDocumentBuilderFactoryInstance = false; -- cgit 1.2.3-korg