From 28be67398b155b67bc5e7cf54bba81a6d09d0eb0 Mon Sep 17 00:00:00 2001
From: Abhishek Bajaj
Date: Fri, 19 Mar 2021 18:17:17 +0530
Subject: Disable access to external entities in XML parsing

Issue-ID: DCAEGEN2-2675
Signed-off-by: Abhishek Bajaj
Change-Id: I8738480af9078e8db4b7217f0a837f60084d93fa
Signed-off-by: Abhishek Bajaj
---
 Changelog.md | 4 ++++
 pom.xml | 2 +-
 src/main/java/org/onap/dcae/common/XmlParser.java | 5 ++++-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index b2adf82..b6fa3f3 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.2.5] - 19/03/2021
+### Fixed
+- [DCAEGEN2-2675](https://jira.onap.org/browse/DCAEGEN2-2675) - Disable access to external entities in XML parsing
+
 ## [1.2.5] - 12/03/2021
 ### Fixed
 - [DCAEGEN2-2518](https://jira.onap.org/browse/DCAEGEN2-2518) - Fix the security blocker in restconf collector
diff --git a/pom.xml b/pom.xml
index 753e5b2..2eb0b30 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@ limitations under the License.
 org.onap.dcaegen2.collectors.restconf
 restconfcollector
- 1.2.4-SNAPSHOT
+ 1.2.5-SNAPSHOT
 dcaegen2-collectors-restconf
 RestConfCollector
diff --git a/src/main/java/org/onap/dcae/common/XmlParser.java b/src/main/java/org/onap/dcae/common/XmlParser.java
index a9902d2..665297d 100755
--- a/src/main/java/org/onap/dcae/common/XmlParser.java
+++ b/src/main/java/org/onap/dcae/common/XmlParser.java
@@ -2,7 +2,7 @@
  * ============LICENSE_START=======================================================
  * org.onap.dcaegen2.collectors.restconf
  * ================================================================================
- * Copyright (C) 2018-2019 Huawei. All rights reserved.
+ * Copyright (C) 2018-2021 Huawei. All rights reserved.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@ import org.xml.sax.Attributes;
 import org.xml.sax.SAXException;
 import org.xml.sax.helpers.DefaultHandler;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
@@ -56,6 +57,8 @@ public class XmlParser {
         try {
             SAXParserFactory factory = SAXParserFactory.newInstance();
             SAXParser saxParser = factory.newSAXParser();
+            saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
             InputStream in = new ByteArrayInputStream(s.getBytes());
             saxParser.parse(in, handler);
         } catch (ParserConfigurationException | IOException | SAXException | NumberFormatException e) {
-- 
cgit 1.2.3-korg
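Review bot: The two added `setProperty` calls only restrict fetching of external DTDs, external entities and schemas; they do not stop the parser from honouring a DOCTYPE at all, so a document carrying inline entity declarations (nested "billion laughs" style expansion) is still processed, limited only by whatever expansion limits the JDK applies by default, and the `ACCESS_EXTERNAL_*` properties are only honoured by JAXP 1.5-aware implementations, so a non-JDK `SAXParserFactory` picked up from the classpath may silently ignore them. The usual hardening is to configure the factory before `newSAXParser()`: `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, keeping the two property calls as a second layer. Both feature calls throw `SAXException` or `ParserConfigurationException` subtypes that the existing multi-catch already covers, which also means a `SAXNotRecognizedException` from an unsupporting implementation lands in that catch and skips the parse — fail-closed, but worth an explicit log line so a misconfigured parser is visible. The enclosing method, including the body of the catch block, begins and ends outside this hunk.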