authoraditya.puthuparambil <aditya.puthuparambil@est.tech>2020-04-14 13:16:07 +0100
committeraditya.puthuparambil <aditya.puthuparambil@est.tech>2020-04-14 13:16:07 +0100
commit3c40c871d6f0679e60f4d5c825d272af8bbe3148 (patch)
treeac3df4624f9ddd2bf08ef1ce783e49c1eb4c9af8 /examples/examples-onap-bbs/src/main/java/org
parent2a3fd3ee6c37314da69f4121019c8d713ace79ae (diff)
SONAR issue fix
Issue-ID: POLICY-1913 Signed-off-by: aditya.puthuparambil <aditya.puthuparambil@est.tech> Change-Id: Ie6dccc50ad63c5fdca1e79d7985aec2455041b56
Diffstat (limited to 'examples/examples-onap-bbs/src/main/java/org')
-rw-r--r--examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java8
1 files changed, 6 insertions, 2 deletions
diff --git a/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java b/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
index edaff6b52..884708d03 100644
--- a/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
+++ b/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
@@ -34,7 +34,6 @@ import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
-import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
@@ -64,6 +63,10 @@ public class WebClient {
// Duplicated string constants
private static final String BBS_POLICY = "BBS Policy";
+ //Features to prevent XXE injection
+ private static final String XML_DISALLOW_DOCTYPE_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+ private static final String XML_EXTERNAL_ENTITY_FEATURE = "http://xml.org/sax/features/external-general-entities";
+
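Review bot: The new constant block declares only `disallow-doctype-decl` and `external-general-entities`, leaving out the two sibling features usually set with them, `http://xml.org/sax/features/external-parameter-entities` and `http://apache.org/xml/features/nonvalidating/load-external-dtd`; while `disallow-doctype-decl=true` makes these redundant today, if it is ever relaxed to accept a DTD-bearing payload the `external-general-entities=false` line alone still leaves parameter entities and external DTD loading open. Consider adding `private static final String XML_EXTERNAL_PARAM_ENTITY_FEATURE = "http://xml.org/sax/features/external-parameter-entities";` and `private static final String XML_LOAD_EXTERNAL_DTD_FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";` here so the full set is applied in one place. The hunk above removes the `javax.xml.XMLConstants` import, which suggests `FEATURE_SECURE_PROCESSING` is being dropped rather than kept; it costs nothing to keep it alongside these features and it preserves the JAXP entity-expansion limits as defence in depth. Minor style point: `//Features to prevent XXE injection` should have a space after `//` to match the `// Duplicated string constants` comment directly above it.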
/**
* Send simple https rest request.
*
@@ -140,7 +143,8 @@ public class WebClient {
try (ByteArrayInputStream br = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
- df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ df.setFeature(XML_DISALLOW_DOCTYPE_FEATURE, true);
+ df.setFeature(XML_EXTERNAL_ENTITY_FEATURE, false);
Document document = df.newDocumentBuilder().parse(new InputSource(br));
document.normalize();