summaryrefslogtreecommitdiffstats
path: root/examples/examples-onap-bbs/src/main
diff options
context:
space:
mode:
Diffstat (limited to 'examples/examples-onap-bbs/src/main')
-rw-r--r--examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java8
1 files changed, 6 insertions, 2 deletions
diff --git a/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java b/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
index edaff6b52..884708d03 100644
--- a/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
+++ b/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
@@ -34,7 +34,6 @@ import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
-import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
@@ -64,6 +63,10 @@ public class WebClient {
// Duplicated string constants
private static final String BBS_POLICY = "BBS Policy";
+ //Features to prevent XXE injection
+ private static final String XML_DISALLOW_DOCTYPE_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+ private static final String XML_EXTERNAL_ENTITY_FEATURE = "http://xml.org/sax/features/external-general-entities";
+
/**
* Send simple https rest request.
*
@@ -140,7 +143,8 @@ public class WebClient {
try (ByteArrayInputStream br = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
- df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ df.setFeature(XML_DISALLOW_DOCTYPE_FEATURE, true);
+ df.setFeature(XML_EXTERNAL_ENTITY_FEATURE, false);
Document document = df.newDocumentBuilder().parse(new InputSource(br));
document.normalize();