Diffstat (limited to 'examples/examples-onap-bbs/src')
2 files changed, 13 insertions, 8 deletions
diff --git a/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java b/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
index edaff6b52..884708d03 100644
--- a/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
+++ b/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
@@ -34,7 +34,6 @@ import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
-import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -64,6 +63,10 @@ public class WebClient {
 // Duplicated string constants
 private static final String BBS_POLICY = "BBS Policy";
+ //Features to prevent XXE injection
+ private static final String XML_DISALLOW_DOCTYPE_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+ private static final String XML_EXTERNAL_ENTITY_FEATURE = "http://xml.org/sax/features/external-general-entities";
+
 /**
 * Send simple https rest request.
 *
@@ -140,7 +143,8 @@ public class WebClient {
 try (ByteArrayInputStream br = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
 DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
- df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ df.setFeature(XML_DISALLOW_DOCTYPE_FEATURE, true);
+ df.setFeature(XML_EXTERNAL_ENTITY_FEATURE, false);
 Document document = df.newDocumentBuilder().parse(new InputSource(br));
 document.normalize();
diff --git a/examples/examples-onap-bbs/src/test/java/org/onap/policy/apex/examples/bbs/WebClientTest.java b/examples/examples-onap-bbs/src/test/java/org/onap/policy/apex/examples/bbs/WebClientTest.java
index 3cb588dc7..ba1481c0b 100644
--- a/examples/examples-onap-bbs/src/test/java/org/onap/policy/apex/examples/bbs/WebClientTest.java
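Review bot: The comment `//Features to prevent XXE injection` above the two new constants names the goal but not how they relate, which matters because a later maintainer may "simplify" by removing one of them. Per the Xerces feature documentation, `disallow-doctype-decl` makes the parser reject any document carrying a DOCTYPE, so general entities, parameter entities and external DTD fetches are all shut out by that flag alone; `external-general-entities=false` then only adds defence in depth for parsers that do not honour the doctype ban. I would replace the comment with `// XXE hardening: disallow-doctype-decl rejects any DTD outright (covers general and parameter entities); external-general-entities=false is belt-and-braces for non-Xerces parsers` and add a space after `//` to match `// Duplicated string constants` two lines up.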
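Review bot: Replacing `df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` with the two Xerces flags, rather than adding them alongside it, drops the JAXP secure-processing limits (entity expansion and similar resource caps, as I read the JAXP docs) that the old line enabled; the new flags stop external entities but are not a superset. I would keep all three: `df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` followed by `df.setFeature(XML_DISALLOW_DOCTYPE_FEATURE, true);` and `df.setFeature(XML_EXTERNAL_ENTITY_FEATURE, false);`, which means the `javax.xml.XMLConstants` import removed in the first hunk stays. If the external-entities line is retained as defence in depth for a parser that ignores the doctype ban, it should be paired with `http://xml.org/sax/features/external-parameter-entities` set to false, since parameter entities are a separate external-fetch path; the OWASP XXE guidance lists both. Note that `setFeature` throws `ParserConfigurationException` when the underlying parser does not recognise a Xerces-specific name, and the catch that handles it lies outside this hunk, as does the rest of `toPrettyString`.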
+++ b/examples/examples-onap-bbs/src/test/java/org/onap/policy/apex/examples/bbs/WebClientTest.java
@@ -36,6 +36,7 @@ import org.junit.Test;
 import org.mockito.Mockito;
 public class WebClientTest {
+ HttpsURLConnection mockedHttpsUrlConnection;
 String sampleString = "Response Code :200";
@@ -55,24 +56,24 @@ public class WebClientTest {
 @Test
 public void testHttpsRequest() {
 WebClient cl = new WebClient();
- String result =
- cl.httpRequest("https://some.random.url/data", "POST", null, "admin", "admin", "application/json");
+ String result = cl
+ .httpRequest("https://some.random.url/data", "POST", null, "admin", "admin", "application/json");
 assertNotNull(result);
 }
 @Test
 public void testHttpRequest() {
 WebClient cl = new WebClient();
- String result =
- cl.httpRequest("http://some.random.url/data", "GET", null, "admin", "admin", "application/json");
+ String result = cl
+ .httpRequest("http://some.random.url/data", "GET", null, "admin", "admin", "application/json");
 assertNotNull(result);
 }
 @Test
 public void testToPrettyString() {
 String xmlSample = "<input xmlns=\"org:onap:sdnc:northbound:generic-resource\">"
- + "<sdnc-request-header> <svc-action>update</svc-action> </sdnc-request-header></input>";
+ + "<sdnc-request-header> <svc-action>update</svc-action> </sdnc-request-header></input>";
 WebClient cl = new WebClient();
- cl.toPrettyString(xmlSample, 4);
+ assertNotNull(cl.toPrettyString(xmlSample, 4));
 }
 }
|
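Review bot: The only assertion added for the parser change, `assertNotNull(cl.toPrettyString(xmlSample, 4))`, runs on a benign document and so cannot tell whether the DOCTYPE ban from the main-file hunk is in effect; a regression that quietly restores entity resolution would still pass this suite. Add a companion test that feeds `"<!DOCTYPE x [<!ENTITY e SYSTEM \"file:///etc/hostname\">]><input>&e;</input>"` to `toPrettyString` and asserts that the result is not a pretty-printed document with the entity resolved. What `toPrettyString` returns when `parse` throws is decided in a catch block outside this diff, so pin the assertion to that path (null, empty, or the original string) rather than guessing. The other two tests reach out to `some.random.url` and are unchanged here apart from line wrapping, so I am not raising them on this commit.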