From 601eb7fa55e373563ba396f491cec88732cd6e4e Mon Sep 17 00:00:00 2001
From: "aditya.puthuparambil"
Date: Tue, 10 Mar 2020 14:12:55 +0000
Subject: Sonar Security vulnerabilities fix
Issue-ID: POLICY-1913
Signed-off-by: aditya.puthuparambil
Change-Id: Ic86e04776c9300e37134210cd9db5b6d7e6a5a9e
---
 .../apex/core/infrastructure/xml/XPathReader.java | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
(limited to 'core/core-infrastructure/src')
diff --git a/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java b/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java
index 08046c924..a9c57f385 100644
--- a/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java
+++ b/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java
@@ -1,6 +1,7 @@
 /*-
  * ============LICENSE_START=======================================================
  * Copyright (C) 2016-2018 Ericsson. All rights reserved.
+ * Modifications Copyright (C) 2020 Nordix Foundation.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +23,7 @@ package org.onap.policy.apex.core.infrastructure.xml;
 import java.io.InputStream;
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.xpath.XPath;
@@ -39,6 +41,7 @@ import org.w3c.dom.Document;
  * @author Sajeevan Achuthan (sajeevan.achuthan@ericsson.com)
  */
 public class XPathReader {
+    // Logger for this class
     private static final XLogger LOGGER = XLoggerFactory.getXLogger(XPathReader.class);
@@ -73,18 +76,17 @@ public class XPathReader {
     private void init() {
         try {
             LOGGER.info("Initializing XPath reader");
+            DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
+            df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             // Check if this is operating on a file
             if (xmlFileName != null) {
-                xmlDocument = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(xmlFileName);
-            }
-            // Check if this is operating on a stream
-            else if (xmlStream != null) {
-                xmlDocument = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(xmlStream);
-
-            }
-            // We have an error
-            else {
+                xmlDocument = df.newDocumentBuilder().parse(xmlFileName);
+            } else if (xmlStream != null) {
+                // Check if this is operating on a stream
+                xmlDocument = df.newDocumentBuilder().parse(xmlStream);
+            } else {
+                // We have an error
                 LOGGER.error("XPath reader not initialized with either a file or a stream");
                 return;
             }
-- cgit 1.2.3-korg
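Review bot: The new `df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` after LOGGER.info limits entity expansion but does not by itself guarantee that DOCTYPE declarations and external entities are rejected — that depends on the parser implementation in use — so the XXE exposure behind the Sonar finding is only partly closed by this hunk. The usual hardening next to it is `df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");`, or `df.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` when the documents never carry a DTD. setAttribute throws IllegalArgumentException and setFeature throws ParserConfigurationException on parsers that do not recognise the name, so the catch clause of init() — which, like the rest of the method, lies outside this hunk — should be checked to cover them. A short comment on the two added lines stating the intent would also help readers, e.g. `// Harden the parser against XXE/entity-expansion before parsing any input`.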