diff options
author | Neil Derraugh <neil.derraugh@yoppworks.com> | 2020-06-08 15:45:58 -0400 |
---|---|---|
committer | Ofir Sonsino <ofir.sonsino@intl.att.com> | 2020-06-10 08:23:38 +0000 |
commit | c8a11265085b1342c4efa03a9985d9fd9ca203a3 (patch) | |
tree | 69722d1c38d2de8f6b0648e869a5510f82d5fc3c | |
parent | 6cfebc0867b2f21a401f55734aba30eb245e3c70 (diff) |
Set properties on XML parsers to prevent XXE attack
- Set ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA properties on XML
parsers to prevent XXE attacks
Issue-ID: SDC-3106
Signed-off-by: Neil Derraugh <neil.derraugh@yoppworks.com>
Change-Id: If4e835858dd3d718d37b3ee41fb2fd0c94574c24
3 files changed, 14 insertions, 2 deletions
diff --git a/asdctool/src/main/java/org/openecomp/sdc/asdctool/impl/GraphMLDataAnalyzer.java b/asdctool/src/main/java/org/openecomp/sdc/asdctool/impl/GraphMLDataAnalyzer.java index 312d862747..d8642ebf54 100644 --- a/asdctool/src/main/java/org/openecomp/sdc/asdctool/impl/GraphMLDataAnalyzer.java +++ b/asdctool/src/main/java/org/openecomp/sdc/asdctool/impl/GraphMLDataAnalyzer.java @@ -20,6 +20,7 @@ package org.openecomp.sdc.asdctool.impl; +import javax.xml.XMLConstants; import org.apache.poi.hssf.usermodel.HSSFWorkbook; import org.apache.poi.ss.usermodel.Row; import org.apache.poi.ss.usermodel.Sheet; @@ -69,6 +70,9 @@ public class GraphMLDataAnalyzer { private String analyzeGraphMLData(String mlFileLocation) throws JDOMException, IOException { // Parse ML file SAXBuilder builder = new SAXBuilder(); + builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); + File xmlFile = new File(mlFileLocation); Document document = builder.build(xmlFile); diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java index a91497356b..eba749fcba 100644 --- a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java +++ b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java @@ -52,6 +52,7 @@ import java.util.stream.Collectors; import javax.servlet.http.HttpServletRequest; import javax.xml.XMLConstants; import javax.xml.parsers.ParserConfigurationException; +import javax.xml.parsers.SAXParser; import javax.xml.parsers.SAXParserFactory; import org.apache.commons.codec.binary.Base64; import org.apache.commons.collections.CollectionUtils; @@ -2072,7 +2073,10 @@ public class ArtifactsBusinessLogic extends BaseBusinessLogic { private boolean isValidXml(byte[] xmlToParse) { boolean isXmlValid = true; try { - XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader(); + SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser(); + saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); + XMLReader reader = saxParser.getXMLReader(); setFeatures(reader); reader.parse(new InputSource(new ByteArrayInputStream(xmlToParse))); } diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java index 57afb8743c..df6a552917 100644 --- a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java +++ b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java @@ -25,6 +25,7 @@ package org.openecomp.sdc.be.components.impl.artifact; import com.google.gson.Gson; import com.google.gson.GsonBuilder; import fj.data.Either; +import javax.xml.parsers.SAXParser; import org.openecomp.sdc.be.config.validation.DeploymentArtifactHeatConfiguration; import org.openecomp.sdc.be.dao.api.ActionStatus; import org.openecomp.sdc.common.log.wrappers.Logger; @@ -83,7 +84,10 @@ public enum PayloadTypeEnum { @Override public Either<Boolean, ActionStatus> isValid(byte[] payload) { try { - XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader(); + SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser(); + saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); + XMLReader reader = saxParser.getXMLReader(); setFeatures(reader); reader.parse(new InputSource(new ByteArrayInputStream(payload))); } catch (ParserConfigurationException | IOException | SAXException exception) { |