authorNeil Derraugh <neil.derraugh@yoppworks.com>2020-06-08 15:45:58 -0400
committerOfir Sonsino <ofir.sonsino@intl.att.com>2020-06-10 08:23:38 +0000
commitc8a11265085b1342c4efa03a9985d9fd9ca203a3 (patch)
tree69722d1c38d2de8f6b0648e869a5510f82d5fc3c
parent6cfebc0867b2f21a401f55734aba30eb245e3c70 (diff)
Set properties on XML parsers to prevent XXE attack
- Set ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA properties on XML parsers to prevent XXE attacks Issue-ID: SDC-3106 Signed-off-by: Neil Derraugh <neil.derraugh@yoppworks.com> Change-Id: If4e835858dd3d718d37b3ee41fb2fd0c94574c24
-rw-r--r--asdctool/src/main/java/org/openecomp/sdc/asdctool/impl/GraphMLDataAnalyzer.java4
-rw-r--r--catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java6
-rw-r--r--catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java6
3 files changed, 14 insertions, 2 deletions
diff --git a/asdctool/src/main/java/org/openecomp/sdc/asdctool/impl/GraphMLDataAnalyzer.java b/asdctool/src/main/java/org/openecomp/sdc/asdctool/impl/GraphMLDataAnalyzer.java
index 312d862747..d8642ebf54 100644
--- a/asdctool/src/main/java/org/openecomp/sdc/asdctool/impl/GraphMLDataAnalyzer.java
+++ b/asdctool/src/main/java/org/openecomp/sdc/asdctool/impl/GraphMLDataAnalyzer.java
@@ -20,6 +20,7 @@
package org.openecomp.sdc.asdctool.impl;
+import javax.xml.XMLConstants;
import org.apache.poi.hssf.usermodel.HSSFWorkbook;
import org.apache.poi.ss.usermodel.Row;
import org.apache.poi.ss.usermodel.Sheet;
@@ -69,6 +70,9 @@ public class GraphMLDataAnalyzer {
private String analyzeGraphMLData(String mlFileLocation) throws JDOMException, IOException {
// Parse ML file
SAXBuilder builder = new SAXBuilder();
+ builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+
File xmlFile = new File(mlFileLocation);
Document document = builder.build(xmlFile);
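Review bot: The two properties added at L31-L32 only stop the parser fetching external DTDs and schemas; an inline DOCTYPE with internal entity declarations is still processed, so entity-expansion (resource exhaustion) input is still accepted even though external-entity disclosure is closed off. For a tool that only reads a local GraphML file the stricter, implementation-independent setting is to refuse DOCTYPE altogether, `builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, or at minimum `builder.setExpandEntities(false);`. As far as I recall JDOM's SAXBuilder stores setProperty values and applies them to the XMLReader inside build(), so if the SAX implementation resolved at runtime does not recognize the JAXP ACCESS_EXTERNAL_* properties the failure surfaces as a JDOMException from `builder.build(xmlFile)` rather than at the setProperty call; worth confirming which parser is on the asdctool classpath. analyzeGraphMLData continues past the end of this hunk.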
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java
index a91497356b..eba749fcba 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java
@@ -52,6 +52,7 @@ import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.collections.CollectionUtils;
@@ -2072,7 +2073,10 @@ public class ArtifactsBusinessLogic extends BaseBusinessLogic {
private boolean isValidXml(byte[] xmlToParse) {
boolean isXmlValid = true;
try {
- XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
+ SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
+ saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ XMLReader reader = saxParser.getXMLReader();
setFeatures(reader);
reader.parse(new InputSource(new ByteArrayInputStream(xmlToParse)));
}
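Review bot: The hardening lines L53-L55 are repeated verbatim in PayloadTypeEnum.isValid (L77-L79 of this commit); both call sites should obtain the parser from one shared helper so that future parser-security changes have a single place to land. The ACCESS_EXTERNAL_* properties block external DTD/schema retrieval but not an inline DOCTYPE, so unless the setFeatures(reader) call (not visible here) already disables DOCTYPE, the usual complete mitigation for a parser that only checks well-formedness of untrusted bytes is `SAXParserFactory factory = SAXParserFactory.newInstance();` `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` `SAXParser saxParser = factory.newSAXParser();`. Note that saxParser.setProperty throws SAXNotRecognizedException (a SAXException) on a parser that predates these JAXP properties, which the surrounding catch presumably turns into "invalid XML" — that fails closed, which is acceptable, but it should be logged distinctly from a genuine parse error. isValidXml's catch clause lies outside this hunk.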
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java
index 57afb8743c..df6a552917 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java
@@ -25,6 +25,7 @@ package org.openecomp.sdc.be.components.impl.artifact;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import fj.data.Either;
+import javax.xml.parsers.SAXParser;
import org.openecomp.sdc.be.config.validation.DeploymentArtifactHeatConfiguration;
import org.openecomp.sdc.be.dao.api.ActionStatus;
import org.openecomp.sdc.common.log.wrappers.Logger;
@@ -83,7 +84,10 @@ public enum PayloadTypeEnum {
@Override
public Either<Boolean, ActionStatus> isValid(byte[] payload) {
try {
- XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
+ SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
+ saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ XMLReader reader = saxParser.getXMLReader();
setFeatures(reader);
reader.parse(new InputSource(new ByteArrayInputStream(payload)));
} catch (ParserConfigurationException | IOException | SAXException exception) {