authorvasraz <vasyl.razinkov@est.tech>2022-06-01 15:32:14 +0100
committerMichael Morris <michael.morris@est.tech>2022-06-02 13:39:16 +0000
commite2e644755baa33030a4aba228fb6be319cdbc81c (patch)
tree4510d9f90b6efaaae3d0e87c6f467e6ffc5915ec /catalog-be/src/main/java
parente159dee791441b68d142323f7d951b0592841c7f (diff)
Fix Blocker Vulnerability
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech> Change-Id: I4286eafb4d2a7f20d39fc77182e2dc23e9446aab Issue-ID: SDC-4029
Diffstat (limited to 'catalog-be/src/main/java')
-rw-r--r--catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java13
1 files changed, 10 insertions, 3 deletions
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java
index b94b565d79..b253537177 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java
@@ -76,12 +76,19 @@ public enum PayloadTypeEnum {
}
}, XML {
@Override
- public Either<Boolean, ActionStatus> isValid(byte[] payload) {
+ public Either<Boolean, ActionStatus> isValid(final byte[] payload) {
try {
- SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
+ final SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
+ // to be compliant, completely disable DOCTYPE declaration:
+ saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ // completely disable external entities declarations:
+ saxParserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ saxParserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ final SAXParser saxParser = saxParserFactory.newSAXParser();
+ // prohibit the use of all protocols by external entities:
saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
- XMLReader reader = saxParser.getXMLReader();
+ final XMLReader reader = saxParser.getXMLReader();
setFeatures(reader);
reader.parse(new InputSource(new ByteArrayInputStream(payload)));
} catch (ParserConfigurationException | IOException | SAXException exception) {
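Review bot: The rationale comment on the added line `// to be compliant, completely disable DOCTYPE declaration:` does not say what the setting defends against, so a later maintainer may not realise that removing it re-opens XML external entity processing; make it explicit, e.g. `// Reject any DOCTYPE so the payload cannot declare entities (XXE hardening); the external-entity features below are defence in depth.` As a further layer, `saxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` before `newSAXParser()` also applies the JDK parser's entity-expansion and resource limits. Note that `setFeature` throws `SAXNotRecognizedException`/`SAXNotSupportedException` (both `SAXException`) when the parser implementation lacks a feature, so a parser without `disallow-doctype-decl` lands in the catch on the last line and is presumably reported as an invalid payload rather than as a configuration error; the catch body and the remainder of isValid lie outside the hunk. `setFeatures(reader)` is defined elsewhere and cannot be checked here; it should not toggle any entity-related feature back on.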