From c8a11265085b1342c4efa03a9985d9fd9ca203a3 Mon Sep 17 00:00:00 2001
From: Neil Derraugh
Date: Mon, 8 Jun 2020 15:45:58 -0400
Subject: Set properties on XML parsers to prevent XXE attack
- Set ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA properties on XML parsers to prevent XXE attacks
Issue-ID: SDC-3106
Signed-off-by: Neil Derraugh
Change-Id: If4e835858dd3d718d37b3ee41fb2fd0c94574c24
---
.../openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java | 6 +++++-
.../openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java | 6 +++++-
2 files changed, 10 insertions(+), 2 deletions(-)
(limited to 'catalog-be/src/main/java/org/openecomp')
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java
index a91497356b..eba749fcba 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java
@@ -52,6 +52,7 @@ import java.util.stream.Collectors;
 import javax.servlet.http.HttpServletRequest;
 import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.collections.CollectionUtils;
@@ -2072,7 +2073,10 @@ public class ArtifactsBusinessLogic extends BaseBusinessLogic {
 private boolean isValidXml(byte[] xmlToParse) {
 boolean isXmlValid = true;
 try {
- XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
+ SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
+ saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ XMLReader reader = saxParser.getXMLReader();
 setFeatures(reader);
 reader.parse(new InputSource(new ByteArrayInputStream(xmlToParse)));
 }
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java
index 57afb8743c..df6a552917 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java
@@ -25,6 +25,7 @@ package org.openecomp.sdc.be.components.impl.artifact;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import fj.data.Either;
+import javax.xml.parsers.SAXParser;
 import org.openecomp.sdc.be.config.validation.DeploymentArtifactHeatConfiguration;
 import org.openecomp.sdc.be.dao.api.ActionStatus;
 import org.openecomp.sdc.common.log.wrappers.Logger;
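Review bot: Setting ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to `""` on the new saxParser blocks fetching of external DTDs, external entities and schemas, but a DOCTYPE whose internal subset declares entities is still parsed and expanded, so an entity-expansion (billion-laughs) artifact still reaches reader.parse, bounded only by whatever expansion limit the runtime's parser applies. Unless setFeatures(reader), which is not visible in this hunk, already disallows DOCTYPE, add `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before the parse call: a validity check on an uploaded artifact has no legitimate use for a DOCTYPE, and this is the primary SAX hardening the OWASP XXE guidance recommends. Note also that setProperty throws SAXNotRecognizedException on a SAX implementation that predates JAXP 1.5; whether that lands in a catch that marks the XML invalid cannot be seen here, as isValidXml's catch and the rest of its body lie outside the hunk.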
@@ -83,7 +84,10 @@ public enum PayloadTypeEnum {
 @Override
 public Either isValid(byte[] payload) {
 try {
- XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
+ SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
+ saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ XMLReader reader = saxParser.getXMLReader();
 setFeatures(reader);
 reader.parse(new InputSource(new ByteArrayInputStream(payload)));
 } catch (ParserConfigurationException | IOException | SAXException exception) {
-- cgit 1.2.3-korg
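Review bot: saxParser.setProperty on the new lines throws SAXNotRecognizedException (a SAXException) if the SAX implementation resolved by SAXParserFactory.newInstance() predates JAXP 1.5 — for example an older Xerces jar on the classpath taking precedence over the JDK parser — and the visible catch would then report every XML payload as invalid. Fail-closed is the right direction for a security control, but the catch body (outside this hunk) should log that case distinctly from a malformed payload so an operator can tell a misconfigured parser from bad input. The same four hardening lines are now duplicated in ArtifactsBusinessLogic.isValidXml; a shared helper such as `private static SAXParser newSecureSaxParser() throws ParserConfigurationException, SAXException` that both call would keep the two parsers from drifting when the next setting (FEATURE_SECURE_PROCESSING, disallow-doctype-decl) is added. isValid's catch body and return value lie outside the hunk.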