From e2e644755baa33030a4aba228fb6be319cdbc81c Mon Sep 17 00:00:00 2001
From: vasraz
Date: Wed, 1 Jun 2022 15:32:14 +0100
Subject: Fix Blocker Vulnerability
Signed-off-by: Vasyl Razinkov
Change-Id: I4286eafb4d2a7f20d39fc77182e2dc23e9446aab
Issue-ID: SDC-4029
---
 .../sdc/be/components/impl/artifact/PayloadTypeEnum.java | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
(limited to 'catalog-be')
diff --git a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java
index b94b565d79..b253537177 100644
--- a/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java
+++ b/catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java
@@ -76,12 +76,19 @@ public enum PayloadTypeEnum { }
 },
 XML {
 @Override
- public Either isValid(byte[] payload) {
+ public Either isValid(final byte[] payload) {
 try {
- SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
+ final SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
+ // to be compliant, completely disable DOCTYPE declaration:
+ saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ // completely disable external entities declarations:
+ saxParserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ saxParserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ final SAXParser saxParser = saxParserFactory.newSAXParser();
+ // prohibit the use of all protocols by external entities:
 saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
- XMLReader reader = saxParser.getXMLReader();
+ final XMLReader reader = saxParser.getXMLReader();
 setFeatures(reader);
 reader.parse(new InputSource(new ByteArrayInputStream(payload)));
 } catch (ParserConfigurationException | IOException | SAXException exception) {
-- 
cgit 1.2.3-korg
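Review bot: The three hardening calls are applied to the factory, but the existing `setFeatures(reader)` call still runs on the XMLReader after them and its body is outside the hunk; features set directly on the reader take precedence for that reader, so it is worth confirming that helper touches no DTD- or entity-related feature (or moving the hardening onto the reader after it). A related point: a parser implementation that does not recognise `disallow-doctype-decl` raises SAXNotRecognizedException or SAXNotSupportedException from `setFeature`, which are SAXExceptions and land in the existing catch alongside a malformed payload — fail-closed is the right outcome, but presumably the caller then sees "invalid XML" rather than a parser misconfiguration, so a log line naming the feature in that catch would make the failure diagnosable. Since the three calls share one rationale, a single comment such as `// XXE hardening: no DOCTYPE means no internal or external entities can be declared; the two external-entity features are kept as defence in depth` reads better than the three separate ones. The enclosing isValid method and its catch body continue outside the hunk.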