summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwaqas.ikram <waqas.ikram@est.tech>2021-06-29 13:33:51 +0100
committerwaqas.ikram <waqas.ikram@est.tech>2021-06-29 16:26:53 +0100
commit6d6fde75df5837c67a0e098eda59a60bc6923041 (patch)
treefa29a2f5b71f434790319b02c91e40b905a7b460
parentd71ffa01c4ca340494717ec43dbc17b43ca8706a (diff)
Fixing XML parsers security bug
Change-Id: I8a4f156196af47272a2732b1fbddafb6f0eb1f4d Issue-ID: SO-3668 Signed-off-by: waqas.ikram <waqas.ikram@est.tech>
-rw-r--r--adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java7
-rw-r--r--bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java9
2 files changed, 10 insertions, 6 deletions
diff --git a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java
index 44d394730f..dfb3075d00 100644
--- a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java
+++ b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java
@@ -32,6 +32,7 @@ import javax.xml.XMLConstants;
import javax.xml.bind.JAXB;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
+import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.mutable.MutableBoolean;
import org.camunda.bpm.client.task.ExternalTask;
import org.camunda.bpm.client.task.ExternalTaskService;
@@ -76,8 +77,6 @@ public class PollService extends ExternalTaskUtils {
private static final Logger logger = LoggerFactory.getLogger(PollService.class);
- private static final String EMPTY_STRING = "";
-
@Autowired
private MsoVnfAdapterImpl vnfAdapterImpl;
@@ -326,8 +325,8 @@ public class PollService extends ExternalTaskUtils {
protected Optional<String> findRequestType(final String xmlString) {
try {
final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, EMPTY_STRING);
- factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, EMPTY_STRING);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, StringUtils.EMPTY);
final DocumentBuilder builder = factory.newDocumentBuilder();
final Document doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes(StandardCharsets.UTF_8)));
diff --git a/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java b/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java
index 5b40768573..7ed8447fa6 100644
--- a/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java
+++ b/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java
@@ -22,6 +22,7 @@ package org.onap.so.bpmn.infrastructure.sdnc.tasks;
import java.io.StringReader;
import java.io.StringWriter;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
@@ -30,6 +31,7 @@ import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
+import org.apache.commons.lang3.StringUtils;
import org.camunda.bpm.engine.delegate.DelegateExecution;
import org.onap.logging.filter.base.ONAPComponents;
import org.onap.so.bpmn.infrastructure.sdnc.exceptions.SDNCErrorResponseException;
@@ -151,8 +153,11 @@ public class SDNCRequestTasks {
}
protected String getXmlElement(final Document doc, final String exp) throws Exception {
- final TransformerFactory tf = TransformerFactory.newInstance();
- final Transformer transformer = tf.newTransformer();
+ final TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, StringUtils.EMPTY);
+
+ final Transformer transformer = factory.newTransformer();
final StringWriter writer = new StringWriter();
transformer.transform(new DOMSource(doc), new StreamResult(writer));
logger.debug(writer.getBuffer().toString());