author | waqas.ikram <waqas.ikram@est.tech> | 2021-06-29 11:02:30 +0100 |
---|---|---|
committer | waqas.ikram <waqas.ikram@est.tech> | 2021-06-29 11:07:24 +0100 |
commit | d71ffa01c4ca340494717ec43dbc17b43ca8706a (patch) | |
tree | 602f5f9feec9fc20fab361f1c2c36505c3cb4352 /adapters/mso-openstack-adapters/src/main | |
parent | d18c3bbbdb56f2f55926e01101a570f39dbaff6a (diff) |
Fixing XML parsers security bug
Change-Id: I6c25dd87f393bbeca016a651d68afa11e60f3d94
Issue-ID: SO-3662
Signed-off-by: waqas.ikram <waqas.ikram@est.tech>
Diffstat (limited to 'adapters/mso-openstack-adapters/src/main')
-rw-r--r-- | adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java
index 31da330c7f..44d394730f 100644
--- a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java
+++ b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java
@@ -24,9 +24,11 @@ package org.onap.so.adapters.tasks.orchestration;
 import java.io.ByteArrayInputStream;
 import java.io.StringReader;
+import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXB;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -66,6 +68,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+import org.w3c.dom.Document;
 import com.woorea.openstack.heat.model.Stack;
 @Component
@@ -73,6 +76,8 @@ public class PollService extends ExternalTaskUtils {
 private static final Logger logger = LoggerFactory.getLogger(PollService.class);
+ private static final String EMPTY_STRING = "";
+
 @Autowired
 private MsoVnfAdapterImpl vnfAdapterImpl;
@@ -318,14 +323,16 @@ public class PollService extends ExternalTaskUtils {
 success.setTrue();
 }
- protected Optional<String> findRequestType(String xmlString) {
+ protected Optional<String> findRequestType(final String xmlString) {
 try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- DocumentBuilder builder = factory.newDocumentBuilder();
- org.w3c.dom.Document doc;
- doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes("UTF-8")));
+ final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, EMPTY_STRING);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, EMPTY_STRING);
+
+ final DocumentBuilder builder = factory.newDocumentBuilder();
+ final Document doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes(StandardCharsets.UTF_8)));
 return Optional.of(doc.getDocumentElement().getNodeName());
- } catch (Exception e) {
+ } catch (final Exception e) {
 logger.error("Error Finding Request Type", e);
 return Optional.empty();
 } |
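Review bot: The two `setAttribute` calls in `findRequestType` block external DTD and schema fetching, but the parser still accepts a DOCTYPE, so internal entity declarations in `xmlString` are still processed and are bounded only by the parser's built-in limits. Since only the root element name is read, rejecting DOCTYPE outright would be tighter: `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` alongside `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`. Also, `setAttribute` throws `IllegalArgumentException` when the resolved parser implementation does not recognise these JAXP 1.5 properties; here that lands in the broad `catch (final Exception e)` and would turn every call into `Optional.empty()` with only a log line, so a unit test that feeds a DOCTYPE-bearing payload and a plain payload is worth adding. The method's closing brace lies outside the hunk.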