diff options
| author |   waqas.ikram <waqas.ikram@est.tech> | 2021-06-30 14:04:23 +0100 |
|---|---|---|
| committer | waqas.ikram <waqas.ikram@est.tech> | 2021-06-30 14:04:24 +0100 |
| commit | fa22cfa93f7a2533fc2aa8a20e46bfd6a401579f (patch) | |
| tree | 58c598c777a803567a054d902d670c5527f758a0 /adapters/mso-openstack-adapters | |
| parent | 1a031c0f696370d41f3373a39c54aeba7d35d994 (diff) | |
Fixing XML parsers security bug
Change-Id: I1fbf2b2bd42669d9a3c059c32bb39278bd483d60
Issue-ID: SO-3668
Signed-off-by: waqas.ikram <waqas.ikram@est.tech>
Diffstat (limited to 'adapters/mso-openstack-adapters')
2 files changed, 24 insertions, 12 deletions
diff --git a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/RollbackService.java b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/RollbackService.java index 4636a91d5c..b9e86b0169 100644 --- a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/RollbackService.java +++ b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/RollbackService.java @@ -2,13 +2,16 @@ package org.onap.so.adapters.tasks.orchestration; import java.io.ByteArrayInputStream; import java.io.StringReader; +import java.nio.charset.StandardCharsets; import java.util.HashMap; import java.util.Map; import java.util.Optional; +import javax.xml.XMLConstants; import javax.xml.bind.JAXB; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.ws.Holder; +import org.apache.commons.lang3.StringUtils; import org.camunda.bpm.client.task.ExternalTask; import org.camunda.bpm.client.task.ExternalTaskService; import org.onap.so.adapters.network.MsoNetworkAdapterImpl; @@ -24,6 +27,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import org.w3c.dom.Document; @Component public class RollbackService extends ExternalTaskUtils { @@ -110,14 +114,16 @@ public class RollbackService extends ExternalTaskUtils { } } - protected Optional<String> findRequestType(String xmlString) { + protected Optional<String> findRequestType(final String xmlString) { try { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); - DocumentBuilder builder = factory.newDocumentBuilder(); - org.w3c.dom.Document doc; - doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes("UTF-8"))); + final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY); + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, StringUtils.EMPTY); + + final DocumentBuilder builder = factory.newDocumentBuilder(); + final Document doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes(StandardCharsets.UTF_8))); return Optional.of(doc.getDocumentElement().getNodeName()); - } catch (Exception e) { + } catch (final Exception e) { logger.error("Error Finding Request Type", e); return Optional.empty(); } diff --git a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/StackService.java b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/StackService.java index 9b2badd1e7..4fc42633fc 100644 --- a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/StackService.java +++ b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/StackService.java @@ -24,14 +24,17 @@ package org.onap.so.adapters.tasks.orchestration; import java.io.ByteArrayInputStream; import java.io.StringReader; +import java.nio.charset.StandardCharsets; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Optional; +import javax.xml.XMLConstants; import javax.xml.bind.JAXB; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.ws.Holder; +import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.mutable.MutableBoolean; import org.camunda.bpm.client.task.ExternalTask; import org.camunda.bpm.client.task.ExternalTaskService; @@ -59,6 +62,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import org.w3c.dom.Document; @Component public class StackService extends ExternalTaskUtils { @@ -342,14 +346,16 @@ public class StackService extends ExternalTaskUtils { } - protected Optional<String> findRequestType(String xmlString) { + protected Optional<String> findRequestType(final String xmlString) { try { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); - DocumentBuilder builder = factory.newDocumentBuilder(); - org.w3c.dom.Document doc; - doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes("UTF-8"))); + final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY); + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, StringUtils.EMPTY); + + final DocumentBuilder builder = factory.newDocumentBuilder(); + final Document doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes(StandardCharsets.UTF_8))); return Optional.of(doc.getDocumentElement().getNodeName()); - } catch (Exception e) { + } catch (final Exception e) { logger.error("Error Finding Request Type", e); return Optional.empty(); } |