authorwaqas.ikram <waqas.ikram@est.tech>2021-06-30 14:04:23 +0100
committerwaqas.ikram <waqas.ikram@est.tech>2021-06-30 14:04:24 +0100
commitfa22cfa93f7a2533fc2aa8a20e46bfd6a401579f (patch)
tree58c598c777a803567a054d902d670c5527f758a0 /adapters
parent1a031c0f696370d41f3373a39c54aeba7d35d994 (diff)
Fixing XML parsers security bug
Change-Id: I1fbf2b2bd42669d9a3c059c32bb39278bd483d60 Issue-ID: SO-3668 Signed-off-by: waqas.ikram <waqas.ikram@est.tech>
Diffstat (limited to 'adapters')
-rw-r--r--adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/RollbackService.java18
-rw-r--r--adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/StackService.java18
2 files changed, 24 insertions, 12 deletions
diff --git a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/RollbackService.java b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/RollbackService.java
index 4636a91d5c..b9e86b0169 100644
--- a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/RollbackService.java
+++ b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/RollbackService.java
@@ -2,13 +2,16 @@ package org.onap.so.adapters.tasks.orchestration;
import java.io.ByteArrayInputStream;
import java.io.StringReader;
+import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
+import javax.xml.XMLConstants;
import javax.xml.bind.JAXB;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.ws.Holder;
+import org.apache.commons.lang3.StringUtils;
import org.camunda.bpm.client.task.ExternalTask;
import org.camunda.bpm.client.task.ExternalTaskService;
import org.onap.so.adapters.network.MsoNetworkAdapterImpl;
@@ -24,6 +27,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+import org.w3c.dom.Document;
@Component
public class RollbackService extends ExternalTaskUtils {
@@ -110,14 +114,16 @@ public class RollbackService extends ExternalTaskUtils {
}
}
- protected Optional<String> findRequestType(String xmlString) {
+ protected Optional<String> findRequestType(final String xmlString) {
try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- DocumentBuilder builder = factory.newDocumentBuilder();
- org.w3c.dom.Document doc;
- doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes("UTF-8")));
+ final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, StringUtils.EMPTY);
+
+ final DocumentBuilder builder = factory.newDocumentBuilder();
+ final Document doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes(StandardCharsets.UTF_8)));
return Optional.of(doc.getDocumentElement().getNodeName());
- } catch (Exception e) {
+ } catch (final Exception e) {
logger.error("Error Finding Request Type", e);
return Optional.empty();
}
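Review bot: Blanking ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA on the factory (lines 56-57) stops the parser from fetching external DTDs and schemas, but a DOCTYPE is still accepted, so internal entity declarations can still be expanded (entity-expansion denial of service), and the secure-processing limits are only in effect if the JAXP implementation on the classpath enables them by default. Next to the two setAttribute calls I would add `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`. A rejected DOCTYPE makes parse() throw, which the existing catch turns into an error log and Optional.empty(), so this fails closed for any request carrying a DOCTYPE — worth confirming no legitimate caller sends one. The same two lines apply to StackService.findRequestType in the hunk below; in both files findRequestType's closing brace lies outside the hunk.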
diff --git a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/StackService.java b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/StackService.java
index 9b2badd1e7..4fc42633fc 100644
--- a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/StackService.java
+++ b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/StackService.java
@@ -24,14 +24,17 @@ package org.onap.so.adapters.tasks.orchestration;
import java.io.ByteArrayInputStream;
import java.io.StringReader;
+import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
+import javax.xml.XMLConstants;
import javax.xml.bind.JAXB;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.ws.Holder;
+import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.mutable.MutableBoolean;
import org.camunda.bpm.client.task.ExternalTask;
import org.camunda.bpm.client.task.ExternalTaskService;
@@ -59,6 +62,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+import org.w3c.dom.Document;
@Component
public class StackService extends ExternalTaskUtils {
@@ -342,14 +346,16 @@ public class StackService extends ExternalTaskUtils {
}
- protected Optional<String> findRequestType(String xmlString) {
+ protected Optional<String> findRequestType(final String xmlString) {
try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- DocumentBuilder builder = factory.newDocumentBuilder();
- org.w3c.dom.Document doc;
- doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes("UTF-8")));
+ final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, StringUtils.EMPTY);
+
+ final DocumentBuilder builder = factory.newDocumentBuilder();
+ final Document doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes(StandardCharsets.UTF_8)));
return Optional.of(doc.getDocumentElement().getNodeName());
- } catch (Exception e) {
+ } catch (final Exception e) {
logger.error("Error Finding Request Type", e);
return Optional.empty();
}