summaryrefslogtreecommitdiffstats
path: root/bpmn/MSOCoreBPMN/src
diff options
context:
space:
mode:
authorwaqas.ikram <waqas.ikram@est.tech>2021-06-30 14:04:23 +0100
committerwaqas.ikram <waqas.ikram@est.tech>2021-06-30 14:04:24 +0100
commitfa22cfa93f7a2533fc2aa8a20e46bfd6a401579f (patch)
tree58c598c777a803567a054d902d670c5527f758a0 /bpmn/MSOCoreBPMN/src
parent1a031c0f696370d41f3373a39c54aeba7d35d994 (diff)
Fixing XML parsers security bug
Change-Id: I1fbf2b2bd42669d9a3c059c32bb39278bd483d60 Issue-ID: SO-3668 Signed-off-by: waqas.ikram <waqas.ikram@est.tech>
Diffstat (limited to 'bpmn/MSOCoreBPMN/src')
-rw-r--r--bpmn/MSOCoreBPMN/src/main/java/org/onap/so/bpmn/core/xml/XmlTool.java21
1 files changed, 12 insertions, 9 deletions
diff --git a/bpmn/MSOCoreBPMN/src/main/java/org/onap/so/bpmn/core/xml/XmlTool.java b/bpmn/MSOCoreBPMN/src/main/java/org/onap/so/bpmn/core/xml/XmlTool.java
index 58238c8ff6..79a4c54e23 100644
--- a/bpmn/MSOCoreBPMN/src/main/java/org/onap/so/bpmn/core/xml/XmlTool.java
+++ b/bpmn/MSOCoreBPMN/src/main/java/org/onap/so/bpmn/core/xml/XmlTool.java
@@ -224,7 +224,7 @@ public final class XmlTool {
* @return the contents of the modified XML document as a String or null/empty if the modification failed.
* @throws IOException, TransformerException, ParserConfigurationException, SAXException
*/
- public static Optional<String> modifyElement(String xml, String elementTag, String newValue)
+ public static Optional<String> modifyElement(final String xml, final String elementTag, final String newValue)
throws IOException, TransformerException, ParserConfigurationException, SAXException {
if (xml == null || xml.isEmpty()) {
@@ -232,15 +232,15 @@ public final class XmlTool {
return Optional.empty();
}
- DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+ final DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
dbFactory.setNamespaceAware(true);
dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- DocumentBuilder db = dbFactory.newDocumentBuilder();
- InputSource source = new InputSource(new StringReader(xml));
- Document doc = db.parse(source);
+ final DocumentBuilder db = dbFactory.newDocumentBuilder();
+ final InputSource source = new InputSource(new StringReader(xml));
+ final Document doc = db.parse(source);
- Node modNode = doc.getElementsByTagName(elementTag).item(0);
+ final Node modNode = doc.getElementsByTagName(elementTag).item(0);
if (modNode == null) {
// did not find the specified element to be modified, return empty
// System.out.println("Did not find element tag " + elementTag + " in XML");
@@ -249,9 +249,12 @@ public final class XmlTool {
modNode.setTextContent(newValue);
}
- TransformerFactory transformerFactory = TransformerFactory.newInstance();
- Transformer transformer = transformerFactory.newTransformer();
- StringWriter writer = new StringWriter();
+ final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY);
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, StringUtils.EMPTY);
+
+ final Transformer transformer = transformerFactory.newTransformer();
+ final StringWriter writer = new StringWriter();
transformer.transform(new DOMSource(doc), new StreamResult(writer));
// return the modified String representation of the XML
return Optional.of(writer.toString().trim());