authorwaqas.ikram <waqas.ikram@est.tech>2021-06-29 13:33:51 +0100
committerwaqas.ikram <waqas.ikram@est.tech>2021-06-29 16:26:53 +0100
commit6d6fde75df5837c67a0e098eda59a60bc6923041 (patch)
treefa29a2f5b71f434790319b02c91e40b905a7b460 /bpmn/so-bpmn-tasks/src
parentd71ffa01c4ca340494717ec43dbc17b43ca8706a (diff)
Fixing XML parsers security bug
Change-Id: I8a4f156196af47272a2732b1fbddafb6f0eb1f4d Issue-ID: SO-3668 Signed-off-by: waqas.ikram <waqas.ikram@est.tech>
Diffstat (limited to 'bpmn/so-bpmn-tasks/src')
-rw-r--r--bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java9
1 files changed, 7 insertions, 2 deletions
diff --git a/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java b/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java
index 5b40768573..7ed8447fa6 100644
--- a/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java
+++ b/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java
@@ -22,6 +22,7 @@ package org.onap.so.bpmn.infrastructure.sdnc.tasks;
import java.io.StringReader;
import java.io.StringWriter;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
@@ -30,6 +31,7 @@ import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
+import org.apache.commons.lang3.StringUtils;
import org.camunda.bpm.engine.delegate.DelegateExecution;
import org.onap.logging.filter.base.ONAPComponents;
import org.onap.so.bpmn.infrastructure.sdnc.exceptions.SDNCErrorResponseException;
@@ -151,8 +153,11 @@ public class SDNCRequestTasks {
}
protected String getXmlElement(final Document doc, final String exp) throws Exception {
- final TransformerFactory tf = TransformerFactory.newInstance();
- final Transformer transformer = tf.newTransformer();
+ final TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, StringUtils.EMPTY);
+
+ final Transformer transformer = factory.newTransformer();
final StringWriter writer = new StringWriter();
transformer.transform(new DOMSource(doc), new StreamResult(writer));
logger.debug(writer.getBuffer().toString());
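Review bot: The two `factory.setAttribute(...)` calls restrict only the `TransformerFactory`, whose input in `getXmlElement` is an already-parsed `DOMSource(doc)`, so any DTD or external-entity resolution would have happened earlier, where the `Document` was built. The file imports `DocumentBuilderFactory` and none of this commit's insertions touch its use, which lies outside the hunk; please confirm that factory sets `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` or at least `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Separately, `setAttribute` throws `IllegalArgumentException` when the resolved implementation does not recognise the JAXP 1.5 properties, which can happen if a non-JDK transformer is on the classpath, so a comment such as `// JAXP 1.5 access properties: block external DTD and stylesheet fetches` plus a note on the required implementation would help. The body of `getXmlElement` continues past the end of the hunk.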