diff options
author | waqas.ikram <waqas.ikram@est.tech> | 2021-06-29 13:33:51 +0100 |
---|---|---|
committer | waqas.ikram <waqas.ikram@est.tech> | 2021-06-29 16:26:53 +0100 |
commit | 6d6fde75df5837c67a0e098eda59a60bc6923041 (patch) | |
tree | fa29a2f5b71f434790319b02c91e40b905a7b460 /bpmn | |
parent | d71ffa01c4ca340494717ec43dbc17b43ca8706a (diff) |
Fixing XML parsers security bug
Change-Id: I8a4f156196af47272a2732b1fbddafb6f0eb1f4d
Issue-ID: SO-3668
Signed-off-by: waqas.ikram <waqas.ikram@est.tech>
Diffstat (limited to 'bpmn')
-rw-r--r-- | bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java b/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java index 5b40768573..7ed8447fa6 100644 --- a/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java +++ b/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java @@ -22,6 +22,7 @@ package org.onap.so.bpmn.infrastructure.sdnc.tasks; import java.io.StringReader; import java.io.StringWriter; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.Transformer; @@ -30,6 +31,7 @@ import javax.xml.transform.dom.DOMSource; import javax.xml.transform.stream.StreamResult; import javax.xml.xpath.XPath; import javax.xml.xpath.XPathFactory; +import org.apache.commons.lang3.StringUtils; import org.camunda.bpm.engine.delegate.DelegateExecution; import org.onap.logging.filter.base.ONAPComponents; import org.onap.so.bpmn.infrastructure.sdnc.exceptions.SDNCErrorResponseException; @@ -151,8 +153,11 @@ public class SDNCRequestTasks { } protected String getXmlElement(final Document doc, final String exp) throws Exception { - final TransformerFactory tf = TransformerFactory.newInstance(); - final Transformer transformer = tf.newTransformer(); + final TransformerFactory factory = TransformerFactory.newInstance(); + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY); + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, StringUtils.EMPTY); + + final Transformer transformer = factory.newTransformer(); final StringWriter writer = new StringWriter(); transformer.transform(new DOMSource(doc), new StreamResult(writer)); logger.debug(writer.getBuffer().toString()); |