From d71ffa01c4ca340494717ec43dbc17b43ca8706a Mon Sep 17 00:00:00 2001
From: "waqas.ikram"
Date: Tue, 29 Jun 2021 11:02:30 +0100
Subject: Fixing XML parsers security bug
Change-Id: I6c25dd87f393bbeca016a651d68afa11e60f3d94
Issue-ID: SO-3662
Signed-off-by: waqas.ikram
---
 .../so/adapters/tasks/orchestration/PollService.java | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java
index 31da330c7f..44d394730f 100644
--- a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java
+++ b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java
@@ -24,9 +24,11 @@ package org.onap.so.adapters.tasks.orchestration;
 import java.io.ByteArrayInputStream;
 import java.io.StringReader;
+import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXB;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -66,6 +68,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+import org.w3c.dom.Document;
 import com.woorea.openstack.heat.model.Stack;
 @Component
@@ -73,6 +76,8 @@ public class PollService extends ExternalTaskUtils {
 private static final Logger logger = LoggerFactory.getLogger(PollService.class);
+ private static final String EMPTY_STRING = "";
+
 @Autowired
 private MsoVnfAdapterImpl vnfAdapterImpl;
@@ -318,14 +323,16 @@ public class PollService extends ExternalTaskUtils {
 success.setTrue();
 }
- protected Optional findRequestType(String xmlString) {
+ protected Optional findRequestType(final String xmlString) {
 try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- DocumentBuilder builder = factory.newDocumentBuilder();
- org.w3c.dom.Document doc;
- doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes("UTF-8")));
+ final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, EMPTY_STRING);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, EMPTY_STRING);
+
+ final DocumentBuilder builder = factory.newDocumentBuilder();
+ final Document doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes(StandardCharsets.UTF_8)));
 return Optional.of(doc.getDocumentElement().getNodeName());
- } catch (Exception e) {
+ } catch (final Exception e) {
 logger.error("Error Finding Request Type", e);
 return Optional.empty();
 }
-- cgit 1.2.3-korg
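Review bot: The two `setAttribute` calls on `factory` only restrict access to *external* DTDs and schemas, so a `<!DOCTYPE>` carrying internal entity declarations is still processed by `builder.parse`, which leaves the method exposed to entity-expansion resource exhaustion and, on a parser implementation that does not honour the JAXP 1.5 properties, to the original external-entity behaviour. Because the method already treats any parse failure as `Optional.empty()`, rejecting DOCTYPE outright is the safest configuration here: add `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `newDocumentBuilder()` (the second is the Xerces feature name, which the JDK's built-in parser supports; `factory.setExpandEntityReferences(false)` is a further fallback). Note also that `setAttribute` throws `IllegalArgumentException` when an implementation does not recognise the property, and the broad `catch (final Exception e)` would turn that misconfiguration into a logged empty result indistinguishable from a bad request, so a comment on the catch stating that hardening failures are intentionally folded into the empty return is worth adding. The callers of findRequestType and the rest of the class lie outside this hunk.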