From ebb7a2f593357acf321c690542e6e7a08a2d6226 Mon Sep 17 00:00:00 2001 From: "Gamboa, Gilbert" Date: Mon, 21 Oct 2019 15:26:51 -0400 Subject: Fortify scan reports vulnerability on Fortify scan reports vulnerability on SDCRequestTasks.java. Recommends to set following features on XML factory factory.setFeature("http://xml.org/sax/features/external-general-entitie s", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entit ies", false); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl ", true); Issue-ID: SO-2465 Signed-off-by: Benjamin, Max (mb388a) Change-Id: I33d9b16e8836af102523d7d6bc3fc7c2a09d5b64 --- .../org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java | 3 +++ 1 file changed, 3 insertions(+) (limited to 'bpmn/so-bpmn-tasks/src') diff --git a/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java b/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java index 3383fde0a8..e55fa9e24b 100644 --- a/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java +++ b/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java @@ -102,6 +102,9 @@ public class SDNCRequestTasks { String asyncRequest = (String) execution.getVariable(request.getCorrelationName() + MESSAGE); DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); + dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder db = dbf.newDocumentBuilder(); Document doc = db.parse(new InputSource(new StringReader(asyncRequest))); -- cgit 1.2.3-korg