XEE prevention with all props 71/132871/1
authormpriyank <priyank.maheshwari@est.tech>
Thu, 5 Jan 2023 12:57:49 +0000 (12:57 +0000)
committermpriyank <priyank.maheshwari@est.tech>
Thu, 5 Jan 2023 12:57:53 +0000 (12:57 +0000)
- include all properties to prevent XEE for DocumentBuilderFactory

Issue-ID: CPS-1435
Change-Id: I5a740f34072af348fe2df282fba7babeff4299d8
Signed-off-by: mpriyank <priyank.maheshwari@est.tech>
cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java

index 3030d70..10e1f50 100644 (file)
@@ -161,8 +161,15 @@ public class XmlFileUtils {
         }
     }
 
-    private static DocumentBuilderFactory getDocumentBuilderFactory() {
+    private static DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException {
         if (isNewDocumentBuilderFactoryInstance) {
+            documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            documentBuilderFactory.setXIncludeAware(false);
+            documentBuilderFactory.setExpandEntityReferences(false);
+            documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
             documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
             isNewDocumentBuilderFactoryInstance = false;
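Review bot: The hardening added inside `if (isNewDocumentBuilderFactoryInstance)` runs under an unsynchronized check-then-act on what appears to be a shared static factory, so two threads making the first call can both be mutating `documentBuilderFactory` at once, and JAXP does not guarantee that DocumentBuilderFactory is thread safe. The field declarations are outside the hunk, so this is inferred; if nothing else serializes access, declare the method `private static synchronized DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException` or configure the factory once in a static initializer. It would also help to put a comment above the first `setFeature` call, such as `// DOCTYPE is rejected outright; the settings below are defense in depth if that feature is ever relaxed`, since documents carrying a DOCTYPE will now fail to parse. The method body continues past the end of the hunk.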