Set properties on XML parsers to prevent XXE attack 35/108935/2
authorNeil Derraugh <neil.derraugh@yoppworks.com>
Mon, 8 Jun 2020 19:45:58 +0000 (15:45 -0400)
committerOfir Sonsino <ofir.sonsino@intl.att.com>
Wed, 10 Jun 2020 08:23:38 +0000 (08:23 +0000)
- Set ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA properties on XML
parsers to prevent XXE attacks

Issue-ID: SDC-3106
Signed-off-by: Neil Derraugh <neil.derraugh@yoppworks.com>
Change-Id: If4e835858dd3d718d37b3ee41fb2fd0c94574c24

asdctool/src/main/java/org/openecomp/sdc/asdctool/impl/GraphMLDataAnalyzer.java
catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/ArtifactsBusinessLogic.java
catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java

index 312d862..d8642eb 100644 (file)
@@ -20,6 +20,7 @@
 
 package org.openecomp.sdc.asdctool.impl;
 
+import javax.xml.XMLConstants;
 import org.apache.poi.hssf.usermodel.HSSFWorkbook;
 import org.apache.poi.ss.usermodel.Row;
 import org.apache.poi.ss.usermodel.Sheet;
@@ -69,6 +70,9 @@ public class GraphMLDataAnalyzer {
     private String analyzeGraphMLData(String mlFileLocation) throws JDOMException, IOException {
         // Parse ML file
         SAXBuilder builder = new SAXBuilder();
+        builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+
         File xmlFile = new File(mlFileLocation);
         Document document = builder.build(xmlFile);
 
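Review bot: The two `setProperty` calls on the JDOM `SAXBuilder` only restrict fetching of external DTDs and schemas; a DOCTYPE with internal entity declarations is still parsed and expanded, so if GraphML input never needs a DOCTYPE the stronger control is to refuse it outright with `builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` (and `builder.setExpandEntities(false);` as belt-and-braces). Note also that, as far as I recall, JDOM applies properties to the underlying XMLReader when the parser is created and surfaces an unrecognized property as a JDOMException, so on a parser without JAXP 1.5 support this method would fail on every file rather than silently parse unhardened; a one-line comment stating that fail-closed expectation next to the property calls would help the next maintainer. The body of analyzeGraphMLData continues past the hunk.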
index a914973..eba749f 100644 (file)
@@ -52,6 +52,7 @@ import java.util.stream.Collectors;
 import javax.servlet.http.HttpServletRequest;
 import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.collections.CollectionUtils;
@@ -2072,7 +2073,10 @@ public class ArtifactsBusinessLogic extends BaseBusinessLogic {
     private boolean isValidXml(byte[] xmlToParse) {
         boolean isXmlValid = true;
         try {
-            XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
+            SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
+            saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+            XMLReader reader = saxParser.getXMLReader();
             setFeatures(reader);
             reader.parse(new InputSource(new ByteArrayInputStream(xmlToParse)));
         }
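Review bot: The hardened-parser construction (factory → newSAXParser → the two `setProperty` calls → `getXMLReader`) is now duplicated verbatim between isValidXml here and PayloadTypeEnum.isValid in the third file, so a future hardening (e.g. disallowing DOCTYPE) would have to be applied in two places and can drift; a single shared helper such as `static XMLReader newHardenedXmlReader() throws ParserConfigurationException, SAXException` that both call sites use would keep them in step. The properties set here only stop the parser from resolving external DTDs/schemas; whether DOCTYPE declarations and entity expansion are also disabled depends on what `setFeatures(reader)` does, which is outside this hunk and worth confirming. The body of isValidXml, including its catch clause, continues past the hunk.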
index 57afb87..df6a552 100644 (file)
@@ -25,6 +25,7 @@ package org.openecomp.sdc.be.components.impl.artifact;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import fj.data.Either;
+import javax.xml.parsers.SAXParser;
 import org.openecomp.sdc.be.config.validation.DeploymentArtifactHeatConfiguration;
 import org.openecomp.sdc.be.dao.api.ActionStatus;
 import org.openecomp.sdc.common.log.wrappers.Logger;
@@ -83,7 +84,10 @@ public enum PayloadTypeEnum {
         @Override
         public Either<Boolean, ActionStatus> isValid(byte[] payload) {
             try {
-                XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
+                SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
+                saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+                XMLReader reader = saxParser.getXMLReader();
                 setFeatures(reader);
                 reader.parse(new InputSource(new ByteArrayInputStream(payload)));
             } catch (ParserConfigurationException | IOException | SAXException exception) {
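Review bot: The catch clause on the last line catches SAXException, which also covers the SAXNotRecognizedException/SAXNotSupportedException that `setProperty` throws when the underlying parser does not support the JAXP 1.5 access properties, so on such a parser every payload would be reported invalid — fail-closed, but indistinguishable from malformed input. That is defensible, but it should be stated so nobody later "fixes" it by catching and ignoring the property error; a comment above the first `setProperty` like `// unsupported access-control properties throw SAXNotRecognizedException, caught below: fail closed rather than parse unhardened` would make the intent explicit, and logging that case separately in the catch would make a misconfigured runtime visible. The catch body and the rest of isValid are outside the hunk.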