Fix XML external entity vulnerability 07/122607/1
authorJonathan Platt <jonathan.platt@att.com>
Tue, 13 Jul 2021 15:27:33 +0000 (11:27 -0400)
committerJonathan Platt <jonathan.platt@att.com>
Tue, 13 Jul 2021 15:38:31 +0000 (11:38 -0400)
Disabled XML external entity references to resolve XML external entity
vulnerability. Also removed commented-out lines of code from previous
attempt to resolve XML external entity vulnerability.

Issue-ID: CCSDK-3321
Signed-off-by: Jonathan Platt <jonathan.platt@att.com>
Change-Id: Icb142cd1ace84c40d342ce0f08f418f43cc080e8

sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java

index 2e07012..c19cea0 100644 (file)
@@ -41,10 +41,8 @@ public class PomFile {
 
     public PomFile(InputStream is) throws ParserConfigurationException, SAXException, IOException {
         DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
-        //             documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-        //             documentBuilderFactory.setFeature(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
-        //             documentBuilderFactory.setFeature(XMLInputFactory.SUPPORT_DTD, false);
-
+        // Remediate XML external entity vulnerabilty - prohibit the use of all protocols by external entities:
+        documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
         this.xmlDoc = documentBuilder.parse(is);
     }
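Review bot: The comment on the new setFeature line describes something the line does not do: "disallow-doctype-decl" makes the parser reject any document that carries a DOCTYPE (the parse on the following line then fails with a SAXException), rather than restricting the protocols external entities may use, which is what the XMLConstants.ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_SCHEMA attributes control. Rejecting the DOCTYPE outright is the stronger and usually preferred remediation, so the fix itself looks right, but the comment should say what it actually guarantees, e.g. `// Reject any DOCTYPE declaration: this blocks external entities and entity expansion outright (a POM with a DOCTYPE now fails to parse with SAXException).` The same line also has a typo, "vulnerabilty". As defense in depth, if the code base ever switches to a parser that does not honour that feature, `documentBuilderFactory.setXIncludeAware(false);` and `documentBuilderFactory.setExpandEntityReferences(false);` before newDocumentBuilder() would be cheap additions, and callers of this constructor should be aware that a DOCTYPE is now a hard parse error rather than something silently ignored.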