Fix Blocker Vulnerability 54/129454/2
authorvasraz <vasyl.razinkov@est.tech>
Wed, 1 Jun 2022 14:32:14 +0000 (15:32 +0100)
committerMichael Morris <michael.morris@est.tech>
Thu, 2 Jun 2022 13:39:16 +0000 (13:39 +0000)
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Change-Id: I4286eafb4d2a7f20d39fc77182e2dc23e9446aab
Issue-ID: SDC-4029

catalog-be/src/main/java/org/openecomp/sdc/be/components/impl/artifact/PayloadTypeEnum.java

index b94b565..b253537 100644 (file)
@@ -76,12 +76,19 @@ public enum PayloadTypeEnum {
         }
     }, XML {
         @Override
-        public Either<Boolean, ActionStatus> isValid(byte[] payload) {
+        public Either<Boolean, ActionStatus> isValid(final byte[] payload) {
             try {
-                SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
+                final SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
+                // to be compliant, completely disable DOCTYPE declaration:
+                saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+                // completely disable external entities declarations:
+                saxParserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+                saxParserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+                final SAXParser saxParser = saxParserFactory.newSAXParser();
+                // prohibit the use of all protocols by external entities:
                 saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
                 saxParser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
-                XMLReader reader = saxParser.getXMLReader();
+                final XMLReader reader = saxParser.getXMLReader();
                 setFeatures(reader);
                 reader.parse(new InputSource(new ByteArrayInputStream(payload)));
             } catch (ParserConfigurationException | IOException | SAXException exception) {
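Review bot: The three feature names set on the factory are Xerces-specific, so a JAXP implementation that does not recognise them throws SAXNotRecognizedException/SAXNotSupportedException from setFeature, and the multi-catch on the last line of the hunk absorbs that together with genuine payload errors, leaving the caller unable to tell "parser misconfigured, every XML artifact rejected" from "this payload is invalid". Failing closed is the right default, but a preceding `catch (SAXNotRecognizedException | SAXNotSupportedException e)` that logs it as a configuration error would make the condition diagnosable; the catch body itself continues outside the hunk, so the current handling is not visible here. It would also be worth adding `saxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` alongside the existing calls so the standard entity-expansion limits apply regardless of the concrete parser. Note that `setFeatures(reader)` is defined outside the hunk; it should be checked that it does not re-enable any of the features disabled here.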