Fix XML injection issue

author Mei Su <ms6523@att.com>

Wed, 11 Jul 2018 15:55:24 +0000 (11:55 -0400)

committer Takamune Cho <tc012c@att.com>

Wed, 11 Jul 2018 23:52:23 +0000 (23:52 +0000)
author Mei Su <ms6523@att.com>
Wed, 11 Jul 2018 15:55:24 +0000 (11:55 -0400)
committer Takamune Cho <tc012c@att.com>
Wed, 11 Jul 2018 23:52:23 +0000 (23:52 +0000)
diff --git a/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java b/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java

index eaf5478..9f1715e 100644 (file)
--- a/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
+++ b/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
@@ -35,6 +35,7 @@ import java.io.Reader;
  import javax.xml.parsers.DocumentBuilder;
  import javax.xml.parsers.DocumentBuilderFactory;
  import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.XMLConstants;
  import org.apache.velocity.app.Velocity;
  import org.apache.velocity.app.VelocityEngine;
  import org.apache.velocity.exception.MethodInvocationException;
@@ -134,6 +135,10 @@ public class ValidatorService {
  
          try {
              DocumentBuilderFactory dBF = DocumentBuilderFactory.newInstance();
+            dBF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            dBF.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            dBF.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
              DocumentBuilder builder = dBF.newDocumentBuilder();
              builder.parse(new InputSource(new ByteArrayInputStream(payload.getBytes("utf-8"))));
              return DesignServiceConstants.SUCCESS;
author	Mei Su <ms6523@att.com>
	Wed, 11 Jul 2018 15:55:24 +0000 (11:55 -0400)
committer	Takamune Cho <tc012c@att.com>
	Wed, 11 Jul 2018 23:52:23 +0000 (23:52 +0000)