Disabled XML external entity references to resolve XML external entity
vulnerability in 'VNFOperationalStateValidatorImpl.java'
Issue-ID: CCSDK-3322
Signed-off-by: Jonathan Platt <jonathan.platt@att.com>
Change-Id: I88dc0a0ef8e9a587e8f9b3be15ef55e70c687b6e
List<Map.Entry> entryList = null;
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ // Remediate XML external entity vulnerabilty - prohibit the use of all protocols by external entities:
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(new ByteArrayInputStream(xmlText.getBytes(StandardCharsets.UTF_8)));
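Review bot: The comment on the added `setFeature` line says it will "prohibit the use of all protocols by external entities", but `http://apache.org/xml/features/disallow-doctype-decl` does something broader: it makes the parser reject any document that contains a DOCTYPE declaration at all. That wording describes the `XMLConstants.ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_SCHEMA` attributes instead. Please reword the comment to say that DOCTYPE declarations are disallowed, and fix the "vulnerabilty" typo while there. Because `builder.parse(...)` will now throw a `SAXParseException` for any `xmlText` that carries a DOCTYPE, it is worth confirming that no legitimate input to this validator includes one, and adding a unit test that feeds in a document with a DOCTYPE and asserts that it is rejected. As defence in depth, consider also calling `factory.setXIncludeAware(false)` and `factory.setExpandEntityReferences(false)` next to this line.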