Disabled XML external entity references to resolve XML external entity
vulnerability in 'XmlParser.java'
Issue-ID: CCSDK-3327
Issue-ID: CCSDK-3317
Signed-off-by: Jonathan Platt <jonathan.platt@att.com>
Change-Id: I7bae80f3e5858e05d6782c6a290fba33bc7a38ed
Handler handler = new Handler(listNameList);
try {
SAXParserFactory factory = SAXParserFactory.newInstance();
+ // To remediate XML external entity vulnerability, completely disable external entities declarations:
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
SAXParser saxParser = factory.newSAXParser();
InputStream in = new ByteArrayInputStream(s.getBytes());
saxParser.parse(in, handler);
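Review bot: DOCTYPE declarations are still accepted after the two `setFeature` calls added ahead of `factory.newSAXParser()`, since those calls only cover external general and external parameter entities and leave internal entity declarations and their expansion enabled. If the input handled here never needs a DTD, consider also setting `http://apache.org/xml/features/disallow-doctype-decl` to true on the same factory, which rejects any document carrying a DOCTYPE, and enabling `XMLConstants.FEATURE_SECURE_PROCESSING`. Because `SAXParserFactory.newInstance()` returns whichever implementation is on the classpath, it is worth confirming that an unsupported feature makes the surrounding `try` fail closed and skip parsing. Minor: in the new comment, "external entities declarations" should read "external entity declarations".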