Fix XML external entity vulnerability (CCSDK-3324) 20/122720/1
authorJonathan Platt <jonathan.platt@att.com>
Thu, 15 Jul 2021 16:38:16 +0000 (12:38 -0400)
committerJonathan Platt <jonathan.platt@att.com>
Mon, 19 Jul 2021 16:12:54 +0000 (12:12 -0400)
Disabled XML external entity references to resolve XML external entity
vulnerability in 'SdncUebCallback.java'

Issue-ID: CCSDK-3324
Signed-off-by: Jonathan Platt <jonathan.platt@att.com>
Change-Id: If959e915921042fdd0ba2ff16e167005ba1beed8

northbound/ueb-listener/src/main/java/org/onap/ccsdk/sli/northbound/uebclient/SdncUebCallback.java

index 8c3a290..ba06092 100644 (file)
@@ -1194,9 +1194,10 @@ public class SdncUebCallback implements INotificationCallback {
 
                     outFile = File.createTempFile("tmp", "xml");
                     TransformerFactory factory = TransformerFactory.newInstance();
-                    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);  
-                    //factory.setFeature("http://xml.org/sax/features/external-general-entities", false); -- breaks transform
-                    //factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);                   
+                    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+                    // To remediate XML external entity vulnerability, completely disable external entities declarations:
+                    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");               
                     Source xslt = new StreamSource(new File(xsltPath));
                     Transformer transformer = factory.newTransformer(xslt);
                     Source text = new StreamSource(inFile);
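Review bot: The two `setAttribute` calls at L25–L26 can throw `IllegalArgumentException` on a `TransformerFactory` implementation that does not recognise the JAXP `ACCESS_EXTERNAL_DTD`/`ACCESS_EXTERNAL_STYLESHEET` properties, and since `TransformerFactory.newInstance()` picks its provider via the service loader, a non-JDK factory on the classpath would turn this hardening into an uncaught runtime failure rather than a configured restriction; the hunk shows no handling, and the enclosing method starts and ends outside it, so whether a surrounding catch covers this is not visible. I would wrap the two calls so the failure is explicit, e.g. `catch (IllegalArgumentException e) { throw new IllegalStateException("TransformerFactory " + factory.getClass().getName() + " does not support JAXP external-access restrictions", e); }`, so a misconfigured provider fails loudly with context instead of silently losing the XXE mitigation. The comment at L24 is slightly misleading: setting the access properties to the empty string denies every protocol for fetching external DTDs, entities and stylesheets, it does not disable entity declarations themselves — something like `// Deny all protocols for external DTD/entity and stylesheet/document() fetches (JAXP 1.5), closing the XXE vector` states the actual effect. Note also that `FEATURE_SECURE_PROCESSING` already implies both restrictions on the JDK factory, so the explicit calls are belt-and-braces, which is fine but worth saying in the comment; and L26 carries trailing whitespace.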