XXE prevention 46/132846/5
authormpriyank <priyank.maheshwari@est.tech>
Tue, 3 Jan 2023 14:17:36 +0000 (14:17 +0000)
committermpriyank <priyank.maheshwari@est.tech>
Wed, 4 Jan 2023 13:28:20 +0000 (13:28 +0000)
- XML external entity (XXE) prevention in XmlFileUtils
- setting the features only once for the document builder factory

Issue-ID: CPS-1435
Change-Id: I06f9ac4bcdb0a90262f237489c6c50d8fde33c0d
Signed-off-by: mpriyank <priyank.maheshwari@est.tech>
cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java

index be592f0..bbff5ef 100644 (file)
@@ -49,7 +49,8 @@ import org.xml.sax.SAXException;
 @NoArgsConstructor(access = AccessLevel.PRIVATE)
 public class XmlFileUtils {
 
-    private static DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+    private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+    private static boolean isNewDocumentBuilderFactoryInstance = true;
     private static final Pattern XPATH_PROPERTY_REGEX =
         Pattern.compile("\\[@(\\S{1,100})=['\\\"](\\S{1,100})['\\\"]\\]");
 
@@ -98,7 +99,7 @@ public class XmlFileUtils {
                                                  final String namespace,
                                                  final Map<String, String> rootNodeProperty)
         throws IOException, SAXException, ParserConfigurationException, TransformerException {
-        final DocumentBuilder documentBuilder = dbFactory.newDocumentBuilder();
+        final DocumentBuilder documentBuilder = getDocumentBuilderFactory().newDocumentBuilder();
         final StringBuilder xmlStringBuilder = new StringBuilder();
         xmlStringBuilder.append(xmlContent);
         final Document document = documentBuilder.parse(
@@ -145,8 +146,8 @@ public class XmlFileUtils {
                                     final String namespace,
                                     final Map<String, String> rootNodeProperty) {
         try {
-            final DocumentBuilder docBuilder = dbFactory.newDocumentBuilder();
-            final Document document = docBuilder.newDocument();
+            final DocumentBuilder documentBuilder = getDocumentBuilderFactory().newDocumentBuilder();
+            final Document document = documentBuilder.newDocument();
             final Element rootElement = document.createElementNS(namespace, tagName);
             for (final Map.Entry<String, String> entry : rootNodeProperty.entrySet()) {
                 final Element propertyElement = document.createElement(entry.getKey());
@@ -160,4 +161,14 @@ public class XmlFileUtils {
             throw new DataValidationException("Can't parse XML", "XML can't be parsed", exception);
         }
     }
+
+    private static DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException {
+        if (isNewDocumentBuilderFactoryInstance) {
+            documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            isNewDocumentBuilderFactoryInstance = false;
+        }
+
+        return documentBuilderFactory;
+    }
 }
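Review bot: The lazy initialisation in getDocumentBuilderFactory is a check-then-act on the non-volatile static isNewDocumentBuilderFactoryInstance, so on concurrent first use two callers can both enter the if-block and call setFeature on the shared factory while a third may already be calling newDocumentBuilder() on it, and the JDK does not document DocumentBuilderFactory as thread-safe. Because the factory is a static final field, the features can be applied once in a static initialiser, which removes the flag entirely and makes a parser that refuses the secure features fail at class load rather than on the first parse; the getter then no longer needs to declare ParserConfigurationException, which is still thrown by newDocumentBuilder() at the call sites. While there, the usual hardening set also switches off XInclude and entity-reference expansion, which costs nothing here since disallow-doctype-decl already rejects any DOCTYPE, and I would note that in a comment so the next maintainer does not "relax" it to allow DTDs. The rewrite below replaces the field declaration from the first hunk as well as this method.
```java
private static final DocumentBuilderFactory documentBuilderFactory = newSecureDocumentBuilderFactory();

// … unchanged: XPATH_PROPERTY_REGEX and the two call sites …

/**
 * Builds the shared factory with XXE protection applied exactly once, before any
 * caller can obtain a DocumentBuilder from it. A DOCTYPE is rejected outright,
 * which blocks external/parameter entities and entity-expansion ("billion laughs").
 */
private static DocumentBuilderFactory newSecureDocumentBuilderFactory() {
    final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    try {
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
    } catch (final ParserConfigurationException exception) {
        // An XML parser that cannot be hardened must not be used at all.
        throw new IllegalStateException("XML parser does not support secure processing features", exception);
    }
    return factory;
}

private static DocumentBuilderFactory getDocumentBuilderFactory() {
    return documentBuilderFactory;
}
```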