From: mpriyank
Date: Thu, 5 Jan 2023 12:57:49 +0000 (+0000)
Subject: XEE prevention with all props
X-Git-Tag: 3.2.1~20
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=b48469262c83dc1e88b12d162de88a05ce61159c;p=cps.git

XEE prevention with all props

- include all properties to prevent XEE for DocumentBuilderFactory

Issue-ID: CPS-1435
Change-Id: I5a740f34072af348fe2df282fba7babeff4299d8
Signed-off-by: mpriyank
---
diff --git a/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java b/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java
index 3030d702c2..10e1f50b54 100644
--- a/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java
+++ b/cps-service/src/main/java/org/onap/cps/utils/XmlFileUtils.java
@@ -161,8 +161,15 @@ public class XmlFileUtils {
 }
 }
- private static DocumentBuilderFactory getDocumentBuilderFactory() {
+ private static DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException {
 if (isNewDocumentBuilderFactoryInstance) {
+ documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ documentBuilderFactory.setXIncludeAware(false);
+ documentBuilderFactory.setExpandEntityReferences(false);
+ documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
 isNewDocumentBuilderFactoryInstance = false;
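Review bot: The hardening in `getDocumentBuilderFactory()` still runs behind an unsynchronised check of `isNewDocumentBuilderFactoryInstance`, and with seven more calls now executed before the flag is cleared, the window in which two threads configure the shared factory at once is wider. The flag and factory declarations, and the end of the method, are outside the hunk, so this is inferred: if both are plain static fields, a thread may read the flag as false with no guarantee that it also sees the feature settings. Declaring the method as `private static synchronized DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException {`, or building the hardened factory once in a static initialiser, would close that. Because `disallow-doctype-decl` now makes the parser reject any input carrying a DOCTYPE, a comment such as `// DOCTYPE is rejected outright; the remaining settings are defence in depth` above the first `setFeature` call would help the next reader. A unit test that feeds a DOCTYPE-bearing document and expects a parse failure would pin the behaviour.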