From: Jonathan Platt <jonathan.platt@att.com>
Date: Tue, 13 Jul 2021 15:27:33 +0000 (-0400)
Subject: Fix XML external entity vulnerability
X-Git-Tag: 1.2.0~30
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=d5c8465211b61f2ef8529aec851a2ca6b6b0d2ca;p=ccsdk%2Ffeatures.git

Fix XML external entity vulnerability

Disabled XML external entity references to resolve XML external entity
vulnerability. Also removed commented-out lines of code from previous
attempt to resolve XML external entity vulnerability.

Issue-ID: CCSDK-3321
Signed-off-by: Jonathan Platt <jonathan.platt@att.com>
Change-Id: Icb142cd1ace84c40d342ce0f08f418f43cc080e8
---

diff --git a/sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java b/sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java
index 2e0701257..c19cea08d 100644
--- a/sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java
+++ b/sdnr/wt/common/src/main/java/org/onap/ccsdk/features/sdnr/wt/common/file/PomFile.java
@@ -41,10 +41,8 @@ public class PomFile {
 
     public PomFile(InputStream is) throws ParserConfigurationException, SAXException, IOException {
         DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
-        //		documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-        //		documentBuilderFactory.setFeature(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
-        //		documentBuilderFactory.setFeature(XMLInputFactory.SUPPORT_DTD, false);
-
+        // Remediate XML external entity vulnerabilty - prohibit the use of all protocols by external entities:
+        documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
         this.xmlDoc = documentBuilder.parse(is);
     }