From: Jonathan Platt
Date: Tue, 13 Jul 2021 17:55:12 +0000 (-0400)
Subject: Fix XML external entity vulnerability (CCSDK-3323)
X-Git-Tag: 1.3.0~9
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F10%2F122610%2F1;p=ccsdk%2Fsli.git
Fix XML external entity vulnerability (CCSDK-3323)
Disabled XML external entity references to resolve XML external entity vulnerability in 'SvcLogicParser.java'
Issue-ID: CCSDK-3323
Signed-off-by: Jonathan Platt
Change-Id: Ic4a6a13e228a699abf60181a537198913900cec7
---
diff --git a/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java b/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
index adec7b27d..fdceaad55 100644
--- a/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
+++ b/core/sli/common/src/main/java/org/onap/ccsdk/sli/core/sli/SvcLogicParser.java
@@ -598,6 +598,9 @@ public class SvcLogicParser {
 }
 SAXParserFactory factory = SAXParserFactory.newInstance();
+ // To remediate XML external entity vulnerability, completely disable external entities declarations:
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 if (schema != null) {
 factory.setNamespaceAware(true);
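Review bot: A DOCTYPE is still accepted after the two added `setFeature` calls, so entity declarations inside the document are still parsed, and internal entity expansion is limited only by whatever defaults the parser returned by `SAXParserFactory.newInstance()` applies. If the service-logic XML never needs a DTD, the stricter setting is `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, optionally together with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` (which needs the `javax.xml.XMLConstants` import). `setFeature` can throw `ParserConfigurationException`, `SAXNotRecognizedException` and `SAXNotSupportedException`, and the enclosing method's exception handling lies outside the hunk, so it is worth confirming that a rejected feature aborts the parse rather than being logged and skipped. The added comment could also name the parser behaviour it relies on, e.g. `// XXE hardening: refuse external general and parameter entities (includes the external DTD subset)`.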