From: Mei Su
Date: Wed, 11 Jul 2018 15:55:24 +0000 (-0400)
Subject: Fix XML injection issue
X-Git-Tag: 1.4.0~185
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F27%2F56227%2F3;p=appc.git
Fix XML injection issue
Fix XML injection security issue
Issue-ID: APPC-1068
Change-Id: Id534da6d0c8287ba32febd959c81c313ee21302a
Signed-off-by: Mei Su
---
diff --git a/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java b/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
index eaf5478c4..9f1715e60 100644
--- a/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
+++ b/appc-inbound/appc-design-services/provider/src/main/java/org/onap/appc/design/validator/ValidatorService.java
@@ -35,6 +35,7 @@ import java.io.Reader;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.XMLConstants;
 import org.apache.velocity.app.Velocity;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.exception.MethodInvocationException;
@@ -134,6 +135,10 @@ public class ValidatorService {
 try {
 DocumentBuilderFactory dBF = DocumentBuilderFactory.newInstance();
+ dBF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ dBF.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dBF.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
 DocumentBuilder builder = dBF.newDocumentBuilder();
 builder.parse(new InputSource(new ByteArrayInputStream(payload.getBytes("utf-8"))));
 return DesignServiceConstants.SUCCESS;
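Review bot: In the second hunk the factory still accepts DOCTYPE declarations, so the hardening rests on the two external-entity switches and on whatever limits `FEATURE_SECURE_PROCESSING` enforces in the JAXP implementation that happens to be on the classpath. If design payloads never need a DTD, the more complete setting is to refuse them outright before `newDocumentBuilder()`: `dBF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, together with `dBF.setXIncludeAware(false);` and `dBF.setExpandEntityReferences(false);`. If a DOCTYPE must stay allowed, at least set `"http://apache.org/xml/features/nonvalidating/load-external-dtd"` to false so the parser does not fetch external DTDs. `setFeature` throws `ParserConfigurationException` for a feature the parser does not recognise; the catch clauses and the rest of the method are outside this hunk, so it is worth confirming that such a failure rejects the payload rather than falling back to an unhardened parse. A short comment above the calls stating that they are the XXE hardening would keep a later refactor from dropping them.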