From 6d6fde75df5837c67a0e098eda59a60bc6923041 Mon Sep 17 00:00:00 2001 From: "waqas.ikram" Date: Tue, 29 Jun 2021 13:33:51 +0100 Subject: [PATCH] Fixing XML parsers security bug Change-Id: I8a4f156196af47272a2732b1fbddafb6f0eb1f4d Issue-ID: SO-3668 Signed-off-by: waqas.ikram --- .../org/onap/so/adapters/tasks/orchestration/PollService.java | 7 +++---- .../onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java | 9 +++++++-- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java index 44d394730f..dfb3075d00 100644 --- a/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java +++ b/adapters/mso-openstack-adapters/src/main/java/org/onap/so/adapters/tasks/orchestration/PollService.java @@ -32,6 +32,7 @@ import javax.xml.XMLConstants; import javax.xml.bind.JAXB; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; +import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.mutable.MutableBoolean; import org.camunda.bpm.client.task.ExternalTask; import org.camunda.bpm.client.task.ExternalTaskService; @@ -76,8 +77,6 @@ public class PollService extends ExternalTaskUtils { private static final Logger logger = LoggerFactory.getLogger(PollService.class); - private static final String EMPTY_STRING = ""; - @Autowired private MsoVnfAdapterImpl vnfAdapterImpl; @@ -326,8 +325,8 @@ public class PollService extends ExternalTaskUtils { protected Optional findRequestType(final String xmlString) { try { final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); - factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, EMPTY_STRING); - factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, EMPTY_STRING); + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY); + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, StringUtils.EMPTY); final DocumentBuilder builder = factory.newDocumentBuilder(); final Document doc = builder.parse(new ByteArrayInputStream(xmlString.getBytes(StandardCharsets.UTF_8))); diff --git a/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java b/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java index 5b40768573..7ed8447fa6 100644 --- a/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java +++ b/bpmn/so-bpmn-tasks/src/main/java/org/onap/so/bpmn/infrastructure/sdnc/tasks/SDNCRequestTasks.java @@ -22,6 +22,7 @@ package org.onap.so.bpmn.infrastructure.sdnc.tasks; import java.io.StringReader; import java.io.StringWriter; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.Transformer; @@ -30,6 +31,7 @@ import javax.xml.transform.dom.DOMSource; import javax.xml.transform.stream.StreamResult; import javax.xml.xpath.XPath; import javax.xml.xpath.XPathFactory; +import org.apache.commons.lang3.StringUtils; import org.camunda.bpm.engine.delegate.DelegateExecution; import org.onap.logging.filter.base.ONAPComponents; import org.onap.so.bpmn.infrastructure.sdnc.exceptions.SDNCErrorResponseException; @@ -151,8 +153,11 @@ public class SDNCRequestTasks { } protected String getXmlElement(final Document doc, final String exp) throws Exception { - final TransformerFactory tf = TransformerFactory.newInstance(); - final Transformer transformer = tf.newTransformer(); + final TransformerFactory factory = TransformerFactory.newInstance(); + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY); + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, StringUtils.EMPTY); + + final Transformer transformer = factory.newTransformer(); final StringWriter writer = new StringWriter(); transformer.transform(new DOMSource(doc), new StreamResult(writer)); logger.debug(writer.getBuffer().toString()); -- 2.16.6