Fix CRITICAL XXE (XML External Entity) issues identified in SonarCloud 63/122763/2
authorwr148d <wr148d@att.com>
Tue, 20 Jul 2021 17:00:28 +0000 (13:00 -0400)
committerwr148d <wr148d@att.com>
Tue, 20 Jul 2021 17:55:15 +0000 (13:55 -0400)
Issue-ID: AAI-3347
Change-Id: I5b187fea722eb2749dfb5336c3b5ae24fa7df336
Signed-off-by: wr148d <wr148d@att.com>
aai-schema-gen/src/main/java/org/onap/aai/schemagen/genxsd/OxmFileProcessor.java
aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/NodeIngestor.java
aai-schema-service/src/main/java/org/onap/aai/schemaservice/nodeschema/validation/DefaultDuplicateNodeDefinitionValidationModule.java

index 39eb9d9..d9c544d 100644 (file)
@@ -221,6 +221,11 @@ public abstract class OxmFileProcessor {
         try {
             DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
             dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            dbFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
             dBuilder = dbFactory.newDocumentBuilder();
         } catch (ParserConfigurationException e) {
             throw e;
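Review bot: The same five hardening lines are now pasted into four call sites (here, NodeIngestor twice, and DefaultDuplicateNodeDefinitionValidationModule), so the next parser-security fix has to be found and applied four times; a shared factory such as `public static DocumentBuilderFactory newSecureDocumentBuilderFactory() throws ParserConfigurationException` that applies all of them once, with a Javadoc explaining that `disallow-doctype-decl` is the primary XXE control and the entity and access-external settings are defense in depth, would keep them in step. Note also that `setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` throws `IllegalArgumentException`, not `ParserConfigurationException`, on a JAXP implementation that does not recognise the attribute, so the `catch (ParserConfigurationException e)` below would not cover it; either widen the catch or document the JAXP 1.5+ requirement. The enclosing method starts before this hunk.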
index 16136d5..2c32985 100644 (file)
@@ -113,6 +113,11 @@ public class NodeIngestor {
         Set<String> types = new HashSet<>();
         final DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
         docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
         final DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
 
         ArrayList<Node> javaTypes = new ArrayList<>();
@@ -136,6 +141,11 @@ public class NodeIngestor {
     private Document createCombinedSchema(List<String> files, SchemaVersion v) throws ParserConfigurationException, SAXException, IOException {
         final DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
         docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
         final DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
         DocumentBuilder masterDocBuilder = docFactory.newDocumentBuilder();
         Document combinedDoc = masterDocBuilder.parse(getShell(v));
index 915a54d..ac3a450 100644 (file)
@@ -54,6 +54,11 @@ public class DefaultDuplicateNodeDefinitionValidationModule implements Duplicate
                try {
                        final DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
                        docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            docFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
                        final DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
 
                        Multimap<String, String> types = ArrayListMultimap.create();
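Review bot: The five added lines are indented with spaces while the surrounding lines of this method use the file's deeper (tab-style) indentation, so the block reads as misaligned in the source; re-indent them to match `final DocumentBuilderFactory docFactory` above. Since `disallow-doctype-decl` is set to true, the two SAX external-entity features appear to be redundant (no DOCTYPE means no entity declarations can be parsed), which is worth a one-line comment such as `// disallow-doctype-decl is the XXE control; remaining settings are defence in depth` so a reader does not remove either half thinking the other suffices. The enclosing method starts before and continues past this hunk.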