From d6c76c07e016ef7dd3bf26ea945f1a3c736de412 Mon Sep 17 00:00:00 2001 From: guangxingwang Date: Thu, 22 Feb 2018 15:13:17 -0600 Subject: [PATCH] Fix Fortify Issue - External Entity Injection Fix Fortify Issue by setting secure process of factory as true Issue-ID: POLICY-551 Change-Id: I46890d2664d0ae9ed9540ba830d0f4b27136a6e9 Signed-off-by: guangxingwang --- .../src/main/java/org/onap/policy/utils/PolicyUtils.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/PolicyEngineUtils/src/main/java/org/onap/policy/utils/PolicyUtils.java b/PolicyEngineUtils/src/main/java/org/onap/policy/utils/PolicyUtils.java index 0f38232e1..e17ddc681 100644 --- a/PolicyEngineUtils/src/main/java/org/onap/policy/utils/PolicyUtils.java +++ b/PolicyEngineUtils/src/main/java/org/onap/policy/utils/PolicyUtils.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * PolicyEngineUtils * ================================================================================ - * Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -31,6 +31,7 @@ import java.util.StringTokenizer; import java.util.regex.Matcher; import java.util.regex.Pattern; +import javax.xml.XMLConstants; import javax.xml.parsers.SAXParser; import javax.xml.parsers.SAXParserFactory; @@ -284,7 +285,9 @@ public class PolicyUtils { SAXParserFactory factory = SAXParserFactory.newInstance(); factory.setValidating(false); factory.setNamespaceAware(true); - try { + + try { + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); SAXParser parser = factory.newSAXParser(); XMLReader reader = parser.getXMLReader(); reader.setErrorHandler(new XMLErrorHandler()); -- 2.16.6