X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?a=blobdiff_plain;f=common%2Fsrc%2Fmain%2Fjava%2Forg%2Fopendaylight%2Ftransportpce%2Fcommon%2Fconverter%2FXMLDataObjectConverter.java;h=1e18cd8aebee1d4c413fb62a86c022af8dfc831c;hb=20142c021b939f7c4386f4d53d98c87d8811b1b8;hp=5afbb407571ee08efe25fd5671a10667c375234f;hpb=e4a554e661804d03c14c9e65d8332e576af801b4;p=transportpce.git
diff --git a/common/src/main/java/org/opendaylight/transportpce/common/converter/XMLDataObjectConverter.java b/common/src/main/java/org/opendaylight/transportpce/common/converter/XMLDataObjectConverter.java
index 5afbb4075..1e18cd8ae 100644
--- a/common/src/main/java/org/opendaylight/transportpce/common/converter/XMLDataObjectConverter.java
+++ b/common/src/main/java/org/opendaylight/transportpce/common/converter/XMLDataObjectConverter.java
@@ -17,7 +17,6 @@ import java.util.Optional;
 import javax.annotation.Nonnull;
 import javax.xml.XMLConstants;
 import javax.xml.parsers.FactoryConfigurationError;
-import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLOutputFactory;
 import javax.xml.stream.XMLStreamException;
@@ -33,10 +32,11 @@ import org.opendaylight.yangtools.yang.data.api.schema.NormalizedNode;
 import org.opendaylight.yangtools.yang.data.api.schema.stream.NormalizedNodeStreamWriter;
 import org.opendaylight.yangtools.yang.data.api.schema.stream.NormalizedNodeWriter;
 import org.opendaylight.yangtools.yang.data.codec.xml.XMLStreamNormalizedNodeStreamWriter;
+import org.opendaylight.yangtools.yang.data.codec.xml.XmlCodecFactory;
 import org.opendaylight.yangtools.yang.data.codec.xml.XmlParserStream;
 import org.opendaylight.yangtools.yang.data.impl.schema.ImmutableNormalizedNodeStreamWriter;
 import org.opendaylight.yangtools.yang.data.impl.schema.NormalizedNodeResult;
-import org.opendaylight.yangtools.yang.model.api.SchemaContext;
+import org.opendaylight.yangtools.yang.model.api.EffectiveModelContext;
 import org.opendaylight.yangtools.yang.model.api.SchemaNode;
 import org.opendaylight.yangtools.yang.model.api.SchemaPath;
 import org.slf4j.Logger;
@@ -56,9 +56,12 @@ public final class XMLDataObjectConverter extends AbstractDataObjectConverter {
  * @param codecRegistry codec registry used for converting
  *
  */
- private XMLDataObjectConverter(SchemaContext schemaContext, BindingNormalizedNodeSerializer codecRegistry) {
+ private XMLDataObjectConverter(EffectiveModelContext schemaContext, BindingNormalizedNodeSerializer codecRegistry) {
  super(schemaContext, codecRegistry);
  this.xmlInputFactory = XMLInputFactory.newInstance();
+ // set external DTD and schema to null to avoid vulnerability (sonar report)
+ this.xmlInputFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ this.xmlInputFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
  }

  /**
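Review bot: The two `setProperty` calls added to the constructor only restrict external DTD and schema fetches, and they use JAXP 1.5 property names that the factory returned by `XMLInputFactory.newInstance()` is not guaranteed to accept. The factory is whichever StAX implementation the runtime resolves, and `setProperty` throws `IllegalArgumentException` for a property it does not support, which would make the constructor fail. An inline DTD with internal entity declarations is still processed with these settings. I would add the standard StAX switches as well, `this.xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);` and `this.xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);`, assuming no payload parsed here needs a DTD. The comment says the values are set to null while the code sets empty strings; `// empty string = no protocol allowed for external DTD / schema access` would match the code.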
@@ -80,7 +83,7 @@ public final class XMLDataObjectConverter extends AbstractDataObjectConverter {
  * @param codecRegistry codec registry used for converting
  * @return new {@link XMLDataObjectConverter}
  */
- public static XMLDataObjectConverter createWithSchemaContext(@Nonnull SchemaContext schemaContext,
+ public static XMLDataObjectConverter createWithSchemaContext(@Nonnull EffectiveModelContext schemaContext,
  @Nonnull BindingNormalizedNodeSerializer codecRegistry) {
  return new XMLDataObjectConverter(schemaContext, codecRegistry);
  }
@@ -98,7 +101,7 @@ public final class XMLDataObjectConverter extends AbstractDataObjectConverter {
  XMLStreamReader reader = this.xmlInputFactory.createXMLStreamReader(inputStream);
  return parseInputXML(reader);
  } catch (XMLStreamException e) {
- LOG.warn(e.getMessage(), e);
+ LOG.warn("XMLStreamException: {}", e.getMessage());
  return Optional.empty();
  }
  }
@@ -109,7 +112,7 @@ public final class XMLDataObjectConverter extends AbstractDataObjectConverter {
  XMLStreamReader reader = this.xmlInputFactory.createXMLStreamReader(inputReader);
  return parseInputXML(reader, parentSchema);
  } catch (XMLStreamException e) {
- LOG.warn(e.getMessage(), e);
+ LOG.warn("XMLStreamException: {}", e.getMessage());
  return Optional.empty();
  }
  }
@@ -127,7 +130,7 @@ public final class XMLDataObjectConverter extends AbstractDataObjectConverter {
  XMLStreamReader reader = this.xmlInputFactory.createXMLStreamReader(inputReader);
  return parseInputXML(reader);
  } catch (XMLStreamException e) {
- LOG.warn(e.getMessage(), e);
+ LOG.warn("XMLStreamException: {}", e.getMessage());
  return Optional.empty();
  }
  }
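Review bot: The new `LOG.warn("XMLStreamException: {}", e.getMessage())` in the three `catch (XMLStreamException e)` blocks (hunks @@ -98, @@ -109 and @@ -127) drops the throwable, so the stack trace and any nested cause no longer reach the log. With DTD access now restricted in the constructor, these catch blocks are where a rejected document surfaces, and the message alone may not show which parser stage refused it. Passing the exception as the last argument keeps both: `LOG.warn("XMLStreamException: {}", e.getMessage(), e);`. That would also agree with the `parseInputXML` catch changed later in this commit, which logs `e`. The enclosing methods start above each hunk.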
@@ -190,11 +193,11 @@ public final class XMLDataObjectConverter extends AbstractDataObjectConverter {
  XMLStreamReader reader, SchemaNode parentSchemaNode) {
  NormalizedNodeResult result = new NormalizedNodeResult();
  try (NormalizedNodeStreamWriter streamWriter = ImmutableNormalizedNodeStreamWriter.from(result);
- XmlParserStream xmlParser = XmlParserStream.create(streamWriter, getSchemaContext(), parentSchemaNode)) {
+ XmlParserStream xmlParser = XmlParserStream
+ .create(streamWriter, XmlCodecFactory.create(getSchemaContext()), parentSchemaNode)) {
  xmlParser.parse(reader);
- } catch (XMLStreamException | URISyntaxException | IOException | ParserConfigurationException
- | SAXException e) {
- LOG.warn("An error {} occured during parsing XML input stream", e.getMessage(), e);
+ } catch (XMLStreamException | URISyntaxException | IOException | SAXException e) {
+ LOG.warn("An error occured during parsing XML input stream", e);
  return Optional.empty();
  }
  return Optional.ofNullable(result.getResult());
@@ -233,7 +236,7 @@ public final class XMLDataObjectConverter extends AbstractDataObjectConverter {
  factory.setProperty(XMLOutputFactory.IS_REPAIRING_NAMESPACES, true);
  xmlStreamWriter = factory.createXMLStreamWriter(backingWriter);
  } catch (XMLStreamException | FactoryConfigurationError e) {
- LOG.error("Error [{}] while creating XML writer", e.getMessage(), e);
+ LOG.error("Error while creating XML writer: ", e);
  throw new IllegalStateException(e);
  }
  return xmlStreamWriter;
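Review bot: `XmlCodecFactory.create(getSchemaContext())` is now evaluated in the try-with-resources header on every call of this `parseInputXML` overload (hunk @@ -190), so a codec factory is requested for each parsed document. If `getSchemaContext()` returns the context fixed at construction (it looks that way from the constructor, but the getter is not visible in this diff), the factory could be created once and held in a `private final XmlCodecFactory` field next to `xmlInputFactory`. The log text still reads `occured`; `"An error occurred during parsing XML input stream"` fixes the spelling. The method's signature begins above the hunk and its closing brace is below it.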