BUG-2511 Fix XXE vulnerability in initial config loaders
[controller.git] / opendaylight / config / config-persister-feature-adapter / src / main / java / org / opendaylight / controller / configpusherfeature / internal / FeatureConfigSnapshotHolder.java
index d1a92ebe7f72ac0785268af77104d5bebb1c6fb8..518716cfa75b2043b189970719fd80fc8442701a 100644 (file)
@@ -7,27 +7,28 @@
  */
 package org.opendaylight.controller.configpusherfeature.internal;
 
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.Iterables;
+import com.google.common.collect.Lists;
 import java.io.File;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.SortedSet;
-
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.Unmarshaller;
-
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.transform.stream.StreamSource;
 import org.apache.karaf.features.ConfigFileInfo;
 import org.apache.karaf.features.Feature;
 import org.opendaylight.controller.config.persist.api.ConfigSnapshotHolder;
 import org.opendaylight.controller.config.persist.storage.file.xml.model.ConfigSnapshot;
 
-import com.google.common.base.Preconditions;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Iterables;
-import com.google.common.collect.Lists;
-
 /*
  * A ConfigSnapshotHolder that can track all the additional information
  * relavent to the fact we are getting these from a Feature.
@@ -62,10 +63,18 @@ public class FeatureConfigSnapshotHolder implements ConfigSnapshotHolder {
         Preconditions.checkNotNull(feature);
         this.fileInfo = fileInfo;
         this.featureChain.add(feature);
+        // TODO extract utility method for umarshalling config snapshots
         JAXBContext jaxbContext = JAXBContext.newInstance(ConfigSnapshot.class);
         Unmarshaller um = jaxbContext.createUnmarshaller();
-        File file = new File(fileInfo.getFinalname());
-        unmarshalled = ((ConfigSnapshot) um.unmarshal(file));
+        XMLInputFactory xif = XMLInputFactory.newFactory();
+        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+        try {
+            XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource(new File(fileInfo.getFinalname())));
+            unmarshalled = ((ConfigSnapshot) um.unmarshal(xsr));
+        } catch (final XMLStreamException e) {
+            throw new JAXBException(e);
+        }
     }
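Review bot: The XMLStreamReader created at line 53 is never closed, so each snapshot load leaks the parser state and, depending on how the StAX implementation treats a File-backed StreamSource, possibly the underlying file handle as well; the unmarshal call should be wrapped so `xsr.close()` runs in a `finally`. Whether `close()` releases the file stream is implementation-defined for a source the factory opened itself, so if that cannot be relied on, opening the `FileInputStream` explicitly and closing it alongside the reader is the safer shape. The entity and DTD hardening on lines 50–51 is the right fix for the reported issue and is unaffected by this change. The enclosing constructor starts outside the hunk.
```java
// … unchanged: JAXB context and XMLInputFactory hardening …
try {
    final XMLStreamReader xsr = xif.createXMLStreamReader(
            new StreamSource(new File(fileInfo.getFinalname())));
    try {
        unmarshalled = ((ConfigSnapshot) um.unmarshal(xsr));
    } finally {
        // release parser resources; reader is not closed by unmarshal()
        xsr.close();
    }
} catch (final XMLStreamException e) {
    throw new JAXBException(e);
}
```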
     /*
      * (non-Javadoc)
@@ -106,16 +115,15 @@ public class FeatureConfigSnapshotHolder implements ConfigSnapshotHolder {
 
     @Override
     public String toString() {
-       StringBuilder b = new StringBuilder();
-       Path p = Paths.get(fileInfo.getFinalname());
-       b.append(p.getFileName())
-           .append("(")
-           .append(getCauseFeature())
-           .append(",")
-           .append(getFeature())
-           .append(")");
-       return b.toString();
-
+        StringBuilder b = new StringBuilder();
+        Path p = Paths.get(fileInfo.getFinalname());
+        b.append(p.getFileName())
+            .append("(")
+            .append(getCauseFeature())
+            .append(",")
+            .append(getFeature())
+            .append(")");
+        return b.toString();
     }
 
     @Override