Code Review / controller.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
BUG-2511 Fix XXE vulnerability in Netconf
[controller.git] / opendaylight / netconf / netconf-api / src / main / java / org / opendaylight / controller / netconf / api / NetconfDocumentedException.java
diff --git a/opendaylight/netconf/netconf-api/src/main/java/org/opendaylight/controller/netconf/api/NetconfDocumentedException.java b/opendaylight/netconf/netconf-api/src/main/java/org/opendaylight/controller/netconf/api/NetconfDocumentedException.java
index 0c365b9d30ebcb5463440404b0c9d10a3a015d5c..e1e932b55a31e709a5618dc23818cc848d07e088 100644 (file)
--- a/opendaylight/netconf/netconf-api/src/main/java/org/opendaylight/controller/netconf/api/NetconfDocumentedException.java
+++ b/opendaylight/netconf/netconf-api/src/main/java/org/opendaylight/controller/netconf/api/NetconfDocumentedException.java
@@ -21,10 +21,8 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Map.Entry;
-
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
-
 import org.opendaylight.controller.config.api.ConflictingVersionException;
 import org.opendaylight.controller.config.api.ValidationException;
 import org.slf4j.Logger;
@@ -47,6 +45,15 @@ public class NetconfDocumentedException extends Exception {
 
     static {
         BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
+        try {
+            BUILDER_FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            BUILDER_FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            BUILDER_FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            BUILDER_FACTORY.setXIncludeAware(false);
+            BUILDER_FACTORY.setExpandEntityReferences(false);
+        } catch (ParserConfigurationException e) {
+            throw new ExceptionInInitializerError(e);
+        }
         BUILDER_FACTORY.setNamespaceAware(true);
         BUILDER_FACTORY.setCoalescing(true);
         BUILDER_FACTORY.setIgnoringElementContentWhitespace(true);
OpenDaylight controller