Fixing XXE attacks through NETCONF Alarms
Change-Id: I3426ebfe4ede9e4a13f753be6ba2b73e3db70876
diff --git a/providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java b/providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java
index 10c653c..a614635 100644
--- a/providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java
+++ b/providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java
@@ -56,6 +56,11 @@
private final Logger log = getLogger(getClass());
private static final String EVENTTIME_TAGNAME = "eventTime";
+ private static final String DISALLOW_DTD_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+
+ private static final String DISALLOW_EXTERNAL_DTD =
+ "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
@Override
public Collection<Alarm> translateToAlarm(DeviceId deviceId, InputStream message) {
try {
@@ -93,10 +98,25 @@
private Document createDocFromMessage(InputStream message)
throws SAXException, IOException, ParserConfigurationException {
DocumentBuilderFactory dbfactory = DocumentBuilderFactory.newInstance();
+ //Disabling DTDs in order to avoid XXE xml-based attacks.
+ disableFeature(dbfactory, DISALLOW_DTD_FEATURE);
+ disableFeature(dbfactory, DISALLOW_EXTERNAL_DTD);
+ dbfactory.setXIncludeAware(false);
+ dbfactory.setExpandEntityReferences(false);
DocumentBuilder builder = dbfactory.newDocumentBuilder();
return builder.parse(new InputSource(message));
}
+ private void disableFeature(DocumentBuilderFactory dbfactory, String feature) {
+ try {
+ dbfactory.setFeature(feature, true);
+ } catch (ParserConfigurationException e) {
+ // This should catch a failed setFeature feature
+ log.info("ParserConfigurationException was thrown. The feature '" +
+ feature + "' is probably not supported by your XML processor.");
+ }
+ }
+
private long parseDate(String timeStr)
throws UnsupportedOperationException, IllegalArgumentException {
return DateTimeFormatter.ISO_DATE_TIME.parse(timeStr, Instant::from).getEpochSecond();
@@ -111,4 +131,4 @@
transformer.transform(source, new StreamResult(writer));
return writer.getBuffer().toString();
}
-}
+}
\ No newline at end of file