Fixing XXE attacks through NETCONF Alarms

Change-Id: I3426ebfe4ede9e4a13f753be6ba2b73e3db70876
diff --git a/providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java b/providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java
index 10c653c..a614635 100644
--- a/providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java
+++ b/providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java
@@ -56,6 +56,11 @@
     private final Logger log = getLogger(getClass());
     private static final String EVENTTIME_TAGNAME = "eventTime";
 
+    private static final String DISALLOW_DTD_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+
+    private static final String DISALLOW_EXTERNAL_DTD =
+            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
     @Override
     public Collection<Alarm> translateToAlarm(DeviceId deviceId, InputStream message) {
         try {
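Review bot: The constant `DISALLOW_EXTERNAL_DTD` holds the Xerces feature `nonvalidating/load-external-dtd`, whose positive sense is "load", so the name says the opposite of what a `true` value does and makes the two constants look interchangeable when they need opposite values. Naming it after the feature, `LOAD_EXTERNAL_DTD_FEATURE`, and stating the intended value next to it would prevent that: `// must be set to false; true (the Xerces default) fetches external DTDs over the network`. The `translateToAlarm` method whose header closes this hunk continues outside it.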
@@ -93,10 +98,25 @@
     private Document createDocFromMessage(InputStream message)
             throws SAXException, IOException, ParserConfigurationException {
         DocumentBuilderFactory dbfactory = DocumentBuilderFactory.newInstance();
+        //Disabling DTDs in order to avoid XXE xml-based attacks.
+        disableFeature(dbfactory, DISALLOW_DTD_FEATURE);
+        disableFeature(dbfactory, DISALLOW_EXTERNAL_DTD);
+        dbfactory.setXIncludeAware(false);
+        dbfactory.setExpandEntityReferences(false);
         DocumentBuilder builder = dbfactory.newDocumentBuilder();
         return builder.parse(new InputSource(message));
     }
 
+    private void disableFeature(DocumentBuilderFactory dbfactory, String feature) {
+        try {
+            dbfactory.setFeature(feature, true);
+        } catch (ParserConfigurationException e) {
+            // This should catch a failed setFeature feature
+            log.info("ParserConfigurationException was thrown. The feature '" +
+                    feature + "' is probably not supported by your XML processor.");
+        }
+    }
+
     private long parseDate(String timeStr)
             throws UnsupportedOperationException, IllegalArgumentException {
         return DateTimeFormatter.ISO_DATE_TIME.parse(timeStr, Instant::from).getEpochSecond();
@@ -111,4 +131,4 @@
         transformer.transform(source, new StreamResult(writer));
         return writer.getBuffer().toString();
     }
-}
+}
\ No newline at end of file