greyp9 commented on code in PR #5962: URL: https://github.com/apache/nifi/pull/5962#discussion_r849740132
########## nifi-commons/nifi-xml-processing/src/main/java/org/apache/nifi/xml/processing/sax/StandardInputSourceParser.java: ########## @@ -0,0 +1,90 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.xml.processing.sax; + +import org.apache.nifi.xml.processing.ProcessingException; +import org.apache.nifi.xml.processing.ProcessingFeature; +import org.xml.sax.ContentHandler; +import org.xml.sax.InputSource; +import org.xml.sax.SAXException; +import org.xml.sax.XMLReader; + +import javax.xml.XMLConstants; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.parsers.SAXParser; +import javax.xml.parsers.SAXParserFactory; +import java.io.IOException; +import java.util.Objects; + +/** + * Standard implementation of Input Source Parser with secure processing enabled + */ +public class StandardInputSourceParser implements InputSourceParser { + private boolean namespaceAware; + + /** + * Set Namespace Aware status on SAXParserFactory + * + * @param namespaceAware Namespace Aware status + */ + public void setNamespaceAware(final boolean namespaceAware) { + this.namespaceAware = namespaceAware; + } + + /** + * Parse Input Source using Content Handler + * + * @param inputSource Input Source to be parsed + * @param contentHandler Content Handler used during parsing + */ + @Override + public void parse(final InputSource inputSource, final ContentHandler contentHandler) { + Objects.requireNonNull(inputSource, "InputSource required"); + Objects.requireNonNull(contentHandler, "ContentHandler required"); + + try { + parseInputSource(inputSource, contentHandler); + } catch (final ParserConfigurationException|SAXException e) { + throw new ProcessingException("Parser Configuration failed", e); Review Comment: This would encompass both the parser configuration and the parse operation. `Parser Configuration / Parse Operation failed` ########## nifi-commons/nifi-xml-processing/src/main/java/org/apache/nifi/xml/processing/parsers/StandardDocumentProvider.java: ########## @@ -0,0 +1,126 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.xml.processing.parsers; + +import org.apache.nifi.xml.processing.ProcessingException; +import org.apache.nifi.xml.processing.ProcessingFeature; +import org.w3c.dom.Document; +import org.xml.sax.ErrorHandler; +import org.xml.sax.SAXException; + +import javax.xml.XMLConstants; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.validation.Schema; +import java.io.IOException; +import java.io.InputStream; +import java.util.Objects; + +/** + * Standard implementation of Document Provider with secure processing enabled + */ +public class StandardDocumentProvider implements DocumentProvider { + private boolean namespaceAware; + + private Schema schema; + + private ErrorHandler errorHandler; + + /** + * Set Error Handler + * + * @param errorHandler Error Handler + */ + public void setErrorHandler(final ErrorHandler errorHandler) { + this.errorHandler = errorHandler; + } + + /** + * Set Namespace Aware status on DocumentBuilderFactory + * + * @param namespaceAware Namespace Awareness + */ + public void setNamespaceAware(final boolean namespaceAware) { + this.namespaceAware = namespaceAware; + } + + /** + * Set Namespace Aware status on DocumentBuilderFactory + * + * @param schema Schema for validation or null to disable validation + */ + public void setSchema(final Schema schema) { + this.schema = schema; + } + + @Override + public Document newDocument() { + final DocumentBuilderFactory documentBuilderFactory = getDocumentBuilderFactory(); + + try { + documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, ProcessingFeature.SECURE_PROCESSING.isEnabled()); Review Comment: What is the benefit of defining the value here to be a lookup? ########## nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/EvaluateXPath.java: ########## @@ -137,7 +138,7 @@ public class EvaluateXPath extends AbstractProcessor { .description("Specifies whether or not the XML content should be validated against the DTD.") .required(true) .allowableValues("true", "false") - .defaultValue("true") Review Comment: Is there a little context for this change? ########## nifi-framework-api/src/main/java/org/apache/nifi/authorization/AbstractPolicyBasedAuthorizer.java: ########## @@ -427,8 +429,7 @@ private PoliciesUsersAndGroups parsePoliciesUsersAndGroups(final String fingerpr final byte[] fingerprintBytes = fingerprint.getBytes(StandardCharsets.UTF_8); try (final ByteArrayInputStream in = new ByteArrayInputStream(fingerprintBytes)) { - final DocumentBuilder docBuilder = createSafeDocumentBuilder(); - final Document document = docBuilder.parse(in); + final Document document = parseFingerprint(in); Review Comment: Why doesn't this usage use the new `StandardDocumentProvider`? ########## nifi-commons/nifi-xml-processing/src/main/java/org/apache/nifi/xml/processing/validation/StandardSchemaValidator.java: ########## @@ -0,0 +1,59 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.xml.processing.validation; + +import org.apache.nifi.xml.processing.ProcessingException; +import org.apache.nifi.xml.processing.ProcessingFeature; +import org.xml.sax.SAXException; + +import javax.xml.XMLConstants; +import javax.xml.transform.Source; +import javax.xml.validation.Schema; +import javax.xml.validation.Validator; +import java.io.IOException; +import java.util.Objects; + +/** + * Standard implementation of XML Schema Validator with secure processing enabled + */ +public class StandardSchemaValidator implements SchemaValidator { + /** + * Validate Source using Schema + * + * @param schema Schema source for Validator + * @param source Source to be validated + */ + @Override + public void validate(final Schema schema, final Source source) { Review Comment: Do we only support the specification of a single schema when validating a document? ########## nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/EvaluateXQuery.java: ########## @@ -156,7 +152,7 @@ public class EvaluateXQuery extends AbstractProcessor { .description("Specifies whether or not the XML content should be validated against the DTD.") .required(true) .allowableValues("true", "false") - .defaultValue("true") + .defaultValue("false") Review Comment: Why this change? ########## nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/EvaluateXPath.java: ########## @@ -162,10 +163,6 @@ public class EvaluateXPath extends AbstractProcessor { private final AtomicReference<XPathFactory> factoryRef = new AtomicReference<>(); - static { Review Comment: ! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
