[jira] [Commented] (NIFI-4125) Add basic security settings to TransformXml

Mon, 26 Jun 2017 13:50:26 -0700 

    [ 
https://issues.apache.org/jira/browse/NIFI-4125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16063762#comment-16063762
 ] 

ASF GitHub Bot commented on NIFI-4125:
--------------------------------------

Github user mattyb149 commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1946#discussion_r124117425
  
    --- Diff: 
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/TransformXml.java
 ---
    @@ -166,8 +178,17 @@ protected PropertyDescriptor 
getSupportedDynamicPropertyDescriptor(final String
                     .build();
         }
     
    -    private Templates newTemplates(String path) throws 
TransformerConfigurationException {
    +    private Templates newTemplates(ProcessContext context, String path) 
throws TransformerConfigurationException {
    +        final Boolean secureProcessing = 
context.getProperty(SECURE_PROCESSING).asBoolean();
             TransformerFactory factory = TransformerFactory.newInstance();
    +
    +        if (secureProcessing) {
    +            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
true);
    +            // don't be overly DTD-unfriendly forcing 
http://apache.org/xml/features/disallow-doctype-decl
    +            
factory.setFeature("http://saxon.sf.net/feature/parserFeature?uri=http://xml.org/sax/features/external-parameter-entities";,
 false);
    --- End diff --
    
    Ouch!  Oh well, if it works it works :)


> Add basic security settings to TransformXml
> -------------------------------------------
>
>                 Key: NIFI-4125
>                 URL: https://issues.apache.org/jira/browse/NIFI-4125
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.3.0
>            Reporter: Yuri
>            Priority: Minor
>              Labels: newbie, security, xslt
>
> Since data flows can generally deal with non-trusted data, the processors 
> should handle it in a secure manner.
> In case of XML there are various known vulnerabilities - 
> [OWASP|https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing].
>  Some can be mitigated via XML parser/XSLT Processor features.
> The TransformXml processor should have a setting enabling these secure 
> settings.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to