[
https://issues.apache.org/jira/browse/NIFI-4125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16063765#comment-16063765
]
ASF GitHub Bot commented on NIFI-4125:
--------------------------------------
Github user mattyb149 commented on a diff in the pull request:
https://github.com/apache/nifi/pull/1946#discussion_r124117608
--- Diff:
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/TransformXml.java
---
@@ -98,6 +99,16 @@
.addValidator(StandardValidators.BOOLEAN_VALIDATOR)
.build();
+ public static final PropertyDescriptor SECURE_PROCESSING = new
PropertyDescriptor.Builder()
+ .name("secure-processing")
+ .displayName("Secure processing")
+ .description("Whether or not to mitigate various XML-related
attacks like XXE (XML External Entity) attacks.")
+ .required(true)
+ .defaultValue("true")
--- End diff --
I'm not sure if there's an official backwards-compatibility policy, but I
think to be safe, when adding new (optional) functionality via a processor
property, the default value should match the existing behavior (in this case
false).
> Add basic security settings to TransformXml
> -------------------------------------------
>
> Key: NIFI-4125
> URL: https://issues.apache.org/jira/browse/NIFI-4125
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.3.0
> Reporter: Yuri
> Priority: Minor
> Labels: newbie, security, xslt
>
> Since data flows can generally deal with non-trusted data, the processors
> should handle it in a secure manner.
> In case of XML there are various known vulnerabilities -
> [OWASP|https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing].
> Some can be mitigated via XML parser/XSLT Processor features.
> The TransformXml processor should have a setting enabling these secure
> settings.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
