[ https://issues.apache.org/jira/browse/NIFI-4125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16065731#comment-16065731 ]

ASF GitHub Bot commented on NIFI-4125:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1946#discussion_r124429931
  
    --- Diff: 
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/TransformXml.java
 ---
    @@ -98,6 +99,16 @@
                 .addValidator(StandardValidators.BOOLEAN_VALIDATOR)
                 .build();
     
    +    public static final PropertyDescriptor SECURE_PROCESSING = new 
PropertyDescriptor.Builder()
    +            .name("secure-processing")
    +            .displayName("Secure processing")
    +            .description("Whether or not to mitigate various XML-related 
attacks like XXE (XML External Entity) attacks.")
    +            .required(true)
    +            .defaultValue("false")
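    Review bot: `.defaultValue("false")` ships the XXE mitigation switched off, so every new TransformXml instance keeps resolving external entities and external stylesheets unless the flow author knows to flip the property; given that NIFI-4125 exists because flows process untrusted XML, make the default `"true"` and document the change in the processor docs and the release/migration notes, so that the rare flow which depends on external entities or `xsl:import`/`document()` fetches can set it to `false` deliberately. The visible part of the descriptor ends at `.defaultValue`, so I cannot see whether it carries `.allowableValues("true", "false")` or a `StandardValidators.BOOLEAN_VALIDATOR` like the property directly above it; it should, otherwise an arbitrary string is accepted and silently treated as not-true.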
    --- End diff --
    
    No worries, I found those comments in the email thread but for some reason 
they did not show for me in the GitHub UI. I understand the desire for backward 
compatibility but this is a security fix, so as long as it is well-documented 
in the processor and the release notes/migration notes for the release that 
contains this, I think `true` is a safe choice. 


> Add basic security settings to TransformXml
> -------------------------------------------
>
>                 Key: NIFI-4125
>                 URL: https://issues.apache.org/jira/browse/NIFI-4125
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.3.0
>            Reporter: Yuri
>            Priority: Minor
>              Labels: newbie, security, xslt
>
> Since data flows can generally deal with non-trusted data, the processors 
> should handle it in a secure manner.
> In case of XML there are various known vulnerabilities - 
> [OWASP|https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing].
>  Some can be mitigated via XML parser/XSLT Processor features.
> The TransformXml processor should have a setting enabling these secure 
> settings.
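The mitigation the issue description refers to (enabling the XML parser's and XSLT processor's secure-processing features), shown as an added example that is not part of the NiFi issue, the pull request, or the TransformXml code: a self-contained Java program that runs one stylesheet over an XML document carrying an external entity, once with a plain `TransformerFactory` and once with `FEATURE_SECURE_PROCESSING` plus the `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_STYLESHEET` attributes set. The class and method names, the temporary "secret" file, the probe document and the stylesheet are constructed for the demo. It assumes the JDK's built-in JAXP implementation; under that assumption the hardened run is expected to fail with a `TransformerException` instead of disclosing the file, while the unhardened run copies the file content into the output. Third-party factories may reject the two attributes with an `IllegalArgumentException`.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/** Demo only (not NiFi code): XXE through XSLT with and without secure processing. */
public class SecureProcessingDemo {

    // Constructed stylesheet: copies the text content of <doc> to a text output.
    static final String XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
        + "<xsl:output method=\"text\"/>"
        + "<xsl:template match=\"/\"><xsl:value-of select=\"/doc\"/></xsl:template>"
        + "</xsl:stylesheet>";

    // Constructed XXE probe: an external general entity that resolves to a local file URI.
    static String xxeDocument(String fileUri) {
        return "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"" + fileUri + "\"> ]>"
            + "<doc>&ext;</doc>";
    }

    /** Stand-in for a "secure processing" switch: hardened factory when true, default factory when false. */
    static TransformerFactory newFactory(boolean secureProcessing) throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        if (secureProcessing) {
            // Implementation-wide secure mode (entity expansion limits, restricted extension functions).
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Empty string = no protocol allowed for external DTDs/entities in the source document ...
            // (assumption: JDK JAXP honours these attributes; other factories may throw IllegalArgumentException)
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            // ... and for xsl:import / xsl:include / document() fetches made by the stylesheet.
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        }
        return factory;
    }

    /** Applies XSLT to the given XML; propagates the parser/transformer error when access is denied. */
    static String transform(boolean secureProcessing, String xml) throws TransformerException {
        Transformer transformer = newFactory(secureProcessing)
            .newTransformer(new StreamSource(new StringReader(XSLT)));
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a file the processor must never disclose; constructed for the demo.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET".getBytes(StandardCharsets.UTF_8));
        String xml = xxeDocument(secret.toUri().toString());
        try {
            for (boolean secure : new boolean[] {false, true}) {
                try {
                    System.out.println("secure-processing=" + secure + " -> output: "
                        + transform(secure, xml).trim());
                } catch (TransformerException e) {
                    System.out.println("secure-processing=" + secure + " -> rejected: " + e.getMessage());
                }
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run it with a plain JDK (`javac SecureProcessingDemo.java && java SecureProcessingDemo`). Setting `FEATURE_SECURE_PROCESSING` alone already makes the JDK factory restrict external access, but setting the two `ACCESS_EXTERNAL_*` attributes explicitly keeps the policy independent of `jaxp.properties` or system-property overrides on the host.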



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
