Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/1946
Upon testing this feature, I'm not sure it's necessary. Java SE 5+ has a
[restriction on entity expansion to 64,000 elements enabled by
default](https://docs.oracle.com/javase/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html#JAXP_security)
([more information from Blaise Doughan
here](http://blog.bdoughan.com/2011/03/preventing-entity-expansion-attacks-in.html)),
so if I try to ingest the following XXE file, I get an appropriate error
response:
```xml
<!DOCTYPE foo [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;" >
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;" >
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;" >
<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;" >
<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;" >
<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;" >
<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;" >
<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;&h;&h;" >
<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;&i;&i;" >
]>
<foo>&j;</foo>
```
Error when trying to view flowfile content in "formatted" view (current
master):
```
2017-06-28 15:02:40,226 ERROR [NiFi Web Server-18] o.a.nifi.web.ContentViewerController Unable to generate view of data: Unable to transform content as XML: net.sf.saxon.trans.XPathException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; JAXP00010001: The parser has encountered more than "64000" entity expansions in this document; this is the limit imposed by the JDK.
```
When routed to a `TransformXML` processor, I get an identical stacktrace in
all three of the following scenarios:
1. Current master
2. This patch applied with "Secure processing" `false`
3. This patch applied with "Secure processing" `true`
Stacktrace:
```
2017-06-28 15:04:49,456 ERROR [Timer-Driven Process Thread-9]
o.a.n.processors.standard.TransformXml
TransformXml[id=efe47d1c-015c-1000-7bae-719994808e8a] Unable to transform
StandardFlowFileRecord[uuid=9f91546e-f7b4-4113-97fa-6abb1006b8c9,claim=StandardContentClaim
[resourceClaim=StandardResourceClaim[id=1498687343214-1, container=default,
section=1], offset=485, length=485],offset=0,name=xxe.xml,size=485] due to
org.apache.nifi.processor.exception.ProcessException: IOException thrown from
TransformXml[id=efe47d1c-015c-1000-7bae-719994808e8a]: java.io.IOException:
net.sf.saxon.trans.XPathException: org.xml.sax.SAXParseException; lineNumber:
1; columnNumber: 1; JAXP00010001: The parser has encountered more than "64000"
entity expansions in this document; this is the limit imposed by the JDK.: {}
org.apache.nifi.processor.exception.ProcessException: IOException thrown
from TransformXml[id=efe47d1c-015c-1000-7bae-719994808e8a]:
java.io.IOException: net.sf.saxon.trans.XPathException:
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; JAXP00010001:
The parser has encountered more than "64000" entity expansions in this
document; this is the limit imposed by the JDK.
at
org.apache.nifi.controller.repository.StandardProcessSession.write(StandardProcessSession.java:2806)
at
org.apache.nifi.processors.standard.TransformXml.onTrigger(TransformXml.java:234)
at
org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
at
org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1120)
at
org.apache.nifi.controller.tasks.ContinuallyRunProcessorTask.call(ContinuallyRunProcessorTask.java:147)
at
org.apache.nifi.controller.tasks.ContinuallyRunProcessorTask.call(ContinuallyRunProcessorTask.java:47)
at
org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:132)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
at
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
at
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: net.sf.saxon.trans.XPathException:
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; JAXP00010001:
The parser has encountered more than "64000" entity expansions in this
document; this is the limit imposed by the JDK.
at
org.apache.nifi.processors.standard.TransformXml$2.process(TransformXml.java:261)
at
org.apache.nifi.controller.repository.StandardProcessSession.write(StandardProcessSession.java:2785)
... 13 common frames omitted
Caused by: net.sf.saxon.trans.XPathException:
org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; JAXP00010001:
The parser has encountered more than "64000" entity expansions in this
document; this is the limit imposed by the JDK.
at net.sf.saxon.event.Sender.sendSAXSource(Sender.java:460)
at net.sf.saxon.event.Sender.send(Sender.java:171)
at net.sf.saxon.Controller.transform(Controller.java:1692)
at
net.sf.saxon.s9api.XsltTransformer.transform(XsltTransformer.java:547)
at net.sf.saxon.jaxp.TransformerImpl.transform(TransformerImpl.java:179)
at
org.apache.nifi.processors.standard.TransformXml$2.process(TransformXml.java:259)
... 14 common frames omitted
Caused by: org.xml.sax.SAXParseException: JAXP00010001: The parser has
encountered more than "64000" entity expansions in this document; this is the
limit imposed by the JDK.
at
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203)
at
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:177)
at
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:400)
at
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:327)
at
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:284)
at
com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startEntity(XMLEntityManager.java:1317)
at
com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startEntity(XMLEntityManager.java:1241)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEntityReference(XMLDocumentFragmentScannerImpl.java:1902)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:3058)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
at
com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:118)
at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:504)
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
at
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
at
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
at net.sf.saxon.event.Sender.sendSAXSource(Sender.java:440)
... 19 common frames omitted
```
If this protection is enabled by the JRE, and disabling "Secure processing"
doesn't affect it, what does this feature provide?
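As an added example (not part of alopresto's comment and not NiFi code), the following stand-alone Java program feeds the same ten-level entity document to the JDK's bundled SAX parser under the configurations the comment compares: JDK defaults, secure processing explicitly off, secure processing explicitly on, and then two settings the comment does not try: an explicitly lowered limit via the JAXP `entityExpansionLimit` property, and DOCTYPE declarations disallowed altogether. The class and method names are my own; the property and feature URIs are the ones the JDK's built-in Xerces implements.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example: exercises the JDK entity-expansion limit under different parser settings. */
public class EntityExpansionCheck {

    // JAXP property and Xerces feature URIs supported by the JDK's bundled parser.
    static final String ENTITY_EXPANSION_LIMIT =
            "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";
    static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    /**
     * Builds the same document as in the comment above: entity a is ten characters and
     * each of b..j expands to ten copies of the previous one, so &j; is 10^10 characters.
     */
    static String expansionBomb() {
        StringBuilder sb = new StringBuilder("<!DOCTYPE foo [\n<!ENTITY a \"1234567890\" >\n");
        for (char name = 'b'; name <= 'j'; name++) {
            char previous = (char) (name - 1);
            sb.append("<!ENTITY ").append(name).append(" \"");
            for (int i = 0; i < 10; i++) {
                sb.append('&').append(previous).append(';');
            }
            sb.append("\" >\n");
        }
        return sb.append("]>\n<foo>&j;</foo>").toString();
    }

    /**
     * Parses xml with the given settings and reports the outcome instead of throwing.
     * secureProcessing == null leaves the factory untouched; expansionLimit == null keeps
     * the JDK default of 64,000 expansions.
     */
    static String parse(String xml, Boolean secureProcessing, Integer expansionLimit,
                        boolean disallowDoctype) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        if (secureProcessing != null) {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
        }
        if (disallowDoctype) {
            // Reject the DTD itself, so no entity (internal or external) is ever declared.
            factory.setFeature(DISALLOW_DOCTYPE, true);
        }
        SAXParser parser = factory.newSAXParser();
        if (expansionLimit != null) {
            // Overrides the 64,000 default; 0 would mean "no limit" and on this input
            // would try to materialise 10^10 characters, so it is deliberately not used here.
            parser.setProperty(ENTITY_EXPANSION_LIMIT, expansionLimit);
        }
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            parser.parse(in, new DefaultHandler());
            return "parsed";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String bomb = expansionBomb();
        System.out.println("JDK defaults          : " + parse(bomb, null, null, false));
        System.out.println("secure processing off : " + parse(bomb, false, null, false));
        System.out.println("secure processing on  : " + parse(bomb, true, null, false));
        System.out.println("limit lowered to 1000 : " + parse(bomb, null, 1000, false));
        System.out.println("DOCTYPE disallowed    : " + parse(bomb, null, null, true));
    }
}
```

Run with `javac EntityExpansionCheck.java && java EntityExpansionCheck`. On a JDK that ships the limits described in the linked Oracle page, the first three runs are rejected with the same 64,000-expansion message whether the secure-processing feature is left alone, set to false or set to true, which is the behaviour the comment observes in NiFi; the fourth is rejected as soon as the lowered limit is crossed; the fifth is rejected at the DOCTYPE before any entity is declared. The expansion limit only bounds how many times entities may be expanded, so disallowing the DOCTYPE is the setting to reach for when a processor should accept no entity declarations at all.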