[ https://issues.apache.org/jira/browse/NIFI-4125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16067783#comment-16067783 ]

ASF GitHub Bot commented on NIFI-4125:
--------------------------------------

Github user yuri1969 commented on the issue:

    https://github.com/apache/nifi/pull/1946
  
    The `transformXml` uses the Saxon HE implementation of an XSLT Processor. So Saxon implements the features.
    
    - `FEATURE_SECURE_PROCESSING` is an XSLT Processor feature that restricts XSLT functionality like `system-property()` to access Java system properties, using relative URIs in `xsl:result-document`, etc. So it should mitigate some threats coming from using non-trusted XSLTs.
    
    - both `http://xml.org/sax/features/external` are XML Parser features that restrict using `<!ENTITY` of `<!DOCTYPE` in an XML file. An attacker can use entities to obtain access to your FS.
    
    For example a malicious non-trusted input XML:
    ```
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE foo [
            <!ELEMENT foo ANY >
            <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
    <foo>&xxe;</foo>
    ```
    Then an XSLT output containing element `foo` leaks the content of your /etc/passwd file.
    
    - Billion laughs/LOL bomb/Entity expansion DoS is truly secured by JRE default as you showed. So no need for a feature here.


> Add basic security settings to TransformXml
> -------------------------------------------
>
>                 Key: NIFI-4125
>                 URL: https://issues.apache.org/jira/browse/NIFI-4125
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.3.0
>            Reporter: Yuri
>            Priority: Minor
>              Labels: newbie, security, xslt
>
> Since data flows can generally deal with non-trusted data, the processors 
> should handle it in a secure manner.
> In case of XML there are various known vulnerabilities - 
> [OWASP|https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing].
>  Some can be mitigated via XML parser/XSLT Processor features.
> The TransformXml processor should have a setting enabling these secure 
> settings.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
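
Added example (not part of the original comment or of the NiFi code base): the parser and processor features described in the comment above, applied through plain JAXP with the JDK's built-in identity transformer rather than Saxon HE. It assumes the two SAX features meant are `external-general-entities` and `external-parameter-entities`, points the entity at a constructed temp file instead of /etc/passwd, and uses a hypothetical class name `XxeFeatureDemo`.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class XxeFeatureDemo {
    // Runs an identity transform over xml. With hardened=true the parser and
    // processor features from the comment are set before any input is read.
    static String transform(String xml, boolean hardened) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        TransformerFactory tf = TransformerFactory.newInstance();
        if (hardened) {
            // XML parser features (assumed names): do not load external entities.
            reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
            reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            // XSLT processor feature: restrict what a stylesheet may do.
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        }
        StringWriter out = new StringWriter();
        tf.newTransformer().transform(
            new SAXSource(reader, new InputSource(new StringReader(xml))),
            new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "CONSTRUCTED-SECRET");
        String xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
            + "<!DOCTYPE foo [ <!ELEMENT foo ANY >\n"
            + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\" >]>\n"
            + "<foo>&xxe;</foo>";
        try {
            System.out.println("default leaks:  " + transform(xml, false).contains("CONSTRUCTED-SECRET"));
            System.out.println("hardened leaks: " + transform(xml, true).contains("CONSTRUCTED-SECRET"));
        } finally {
            Files.delete(secret);
        }
    }
}
```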
