alopresto commented on a change in pull request #3507: NIFI-6301 - Added a SafeXMLConfiguration which disables XML DTDs whic…
URL: https://github.com/apache/nifi/pull/3507#discussion_r289202083
 
 

 ##########
 File path: 
nifi-nar-bundles/nifi-standard-services/nifi-lookup-services-bundle/nifi-lookup-services/src/test/java/org/apache/nifi/lookup/TestXMLFileLookupService.java
 ##########
 @@ -63,4 +63,23 @@ public void testXMLFileLookupService() throws 
InitializationException, LookupFai
         assertEquals(EMPTY_STRING, property4);
     }
 
+    @Test
+    public void testXXEProtection() throws InitializationException {
+
+        // Arrange
+        final TestRunner runner = 
TestRunners.newTestRunner(TestProcessor.class);
+        final XMLFileLookupService service = new XMLFileLookupService();
+        runner.addControllerService("xml-file-lookup-service", service);
+        runner.setProperty(service, XMLFileLookupService.CONFIGURATION_FILE, 
"src/test/resources/test-xxe.xml");
+
+        try {
+            // Act
+            // Service will fail to enable because test-xxe.xml contains a DTD
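Review bot: the comment on the last line of this hunk says the service will fail to enable, but nothing visible here asserts on that failure, and the review thread reports that a running instance still shows the service as enabled after the @OnEnabled exception; the test should pin down what it actually guarantees, e.g. assert that enabling the service throws and that the cause message mentions the external entity, rather than relying on a bare try block. Also, `runner.setProperty(service, XMLFileLookupService.CONFIGURATION_FILE, "src/test/resources/test-xxe.xml")` resolves the path against the working directory; loading the resource via the classpath would keep the test stable when run from the repository root.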
 
 Review comment:
   When I run the actual NiFi instance, the service _is_ enabled. There is a 
bulletin shown, and a stacktrace in the error log, but the service is enabled. 
   
   ![Screen Shot 2019-05-30 at 2 57 56 PM](https://user-images.githubusercontent.com/798465/58670063-b6ad0680-82f2-11e9-81e2-6af11a8c85d5.png)
   
   ```
   2019-05-30 14:59:20,528 ERROR [Timer-Driven Process Thread-9] o.a.n.c.s.StandardControllerServiceNode StandardControllerServiceNode{controllerServiceHolder=org.apache.nifi:nifi-lookup-services-nar:1.10.0-SNAPSHOT, versionedComponentId=null, comment='', processGroup=StandardProcessGroup[identifier=0abd5fbf-016b-1000-00a7-2df537bcba2a], active=true} Failed to invoke @OnEnabled method due to org.apache.nifi.reporting.InitializationException: org.apache.commons.configuration2.ex.ConfigurationException: XML configuration file contained an external entity. To prevent XXE vulnerabilities, NiFi has external entity processing disabled.: {}
   org.apache.nifi.reporting.InitializationException: org.apache.commons.configuration2.ex.ConfigurationException: XML configuration file contained an external entity. To prevent XXE vulnerabilities, NiFi has external entity processing disabled.
       at org.apache.nifi.lookup.configuration2.CommonsConfigurationLookupService.onEnabled(CommonsConfigurationLookupService.java:121)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:498)
       at org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:142)
       at org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:130)
       at org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:75)
       at org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:52)
       at org.apache.nifi.controller.service.StandardControllerServiceNode$2.run(StandardControllerServiceNode.java:435)
       at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
       at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
       at java.util.concurrent.FutureTask.run(FutureTask.java:266)
       at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
       at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
       at java.lang.Thread.run(Thread.java:748)
   Caused by: org.apache.commons.configuration2.ex.ConfigurationException: XML configuration file contained an external entity. To prevent XXE vulnerabilities, NiFi has external entity processing disabled.
       at org.apache.nifi.security.xml.SafeXMLConfiguration.delegateRead(SafeXMLConfiguration.java:139)
       at org.apache.nifi.security.xml.SafeXMLConfiguration.read(SafeXMLConfiguration.java:128)
       at org.apache.commons.configuration2.io.FileHandler.loadFromStreamDirectly(FileHandler.java:1080)
       at org.apache.commons.configuration2.io.FileHandler.loadFromStream(FileHandler.java:1055)
       at org.apache.commons.configuration2.io.FileHandler.load(FileHandler.java:990)
       at org.apache.commons.configuration2.io.FileHandler.load(FileHandler.java:973)
       at org.apache.commons.configuration2.io.FileHandler.load(FileHandler.java:702)
       at org.apache.commons.configuration2.builder.FileBasedConfigurationBuilder.initFileHandler(FileBasedConfigurationBuilder.java:312)
       at org.apache.commons.configuration2.builder.ReloadingFileBasedConfigurationBuilder.initFileHandler(ReloadingFileBasedConfigurationBuilder.java:185)
       at org.apache.commons.configuration2.builder.FileBasedConfigurationBuilder.initResultInstance(FileBasedConfigurationBuilder.java:291)
       at org.apache.commons.configuration2.builder.FileBasedConfigurationBuilder.initResultInstance(FileBasedConfigurationBuilder.java:60)
       at org.apache.commons.configuration2.builder.BasicConfigurationBuilder.createResult(BasicConfigurationBuilder.java:421)
       at org.apache.commons.configuration2.builder.BasicConfigurationBuilder.getConfiguration(BasicConfigurationBuilder.java:285)
       at org.apache.nifi.lookup.configuration2.CommonsConfigurationLookupService.onEnabled(CommonsConfigurationLookupService.java:119)
       ... 17 common frames omitted
   Caused by: org.apache.commons.configuration2.ex.ConfigurationException: Error parsing file:/Users/alopresto/Workspace/nifi/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/resources/xxe_from_report.xml
       at org.apache.commons.configuration2.XMLConfiguration.load(XMLConfiguration.java:1030)
       at org.apache.commons.configuration2.XMLConfiguration.read(XMLConfiguration.java:996)
       at org.apache.nifi.security.xml.SafeXMLConfiguration.lambda$read$1(SafeXMLConfiguration.java:129)
       at org.apache.nifi.security.xml.SafeXMLConfiguration.delegateRead(SafeXMLConfiguration.java:135)
       ... 30 common frames omitted
   Caused by: org.xml.sax.SAXParseException: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
       at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:257)
       at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:339)
       at org.apache.commons.configuration2.XMLConfiguration.load(XMLConfiguration.java:1023)
       ... 33 common frames omitted
   2019-05-30 14:59:20,529 ERROR [Timer-Driven Process Thread-9] o.a.n.c.s.StandardControllerServiceNode Failed to invoke @OnEnabled method of XMLFileLookupService[id=0abec592-016b-1000-192b-309d4b845a7b] due to org.apache.nifi.reporting.InitializationException: org.apache.commons.configuration2.ex.ConfigurationException: XML configuration file contained an external entity. To prevent XXE vulnerabilities, NiFi has external entity processing disabled.
   ```
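The innermost cause in the trace above is the Xerces `disallow-doctype-decl` feature refusing the DTD before any entity is resolved. As an added illustration that is not code from this pull request or from NiFi's SafeXMLConfiguration, the following standalone JAXP parser is configured with the same feature and fed two constructed documents, one without and one with a DOCTYPE; the class name, the `hardenedBuilder` and `parses` helpers and the sample strings are all assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class DoctypeRejectionDemo {

    // Constructed sample: a plain document with no DTD, which the hardened parser accepts.
    private static final String PLAIN_XML =
            "<?xml version=\"1.0\"?><configuration><key>value</key></configuration>";

    // Constructed sample: the same document preceded by a DOCTYPE that declares an
    // internal entity. With disallow-doctype-decl the parser rejects the declaration
    // itself, so the question of resolving the entity never arises.
    private static final String DOCTYPE_XML =
            "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE configuration [<!ENTITY greeting \"hello\">]>"
            + "<configuration><key>&greeting;</key></configuration>";

    /** Builds a DocumentBuilder that refuses any DOCTYPE declaration (hypothetical helper). */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // The feature named in the SAXParseException on this page: a DTD is a fatal error.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour the SAX entity features but not the one above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /** Returns true when the hardened parser accepts the document, false when it rejects a DOCTYPE. */
    static boolean parses(final String xml) throws Exception {
        final DocumentBuilder builder = hardenedBuilder();
        try {
            final Document doc = builder.parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (final SAXParseException e) {
            // For DOCTYPE_XML this carries the same "DOCTYPE is disallowed" message seen in the trace.
            System.out.println("Rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(final String[] args) throws Exception {
        System.out.println("plain document accepted:   " + parses(PLAIN_XML));
        System.out.println("DOCTYPE document accepted: " + parses(DOCTYPE_XML));
    }
}
```

The rejection happens inside the parser, which is as far as a SafeXMLConfiguration-style wrapper can reach; whether a component that throws from `@OnEnabled` is then reported as enabled, as the review comment above observes, is a lifecycle question for the framework that calls the parser, not for the parser configuration.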
