thenatog commented on a change in pull request #3507: NIFI-6301 - Added a
SafeXMLConfiguration which disables XML DTDs whic…
URL: https://github.com/apache/nifi/pull/3507#discussion_r289492067
##########
File path:
nifi-nar-bundles/nifi-standard-services/nifi-lookup-services-bundle/nifi-lookup-services/src/test/java/org/apache/nifi/lookup/TestXMLFileLookupService.java
##########
@@ -63,4 +63,23 @@ public void testXMLFileLookupService() throws
InitializationException, LookupFai
assertEquals(EMPTY_STRING, property4);
}
+ @Test
+ public void testXXEProtection() throws InitializationException {
+
+ // Arrange
+ final TestRunner runner =
TestRunners.newTestRunner(TestProcessor.class);
+ final XMLFileLookupService service = new XMLFileLookupService();
+ runner.addControllerService("xml-file-lookup-service", service);
+ runner.setProperty(service, XMLFileLookupService.CONFIGURATION_FILE,
"src/test/resources/test-xxe.xml");
+
+ try {
+ // Act
+ // Service will fail to enable because test-xxe.xml contains a DTD
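Review bot: In the `try` block of `testXXEProtection`, the expected outcome is a failure to enable the service, so the enable call needs to be followed by a `fail()` (or replaced with an expected-exception assertion); otherwise the test passes silently if the parser accepts the DTD. The catch side should also assert on the failure cause, so that a missing or unreadable `src/test/resources/test-xxe.xml` is not mistaken for DTD rejection. The inline comment says the fixture "contains a DTD" while the test name promises XXE protection; stating whether the fixture declares an external entity or only a DOCTYPE would make clear which behaviour is being pinned.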
Review comment:
It may be better to implement this check as a validator instead. I'll add an
XMLValidator which checks for XXEs.