alopresto commented on issue #3507: NIFI-6301 - Added a SafeXMLConfiguration which disables XML DTDs whic…
URL: https://github.com/apache/nifi/pull/3507#issuecomment-500666527

Continuing to investigate. Not sure which timer/thread is triggering the validation, but you can see from the log it continues with cached data even after the controller service is deleted.

```
2019-06-10 19:47:23,833 INFO [main] org.apache.nifi.NiFi Controller initialization took 16163440198 nanoseconds (16 seconds).
2019-06-10 19:47:57,672 INFO [NiFi Web Server-22] o.a.nifi.controller.ExtensionBuilder Created Controller Service of type org.apache.nifi.lookup.XMLFileLookupService with identifier 446f5dd4-016b-1000-32cc-80a04680722c
2019-06-10 19:47:57,985 INFO [Flow Service Tasks Thread-2] o.a.nifi.controller.StandardFlowService Saved flow controller org.apache.nifi.controller.FlowController@53e44c8 // Another save pending = false
2019-06-10 19:48:18,618 INFO [Validate Components Thread-4] o.apache.nifi.security.xml.XXEValidator Validating /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml for XXE attack
2019-06-10 19:48:18,618 WARN [Validate Components Thread-4] o.apache.nifi.security.xml.XXEValidator Detected XXE attack in /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml
2019-06-10 19:48:18,630 INFO [Flow Service Tasks Thread-1] o.a.nifi.controller.StandardFlowService Saved flow controller org.apache.nifi.controller.FlowController@53e44c8 // Another save pending = false
2019-06-10 19:48:21,426 INFO [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Validating /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml for XXE attack
2019-06-10 19:48:21,427 WARN [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Detected XXE attack in /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml
2019-06-10 19:48:26,432 INFO [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Validating /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml for XXE attack
2019-06-10 19:48:26,432 WARN [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Detected XXE attack in /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml
2019-06-10 19:48:31,435 INFO [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Validating /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml for XXE attack
2019-06-10 19:48:31,435 WARN [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Detected XXE attack in /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml
2019-06-10 19:48:36,439 INFO [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Validating /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml for XXE attack
2019-06-10 19:48:36,439 WARN [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Detected XXE attack in /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml
2019-06-10 19:48:41,444 INFO [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Validating /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml for XXE attack
2019-06-10 19:48:41,444 WARN [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Detected XXE attack in /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml
2019-06-10 19:48:46,450 INFO [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Validating /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml for XXE attack
2019-06-10 19:48:46,450 WARN [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Detected XXE attack in /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml
2019-06-10 19:48:51,454 INFO [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Validating /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml for XXE attack
2019-06-10 19:48:51,454 WARN [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Detected XXE attack in /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml
2019-06-10 19:48:52,528 INFO [NiFi Web Server-19] o.a.n.c.flow.StandardFlowManager StandardControllerServiceNode{controllerServiceHolder=org.apache.nifi:nifi-lookup-services-nar:1.10.0-SNAPSHOT, versionedComponentId=null, comment='', processGroup=null, active=false} removed from Flow Controller
2019-06-10 19:48:52,843 INFO [Flow Service Tasks Thread-2] o.a.nifi.controller.StandardFlowService Saved flow controller org.apache.nifi.controller.FlowController@53e44c8 // Another save pending = false
2019-06-10 19:48:56,460 INFO [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Validating /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml for XXE attack
2019-06-10 19:48:56,460 WARN [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Detected XXE attack in /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml
2019-06-10 19:49:01,463 INFO [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Validating /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml for XXE attack
2019-06-10 19:49:01,464 WARN [Validate Components Thread-2] o.apache.nifi.security.xml.XXEValidator Detected XXE attack in /Users/alopresto/Workspace/nifi/nifi-commons/nifi-security-utils/src/test/resources/local_xxe_file.xml
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
