org.apache.nifi.security.xml

Class SafeXMLConfiguration

java.lang.Object

org.apache.commons.configuration2.event.BaseEventSource

org.apache.commons.configuration2.AbstractConfiguration

org.apache.commons.configuration2.AbstractHierarchicalConfiguration<org.apache.commons.configuration2.tree.ImmutableNode>

org.apache.commons.configuration2.BaseHierarchicalConfiguration

org.apache.commons.configuration2.XMLConfiguration

org.apache.nifi.security.xml.SafeXMLConfiguration

All Implemented Interfaces:

Cloneable, org.apache.commons.configuration2.Configuration, org.apache.commons.configuration2.event.EventSource, org.apache.commons.configuration2.FileBasedConfiguration, org.apache.commons.configuration2.HierarchicalConfiguration<org.apache.commons.configuration2.tree.ImmutableNode>, org.apache.commons.configuration2.ImmutableConfiguration, org.apache.commons.configuration2.ImmutableHierarchicalConfiguration, org.apache.commons.configuration2.io.FileBased, org.apache.commons.configuration2.io.FileLocatorAware, org.apache.commons.configuration2.io.InputStreamSupport, org.apache.commons.configuration2.sync.SynchronizerSupport, org.apache.commons.configuration2.tree.InMemoryNodeModelSupport, org.apache.commons.configuration2.tree.NodeKeyResolver<org.apache.commons.configuration2.tree.ImmutableNode>, org.apache.commons.configuration2.tree.NodeModelSupport<org.apache.commons.configuration2.tree.ImmutableNode>

public class SafeXMLConfiguration
extends org.apache.commons.configuration2.XMLConfiguration

For security reasons, this class overrides the Apache commons 'XMLConfiguration' class to disable processing of XML external entity (XXE) declarations. This class should be used in all cases where an XML configuration file will be used by NiFi. It is currently used by the XMLFileLookupService.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
(package private) static interface	SafeXMLConfiguration.XMLReader

Nested classes/interfaces inherited from class org.apache.commons.configuration2.BaseHierarchicalConfiguration

org.apache.commons.configuration2.BaseHierarchicalConfiguration.BuilderVisitor

Field Summary

Fields

Modifier and Type	Field and Description
private static String	ALLOW_EXTERNAL_DTD
private static String	ALLOW_EXTERNAL_GENERAL_ENTITIES
private static String	ALLOW_EXTERNAL_PARAM_ENTITIES
private static String	DISALLOW_DOCTYPES
private static String	JAXP_SCHEMA_LANGUAGE
private static String	W3C_XML_SCHEMA
private static String	XXE_ERROR_MESSAGE

Constructor Summary

Constructors

Constructor and Description
SafeXMLConfiguration()
SafeXMLConfiguration(org.apache.commons.configuration2.HierarchicalConfiguration<org.apache.commons.configuration2.tree.ImmutableNode> c)

Method Summary

Modifier and Type	Method and Description
DocumentBuilder	createDocumentBuilder() This overridden createDocumentBuilder() method sets the appropriate factory attributes to disable XXE parsing.
private void	delegateRead(SafeXMLConfiguration.XMLReader superRead)
void	initFileLocator(org.apache.commons.configuration2.io.FileLocator loc)
private boolean	isXXERelatedException(org.apache.commons.configuration2.ex.ConfigurationException e) Determine if the ConfigurationException was thrown because the XML configuration file contains an external entity (XXE).
void	read(InputStream in)
void	read(Reader in)

Methods inherited from class org.apache.commons.configuration2.XMLConfiguration

createTransformer, getDocument, getDocumentBuilder, getEntityResolver, getPublicID, getRootElementNameInternal, getSystemID, isSchemaValidation, isValidating, setDocumentBuilder, setEntityResolver, setPublicID, setRootElementName, setSchemaValidation, setSystemID, setValidating, validate, write, write

Methods inherited from class org.apache.commons.configuration2.BaseHierarchicalConfiguration

childConfigurationsAt, childConfigurationsAt, cloneNodeModel, configurationAt, configurationAt, configurationsAt, configurationsAt, createSubConfigurationForTrackedNode, getNodeModel, getSubConfigurationNodeSelector, getSubConfigurationParentModel, immutableChildConfigurationsAt, immutableConfigurationAt, immutableConfigurationAt, immutableConfigurationsAt, initSubConfigurationForThisParent, interpolatedConfiguration, subnodeConfigurationChanged, subset

Methods inherited from class org.apache.commons.configuration2.AbstractHierarchicalConfiguration

addNodes, addNodesInternal, addPropertyDirect, addPropertyInternal, clearInternal, clearPropertyDirect, clearTree, clearTreeInternal, clone, containsKeyInternal, fetchNodeList, getExpressionEngine, getKeysInternal, getKeysInternal, getMaxIndex, getMaxIndexInternal, getModel, getPropertyInternal, getRootElementName, isEmptyInternal, nodeDefined, nodeKey, resolveAddKey, resolveKey, resolveNodeKey, resolveUpdateKey, setExpressionEngine, setPropertyInternal, sizeInternal, toString

Methods inherited from class org.apache.commons.configuration2.AbstractConfiguration

addErrorLogListener, addProperty, append, beginRead, beginWrite, clear, clearProperty, cloneInterpolator, containsKey, copy, endRead, endWrite, get, get, getArray, getArray, getBigDecimal, getBigDecimal, getBigInteger, getBigInteger, getBoolean, getBoolean, getBoolean, getByte, getByte, getByte, getCollection, getCollection, getConfigurationDecoder, getConversionHandler, getDouble, getDouble, getDouble, getEncodedString, getEncodedString, getFloat, getFloat, getFloat, getInt, getInt, getInteger, getInterpolator, getKeys, getKeys, getList, getList, getList, getList, getListDelimiterHandler, getLogger, getLong, getLong, getLong, getProperties, getProperties, getProperty, getShort, getShort, getShort, getString, getString, getStringArray, getSynchronizer, immutableSubset, initLogger, installInterpolator, interpolate, interpolate, isEmpty, isScalarValue, isThrowExceptionOnMissing, lock, setConfigurationDecoder, setConversionHandler, setDefaultLookups, setInterpolator, setListDelimiterHandler, setLogger, setParentInterpolator, setPrefixLookups, setProperty, setSynchronizer, setThrowExceptionOnMissing, size, unlock

Methods inherited from class org.apache.commons.configuration2.event.BaseEventSource

addEventListener, clearErrorListeners, clearEventListeners, copyEventListeners, createErrorEvent, createEvent, fireError, fireEvent, getEventListenerRegistrations, getEventListeners, isDetailEvents, removeEventListener, setDetailEvents

Methods inherited from class java.lang.Object

equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.apache.commons.configuration2.Configuration

addProperty, clear, clearProperty, getInterpolator, installInterpolator, setInterpolator, setProperty, subset

Methods inherited from interface org.apache.commons.configuration2.ImmutableConfiguration

containsKey, get, get, getArray, getArray, getBigDecimal, getBigDecimal, getBigInteger, getBigInteger, getBoolean, getBoolean, getBoolean, getByte, getByte, getByte, getCollection, getCollection, getDouble, getDouble, getDouble, getEncodedString, getEncodedString, getFloat, getFloat, getFloat, getInt, getInt, getInteger, getKeys, getKeys, getList, getList, getList, getList, getLong, getLong, getLong, getProperties, getProperty, getShort, getShort, getShort, getString, getString, getStringArray, immutableSubset, isEmpty, size

Methods inherited from interface org.apache.commons.configuration2.sync.SynchronizerSupport

getSynchronizer, lock, setSynchronizer, unlock

Field Detail

JAXP_SCHEMA_LANGUAGE

private static final String JAXP_SCHEMA_LANGUAGE

See Also:

Constant Field Values

W3C_XML_SCHEMA

private static final String W3C_XML_SCHEMA

See Also:

Constant Field Values

DISALLOW_DOCTYPES

private static final String DISALLOW_DOCTYPES

See Also:

Constant Field Values

ALLOW_EXTERNAL_GENERAL_ENTITIES

private static final String ALLOW_EXTERNAL_GENERAL_ENTITIES

See Also:

Constant Field Values

ALLOW_EXTERNAL_PARAM_ENTITIES

private static final String ALLOW_EXTERNAL_PARAM_ENTITIES

See Also:

Constant Field Values

ALLOW_EXTERNAL_DTD

private static final String ALLOW_EXTERNAL_DTD

See Also:

Constant Field Values

XXE_ERROR_MESSAGE

private static final String XXE_ERROR_MESSAGE

See Also:

Constant Field Values

Constructor Detail

SafeXMLConfiguration

public SafeXMLConfiguration()

SafeXMLConfiguration

public SafeXMLConfiguration(org.apache.commons.configuration2.HierarchicalConfiguration<org.apache.commons.configuration2.tree.ImmutableNode> c)

Method Detail

initFileLocator

public void initFileLocator(org.apache.commons.configuration2.io.FileLocator loc)

Specified by:

initFileLocator in interface org.apache.commons.configuration2.io.FileLocatorAware

Overrides:

initFileLocator in class org.apache.commons.configuration2.XMLConfiguration

createDocumentBuilder

public DocumentBuilder createDocumentBuilder()
                                      throws ParserConfigurationException

This overridden createDocumentBuilder() method sets the appropriate factory attributes to disable XXE parsing.

Overrides:

createDocumentBuilder in class org.apache.commons.configuration2.XMLConfiguration

Returns:

Returns a safe DocumentBuilder

Throws:

ParserConfigurationException - A configuration error

read

public void read(Reader in)
          throws org.apache.commons.configuration2.ex.ConfigurationException,
                 IOException

Specified by:

read in interface org.apache.commons.configuration2.io.FileBased

Overrides:

read in class org.apache.commons.configuration2.XMLConfiguration

Throws:

org.apache.commons.configuration2.ex.ConfigurationException

IOException

read

public void read(InputStream in)
          throws org.apache.commons.configuration2.ex.ConfigurationException,
                 IOException

Specified by:

read in interface org.apache.commons.configuration2.io.InputStreamSupport

Overrides:

read in class org.apache.commons.configuration2.XMLConfiguration

Throws:

org.apache.commons.configuration2.ex.ConfigurationException

IOException

delegateRead

private void delegateRead(SafeXMLConfiguration.XMLReader superRead)
                   throws org.apache.commons.configuration2.ex.ConfigurationException,
                          IOException

Throws:

org.apache.commons.configuration2.ex.ConfigurationException

IOException

isXXERelatedException

private boolean isXXERelatedException(org.apache.commons.configuration2.ex.ConfigurationException e)

Determine if the ConfigurationException was thrown because the XML configuration file contains an external entity (XXE).

Parameters:

e - A ConfigurationException that was thrown when parsing the XML configuration file.

Returns:

true if the ConfigurationException was a result of attempting to parse an external entity (which is not allowed for security reasons). Returns false otherwise.