Class SafeXMLConfiguration

java.lang.Object
org.apache.commons.configuration2.event.BaseEventSource
org.apache.commons.configuration2.AbstractConfiguration
org.apache.commons.configuration2.AbstractHierarchicalConfiguration<org.apache.commons.configuration2.tree.ImmutableNode>
org.apache.commons.configuration2.BaseHierarchicalConfiguration
org.apache.commons.configuration2.XMLConfiguration
org.apache.nifi.lookup.configuration2.SafeXMLConfiguration
All Implemented Interfaces:
Cloneable, org.apache.commons.configuration2.Configuration, org.apache.commons.configuration2.event.EventSource, org.apache.commons.configuration2.FileBasedConfiguration, org.apache.commons.configuration2.HierarchicalConfiguration<org.apache.commons.configuration2.tree.ImmutableNode>, org.apache.commons.configuration2.ImmutableConfiguration, org.apache.commons.configuration2.ImmutableHierarchicalConfiguration, org.apache.commons.configuration2.io.FileBased, org.apache.commons.configuration2.io.FileLocatorAware, org.apache.commons.configuration2.io.InputStreamSupport, org.apache.commons.configuration2.sync.SynchronizerSupport, org.apache.commons.configuration2.tree.InMemoryNodeModelSupport, org.apache.commons.configuration2.tree.NodeKeyResolver<org.apache.commons.configuration2.tree.ImmutableNode>, org.apache.commons.configuration2.tree.NodeModelSupport<org.apache.commons.configuration2.tree.ImmutableNode>

public class SafeXMLConfiguration extends org.apache.commons.configuration2.XMLConfiguration
For security reasons, this class overrides the Apache Commons 'XMLConfiguration' class to disable processing of XML external entity (XXE) declarations. This class should be used in all cases where an XML configuration file will be used by NiFi. It is currently used by the XMLFileLookupService.
  • Nested Class Summary

    Nested Classes
    Modifier and Type
    Class
    Description
    (package private) static interface 
     

    Nested classes/interfaces inherited from class org.apache.commons.configuration2.BaseHierarchicalConfiguration

    org.apache.commons.configuration2.BaseHierarchicalConfiguration.BuilderVisitor
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    private static final String
     
    private static final String
     
    private static final String
     
    private static final String
     
    private static final String
     
    private static final String
     
    private static final String
     
  • Constructor Summary

    Constructors
    Constructor
    Description
    SafeXMLConfiguration()
     
    SafeXMLConfiguration(org.apache.commons.configuration2.HierarchicalConfiguration<org.apache.commons.configuration2.tree.ImmutableNode> c)
     
  • Method Summary

    Modifier and Type
    Method
    Description
    DocumentBuilder
    createDocumentBuilder()
    This overridden createDocumentBuilder() method sets the appropriate factory attributes to disable XXE parsing.
    private void
    delegateRead(SafeXMLConfiguration.XMLReader superRead)
     
    void
    initFileLocator(org.apache.commons.configuration2.io.FileLocator loc)
     
    private boolean
    isXXERelatedException(org.apache.commons.configuration2.ex.ConfigurationException e)
    Determine if the ConfigurationException was thrown because the XML configuration file contains an external entity (XXE).
    void
    read(InputStream in)
     
    void
    read(Reader in)
     

    Methods inherited from class org.apache.commons.configuration2.XMLConfiguration

    createTransformer, getDocument, getDocumentBuilder, getEntityResolver, getPublicID, getRootElementNameInternal, getSystemID, isSchemaValidation, isValidating, setDocumentBuilder, setEntityResolver, setPublicID, setRootElementName, setSchemaValidation, setSystemID, setValidating, validate, write, write

    Methods inherited from class org.apache.commons.configuration2.BaseHierarchicalConfiguration

    childConfigurationsAt, childConfigurationsAt, cloneNodeModel, configurationAt, configurationAt, configurationsAt, configurationsAt, createSubConfigurationForTrackedNode, getNodeModel, getSubConfigurationNodeSelector, getSubConfigurationParentModel, immutableChildConfigurationsAt, immutableConfigurationAt, immutableConfigurationAt, immutableConfigurationsAt, initSubConfigurationForThisParent, interpolatedConfiguration, subnodeConfigurationChanged, subset

    Methods inherited from class org.apache.commons.configuration2.AbstractHierarchicalConfiguration

    addNodes, addNodesInternal, addPropertyDirect, addPropertyInternal, clearInternal, clearPropertyDirect, clearTree, clearTreeInternal, clone, containsKeyInternal, containsValueInternal, fetchNodeList, getExpressionEngine, getKeysInternal, getKeysInternal, getMaxIndex, getMaxIndexInternal, getModel, getPropertyInternal, getRootElementName, isEmptyInternal, nodeDefined, nodeKey, resolveAddKey, resolveKey, resolveNodeKey, resolveUpdateKey, setExpressionEngine, setPropertyInternal, sizeInternal, toString

    Methods inherited from class org.apache.commons.configuration2.AbstractConfiguration

    addErrorLogListener, addProperty, append, beginRead, beginWrite, clear, clearProperty, cloneInterpolator, contains, containsKey, containsValue, copy, endRead, endWrite, get, get, getArray, getArray, getBigDecimal, getBigDecimal, getBigInteger, getBigInteger, getBoolean, getBoolean, getBoolean, getByte, getByte, getByte, getCollection, getCollection, getConfigurationDecoder, getConversionHandler, getDouble, getDouble, getDouble, getDuration, getDuration, getEncodedString, getEncodedString, getFloat, getFloat, getFloat, getInt, getInt, getInteger, getInterpolator, getKeys, getKeys, getKeys, getKeysInternal, getList, getList, getList, getList, getListDelimiterHandler, getLogger, getLong, getLong, getLong, getProperties, getProperties, getProperty, getShort, getShort, getShort, getString, getString, getStringArray, getSynchronizer, immutableSubset, initLogger, installInterpolator, interpolate, interpolate, isEmpty, isScalarValue, isThrowExceptionOnMissing, lock, setConfigurationDecoder, setConversionHandler, setDefaultLookups, setInterpolator, setListDelimiterHandler, setLogger, setParentInterpolator, setPrefixLookups, setProperty, setSynchronizer, setThrowExceptionOnMissing, size, unlock

    Methods inherited from class org.apache.commons.configuration2.event.BaseEventSource

    addEventListener, clearErrorListeners, clearEventListeners, copyEventListeners, createErrorEvent, createEvent, fireError, fireEvent, getEventListenerRegistrations, getEventListeners, isDetailEvents, removeEventListener, setDetailEvents

    Methods inherited from class java.lang.Object

    equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

    Methods inherited from interface org.apache.commons.configuration2.Configuration

    addProperty, clear, clearProperty, getInterpolator, installInterpolator, setInterpolator, setProperty, subset

    Methods inherited from interface org.apache.commons.configuration2.ImmutableConfiguration

    containsKey, containsValue, get, get, getArray, getArray, getBigDecimal, getBigDecimal, getBigInteger, getBigInteger, getBoolean, getBoolean, getBoolean, getByte, getByte, getByte, getCollection, getCollection, getDouble, getDouble, getDouble, getDuration, getDuration, getEncodedString, getEncodedString, getEnum, getEnum, getFloat, getFloat, getFloat, getInt, getInt, getInteger, getKeys, getKeys, getKeys, getList, getList, getList, getList, getLong, getLong, getLong, getProperties, getProperty, getShort, getShort, getShort, getString, getString, getStringArray, immutableSubset, isEmpty, size

    Methods inherited from interface org.apache.commons.configuration2.sync.SynchronizerSupport

    getSynchronizer, lock, setSynchronizer, unlock
  • Field Details

  • Constructor Details

    • SafeXMLConfiguration

      public SafeXMLConfiguration()
    • SafeXMLConfiguration

      public SafeXMLConfiguration(org.apache.commons.configuration2.HierarchicalConfiguration<org.apache.commons.configuration2.tree.ImmutableNode> c)
  • Method Details

    • initFileLocator

      public void initFileLocator(org.apache.commons.configuration2.io.FileLocator loc)
      Specified by:
      initFileLocator in interface org.apache.commons.configuration2.io.FileLocatorAware
      Overrides:
      initFileLocator in class org.apache.commons.configuration2.XMLConfiguration
    • createDocumentBuilder

      public DocumentBuilder createDocumentBuilder() throws ParserConfigurationException
      This overridden createDocumentBuilder() method sets the appropriate factory attributes to disable XXE parsing.
      Overrides:
      createDocumentBuilder in class org.apache.commons.configuration2.XMLConfiguration
      Returns:
      Returns a safe DocumentBuilder
      Throws:
      ParserConfigurationException - A configuration error
    • read

      public void read(Reader in) throws org.apache.commons.configuration2.ex.ConfigurationException, IOException
      Specified by:
      read in interface org.apache.commons.configuration2.io.FileBased
      Overrides:
      read in class org.apache.commons.configuration2.XMLConfiguration
      Throws:
      org.apache.commons.configuration2.ex.ConfigurationException
      IOException
    • read

      public void read(InputStream in) throws org.apache.commons.configuration2.ex.ConfigurationException, IOException
      Specified by:
      read in interface org.apache.commons.configuration2.io.InputStreamSupport
      Overrides:
      read in class org.apache.commons.configuration2.XMLConfiguration
      Throws:
      org.apache.commons.configuration2.ex.ConfigurationException
      IOException
    • delegateRead

      private void delegateRead(SafeXMLConfiguration.XMLReader superRead) throws org.apache.commons.configuration2.ex.ConfigurationException, IOException
      Throws:
      org.apache.commons.configuration2.ex.ConfigurationException
      IOException
    • isXXERelatedException

      private boolean isXXERelatedException(org.apache.commons.configuration2.ex.ConfigurationException e)
      Determine if the ConfigurationException was thrown because the XML configuration file contains an external entity (XXE).
      Parameters:
      e - A ConfigurationException that was thrown when parsing the XML configuration file.
      Returns:
      true if the ConfigurationException was a result of attempting to parse an external entity (which is not allowed for security reasons). Returns false otherwise.
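
The kind of factory hardening that createDocumentBuilder() describes, and the kind of check isXXERelatedException describes, shown as an added example that is not NiFi's source code. It assumes the JDK's built-in JAXP parser; the class name `HardenedBuilderDemo`, the helper names and the sample documents are hypothetical and constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedBuilderDemo {

    // Build a DocumentBuilder with DTDs and external entity resolution switched off.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any document that carries a DOCTYPE at all (strongest single setting).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE ban is relaxed later.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Empty string = no protocol may be used to fetch external DTDs or schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Hypothetical classifier: true when the parser refused the document because of
    // its DOCTYPE. Matching on the message text is an assumption; it is locale-dependent.
    static boolean rejectedForDoctype(String xml) throws Exception {
        try {
            hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXParseException e) {
            return e.getMessage() != null && e.getMessage().contains("DOCTYPE");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a plain lookup file and one declaring an external entity.
        String plain = "<properties><property name=\"a\">1</property></properties>";
        String withEntity = "<!DOCTYPE properties [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<properties><property name=\"a\">&ext;</property></properties>";
        System.out.println("plain rejected: " + rejectedForDoctype(plain));
        System.out.println("entity file rejected: " + rejectedForDoctype(withEntity));
    }
}
```

Running a check like this against every XML parser entry point in a code base is a quick regression test that a dependency upgrade or a new constructor path has not reintroduced entity resolution.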