NIFI-9901 Add nifi-xml-processing to nifi-commons #5962
Conversation
exceptionfactory
force-pushed
the
NIFI-9901
branch
2 times, most recently
from
0c75c73
to
ae15880
Compare
- Refactored XML parsing to use providers from nifi-xml-processing - Configured spotbugs-maven-plugin with findsecbugs-plugin in nifi-xml-processing - Disabled Validate DTD in default configuration for EvaluateXPath and EvaluateXQuery - Replaced configuration of DocumentBuilder and streaming XML Readers with shared components - Removed XML utilities from nifi-security-utils - Moved Commons Configuration classes to nifi-lookup-services
exceptionfactory
force-pushed
the
NIFI-9901
branch
from
ae15880
to
5c323e1
Compare
| final DocumentBuilderFactory documentBuilderFactory = getDocumentBuilderFactory(); | ||
|
|
||
| try { | ||
| documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, ProcessingFeature.SECURE_PROCESSING.isEnabled()); |
There was a problem hiding this comment.
What is the benefit of defining the value here to be a lookup?
There was a problem hiding this comment.
The purpose of the ProcessingFeature.SECURE_PROCESSING reference was to define the property value in a central location that could be reused in multiple classes.
| try { | ||
| parseInputSource(inputSource, contentHandler); | ||
| } catch (final ParserConfigurationException|SAXException e) { | ||
| throw new ProcessingException("Parser Configuration failed", e); |
There was a problem hiding this comment.
This would encompass both the parser configuration and the parse operation.
Parser Configuration / Parse Operation failed
There was a problem hiding this comment.
That's a good point, will adjust to a more generalized Parsing failed message for the exception.
| @@ -427,8 +429,7 @@ private PoliciesUsersAndGroups parsePoliciesUsersAndGroups(final String fingerpr | |||
|
|
|||
| final byte[] fingerprintBytes = fingerprint.getBytes(StandardCharsets.UTF_8); | |||
| try (final ByteArrayInputStream in = new ByteArrayInputStream(fingerprintBytes)) { | |||
| final DocumentBuilder docBuilder = createSafeDocumentBuilder(); | |||
| final Document document = docBuilder.parse(in); | |||
| final Document document = parseFingerprint(in); | |||
There was a problem hiding this comment.
Why doesn't this usage use the new StandardDocumentProvider?
There was a problem hiding this comment.
Good question! This is only remaining location with a local reference to the DocumentBuilderFactory. PR #5514 for NIFI-9069 included the direct implementation, as opposed to XmlUtils due to issues with class loading between nifi-framework-api and dependent modules. It might be possible to revisit the problem, but this change maintains a limited scope for nifi-framework-api module dependencies.
| @@ -156,7 +152,7 @@ public class EvaluateXQuery extends AbstractProcessor { | |||
| .description("Specifies whether or not the XML content should be validated against the DTD.") | |||
| .required(true) | |||
| .allowableValues("true", "false") | |||
| .defaultValue("true") | |||
| .defaultValue("false") | |||
There was a problem hiding this comment.
Disabling Document Type Validation in the default configuration provides a more secure starting point for new instances of the Processor. The implementation in StandardDocumentProvider provides standard security restrictions on Document Type Validation, so enabling the Validate DTD property is not the optimal configuration. Changing the default value to false retains the property for deployments where embedded DTD validation is desired.
| * @param source Source to be validated | ||
| */ | ||
| @Override | ||
| public void validate(final Schema schema, final Source source) { |
There was a problem hiding this comment.
Do we only support the specification of a single schema when validating a document?
There was a problem hiding this comment.
Yes, the Schema object provides the newValidator() method, so this interface encapsulates that operation and sets standard properties on the Validator.
| @@ -162,10 +163,6 @@ public class EvaluateXPath extends AbstractProcessor { | |||
|
|
|||
| private final AtomicReference<XPathFactory> factoryRef = new AtomicReference<>(); | |||
|
|
|||
| static { | |||
| @@ -137,7 +138,7 @@ public class EvaluateXPath extends AbstractProcessor { | |||
| .description("Specifies whether or not the XML content should be validated against the DTD.") | |||
| .required(true) | |||
| .allowableValues("true", "false") | |||
| .defaultValue("true") | |||
There was a problem hiding this comment.
Is there a little context for this change?
There was a problem hiding this comment.
As mentioned for EvaluateXQuery, disabling validation of the Document Type Declaration in the default configuration provides a more secure starting point for new instances of the Processor.
|
Thanks for the initial feedback @greyp9! Will plan on updating the one exception message noted, as well as anything else, following additional feedback from testing. |
- Refactored XML parsing to use providers from nifi-xml-processing - Configured spotbugs-maven-plugin with findsecbugs-plugin in nifi-xml-processing - Disabled Validate DTD in default configuration for EvaluateXPath and EvaluateXQuery - Replaced configuration of DocumentBuilder and streaming XML Readers with shared components - Removed XML utilities from nifi-security-utils - Moved Commons Configuration classes to nifi-lookup-services This closes #5962 Signed-off-by: Paul Grey <greyp@apache.org>
- Refactored XML parsing to use providers from nifi-xml-processing - Configured spotbugs-maven-plugin with findsecbugs-plugin in nifi-xml-processing - Disabled Validate DTD in default configuration for EvaluateXPath and EvaluateXQuery - Replaced configuration of DocumentBuilder and streaming XML Readers with shared components - Removed XML utilities from nifi-security-utils - Moved Commons Configuration classes to nifi-lookup-services This closes apache#5962 Signed-off-by: Paul Grey <greyp@apache.org>
- Refactored XML parsing to use providers from nifi-xml-processing - Configured spotbugs-maven-plugin with findsecbugs-plugin in nifi-xml-processing - Disabled Validate DTD in default configuration for EvaluateXPath and EvaluateXQuery - Replaced configuration of DocumentBuilder and streaming XML Readers with shared components - Removed XML utilities from nifi-security-utils - Moved Commons Configuration classes to nifi-lookup-services This closes apache#5962 Signed-off-by: Paul Grey <greyp@apache.org>
Description of PR
NIFI-9901 Adds the
nifi-xml-processingmodule tonifi-commonsand refactors XML handling to use common components.Components in
nifi-xml-processingreplace the usage ofXmlUtilsinnifi-security-utilswith interfaces and implementation classes specific to each type of XML processing. The module includes the following interfaces derived from standard Java XML components:DocumentProviderfor DOM DocumentsInputSourceParserfor SAX ParsingXMLEventReaderProviderandXMLStreamReaderProviderfor StAX ParsingSchemaValidatorfor XML Schema ValidationThe
nifi-xml-processingMaven configuration includesspotbugs-maven-pluginwithfindsecbugs-pluginto analyze components for XML processing vulnerabilities during the build.General changes include refactoring references to
javax.xml.parsers.DocumentBuilderFactoryandjavax.xml.stream.XMLInputFactorythroughout the system to usenifi-xml-processingcomponents.Specific changes include updates to the
EvaluateXPathandEvaluateXQueryProcessors to disable Document Type Declaration Validation in the default configuration. Other adjustments include relocating Apache Commons Configuration 2 classes tonifi-lookup-services, which is the only reference to those components. This relocation allowsnifi-xml-processingto avoid any external dependencies.As a result of this refactoring,
nifi-security-utilsno longer contains any XML processing components, which allows some referencing modules to avoid unnecessary transitive dependencies.In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
For all changes:
Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
Has your PR been rebased against the latest commit within the target branch (typically
main)?Is your initial contribution a single, squashed commit? Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not
squashor use--forcewhen pushing to allow for clean monitoring of changes.For code changes:
mvn -Pcontrib-check clean installat the rootnififolder?LICENSEfile, including the mainLICENSEfile undernifi-assembly?NOTICEfile, including the mainNOTICEfile found undernifi-assembly?.displayNamein addition to .name (programmatic access) for each of the new properties?For documentation related changes:
Note:
Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible.