Apache
/
nifi
mirror of https://github.com/apache/nifi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

NIFI-8274 - add EL consideration in XXEValidator 

Signed-off-by: Matthew Burgess <mattyb149@apache.org>

This closes #4859
This commit is contained in:
Pierre Villard 2021-03-01 22:51:41 +04:00 committed by Matthew Burgess
parent bbd37b8db7
commit ea8727a278
No known key found for this signature in database
GPG Key ID: 05D3DEB8126DAD24
2 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/xml/XXEValidator.java
View File

@ -43,6 +43,10 @@ public class XXEValidator implements Validator {
String line;
boolean containsXXE = false;
if (validationContext.isExpressionLanguageSupported(subject) && validationContext.isExpressionLanguagePresent(input)) {
return new ValidationResult.Builder().subject(subject).input(input).explanation("Expression Language Present").valid(true).build();
}
final String xmlFilePathString = xmlFilePath.toString();
logger.info("Validating {} for XXE attack", xmlFilePathString);

29
nifi-nar-bundles/nifi-standard-services/nifi-lookup-services-bundle/nifi-lookup-services/src/test/java/org/apache/nifi/lookup/TestPropertiesFileLookupService.java
View File

@ -60,4 +60,33 @@ public class TestPropertiesFileLookupService {
assertEquals(EMPTY_STRING, property3);
}
@Test
public void testPropertiesFileLookupServiceVariable() throws InitializationException, LookupFailureException {
final TestRunner runner = TestRunners.newTestRunner(TestProcessor.class);
final PropertiesFileLookupService service = new PropertiesFileLookupService();
runner.setVariable("myFile", "src/test/resources/test.properties");
runner.addControllerService("properties-file-lookup-service", service);
runner.setProperty(service, PropertiesFileLookupService.CONFIGURATION_FILE, "${myFile}");
runner.enableControllerService(service);
runner.assertValid(service);
final PropertiesFileLookupService lookupService =
(PropertiesFileLookupService) runner.getProcessContext()
.getControllerServiceLookup()
.getControllerService("properties-file-lookup-service");
assertThat(lookupService, instanceOf(LookupService.class));
final Optional<String> property1 = lookupService.lookup(Collections.singletonMap("key", "property.1"));
assertEquals(Optional.of("this is property 1"), property1);
final Optional<String> property2 = lookupService.lookup(Collections.singletonMap("key", "property.2"));
assertEquals(Optional.of("this is property 2"), property2);
final Optional<String> property3 = lookupService.lookup(Collections.singletonMap("key", "property.3"));
assertEquals(EMPTY_STRING, property3);
}
}