Github user yuri1969 commented on the issue:

    https://github.com/apache/nifi/pull/1946
  
    The `transformXml` uses the Saxon HE implementation of an XSLT processor, so 
Saxon implements the features.
    
    - `FEATURE_SECURE_PROCESSING` is an XSLT processor feature that restricts XSLT 
functionality like using `system-property()` to access Java system properties, using 
relative URIs in `xsl:result-document`, etc. So it should mitigate some threats 
coming from using non-trusted XSLTs.
    
    - both `http://xml.org/sax/features/external` are XML parser features that 
restrict using `<!ENTITY` or `<!DOCTYPE` in an XML file. An attacker can use 
entities to obtain access to your FS. 
    
    For example a malicious non-trusted input XML:
    ```
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE foo [
            <!ELEMENT foo ANY >
            <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
    <foo>&xxe;</foo>
    ```
    Then an XSLT output containing the element `foo` leaks the content of your 
/etc/passwd file.
    
    - Billion laughs/LOL bomb/entity expansion DoS is truly secured by the JRE 
default as you showed. So no need for a feature here.


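The XXE scenario described in the comment above, as an added example that is not part of the original comment and not NiFi's own `TransformXml` code. It runs the same untrusted document through a tiny XSLT twice: once with a default JAXP setup, where the external entity is resolved and the referenced file's contents end up in the output, and once with a SAX parser that forbids a `DOCTYPE` and external entities, combined with `FEATURE_SECURE_PROCESSING` on the `TransformerFactory`. The stylesheet, the class name and the temp file standing in for `/etc/passwd` are constructed for this example; which `TransformerFactory` and parser are used depends on the classpath (NiFi would pick up Saxon HE for XSLT, a stock JDK uses its built-in Xerces/XSLTC).

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

/**
 * Added example (hypothetical class, not NiFi code): the same untrusted XML is
 * transformed with a permissive and with a hardened parser configuration.
 */
public class XxeTransformDemo {

    // Constructed stylesheet: emits the text content of <foo> as plain text.
    static final String XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\"><xsl:value-of select=\"/foo\"/></xsl:template>"
      + "</xsl:stylesheet>";

    /** Untrusted input in the shape shown in the comment; the SYSTEM entity points at a file we control. */
    static String maliciousXml(Path secret) {
        return "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
             + "<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"" + secret.toUri() + "\" >]>"
             + "<foo>&xxe;</foo>";
    }

    /** Permissive setup: default factory, default parser, no features touched. */
    static String transformPermissive(String xml) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(XSLT)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    /** Hardened setup: DOCTYPE rejected, external entities off, secure processing on both sides. */
    static String transformHardened(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces-specific: refuse any <!DOCTYPE ...> outright, which kills XXE and entity bombs.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // The two SAX features referred to in the comment, for parsers that still accept a DOCTYPE.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();

        TransformerFactory tf = TransformerFactory.newInstance();
        // Restricts what the stylesheet itself may do (extension functions, external access).
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(XSLT)));
        StringWriter out = new StringWriter();
        // Feed the transformer through our locked-down reader instead of letting it pick its own.
        t.transform(new SAXSource(reader, new InputSource(new StringReader(xml))),
                    new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for /etc/passwd so the demo is self-contained.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.write(secret, "root:x:0:0:root:/root:/bin/bash\n".getBytes(StandardCharsets.UTF_8));
        String xml = maliciousXml(secret);
        try {
            System.out.println("permissive: " + transformPermissive(xml));
            try {
                System.out.println("hardened:   " + transformHardened(xml));
            } catch (Exception e) {
                System.out.println("hardened:   rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

With a stock JDK the permissive path prints the temp file's line, i.e. the leak the comment describes, while the hardened path throws from inside `transform` because the `DOCTYPE` is disallowed. If a deployment must accept documents with a `DOCTYPE`, drop only the `disallow-doctype-decl` line: the two `external-*-entities` features then make the parser skip `&xxe;` rather than resolve it, and the JDK's entity-expansion limit still covers the billion-laughs case.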