
XML Threat Protection for API Gateway

The XML threat protector in WSO2 API Manager validates incoming XML payloads against pre-configured limits and rejects payloads that exceed them. It uses the following methods to protect the gateway from XML-based attacks.

Detecting malformed or vulnerable XML messages through limits

The xml_validator sequence specifies the properties to be limited in the payload. A sample xml_validator sequence is given below.

<sequence xmlns="http://ws.apache.org/ns/synapse" name="xml_validator">
    <log level="custom">
        <property name="IN_MESSAGE" value="xml_validator"/>
    </log>
    <property name="xmlValidation" value="true"/>
    <property name="dtdEnabled" value="false"/>
    <property name="externalEntitiesEnabled" value="true"/>
    <property name="maxXMLDepth" value="100"/>
    <property name="maxElementCount" value="100"/>
    <property name="maxAttributeCount" value="100"/>
    <property name="maxAttributeLength" value="100"/>
    <property name="entityExpansionLimit" value="100"/>
    <property name="maxChildrenPerElement" value="100"/>
    <property name="schemaValidation" value="true"/>
    <switch source="get-property('To')">
        <case regex=".*/addResource.*">
            <property name="xsdURL" value="<Insert the XSD URL>"/>
        </case>
        <!--<case regex=".*/update.*">-->
            <!--<property name="xsdURL" value="<insert XSD_URL>"/>-->
        <!--</case>-->
        <!--<case regex=".*/delete.*">-->
            <!--<property name="xsdURL" value="<insert XSD_URL>"/>-->
        <!--</case>-->
    </switch>
    <property name="RequestMessageBufferSize" value="1024"/>
    <class name="org.wso2.carbon.apimgt.gateway.mediators.XMLSchemaValidator"/>
</sequence>

Users can enable or disable XML payload limits and schema validation. Some examples are shown below.


XML payload validation properties
  • Disable DTD processing in the XML properties (dtdEnabled=false) to avoid DTD-based attacks.

  • You can turn external entity processing on or off for the payload. The properties of the XML request body that can be configured are listed below.

    Property                | Default Value | Description
    ------------------------|---------------|------------------------------------------------------------------
    dtdEnabled              | false         | The DTD can be enabled/disabled according to your requirement.
    externalEntitiesEnabled | true          | External entities in the payload can be turned on/off according to your requirement.
    maxXMLDepth             | 100           | Maximum depth of the XML request message.
    maxElementCount         | 100           | Maximum number of allowed elements in the XML request message.
    maxAttributeCount       | 100           | Maximum count of allowed attributes in the XML request message.
    maxAttributeLength      | 100           | Maximum allowed length of each attribute value in characters.
    entityExpansionLimit    | 100           | Maximum allowed entity expansion limit of the XML request message.
    maxChildrenPerElement   | 100           | Maximum number of child elements allowed in the XML request message.
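To make the limits above concrete, the following added example (not WSO2's XMLSchemaValidator mediator, and not code from this page) enforces dtdEnabled, maxXMLDepth, maxElementCount, maxAttributeCount, maxAttributeLength and maxChildrenPerElement with a streaming expat parser, stopping at the first violated limit. The property names in the error messages, the XmlLimits class, the helper functions and the sample payloads are all constructed for this illustration. Rejecting the DOCTYPE when DTDs are disabled also removes the entity-expansion vector, so entityExpansionLimit is not counted separately here.

```python
"""Standalone illustration of XML threat limits of the kind the xml_validator
sequence configures. Not WSO2 code; the limit names mirror the page's properties."""
from dataclasses import dataclass
import xml.parsers.expat


@dataclass
class XmlLimits:
    # Defaults mirror the sample xml_validator sequence on this page.
    dtd_enabled: bool = False
    max_xml_depth: int = 100
    max_element_count: int = 100
    max_attribute_count: int = 100
    max_attribute_length: int = 100
    max_children_per_element: int = 100


class XmlThreatError(ValueError):
    """Raised as soon as a limit is exceeded; parsing stops at that point."""


def check_xml_payload(payload: bytes, limits: XmlLimits) -> dict:
    """Stream-parse the payload, checking each limit as elements arrive.

    Returns observed statistics when the payload stays within the limits.
    """
    parser = xml.parsers.expat.ParserCreate()
    stats = {"elements": 0, "max_depth": 0, "max_children": 0}
    child_counts = []  # one child counter per currently open element

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Refusing the DOCTYPE also refuses every entity declaration, so
        # neither internal nor external entities can be expanded later.
        if not limits.dtd_enabled:
            raise XmlThreatError("dtdEnabled=false: DOCTYPE is not allowed")

    def start_element(name, attrs):
        stats["elements"] += 1
        if stats["elements"] > limits.max_element_count:
            raise XmlThreatError("maxElementCount exceeded")
        if len(attrs) > limits.max_attribute_count:
            raise XmlThreatError(f"maxAttributeCount exceeded on <{name}>")
        for attr, value in attrs.items():
            if len(value) > limits.max_attribute_length:
                raise XmlThreatError(f"maxAttributeLength exceeded on {attr}")
        if child_counts:
            child_counts[-1] += 1
            if child_counts[-1] > limits.max_children_per_element:
                raise XmlThreatError("maxChildrenPerElement exceeded")
            stats["max_children"] = max(stats["max_children"], child_counts[-1])
        child_counts.append(0)
        if len(child_counts) > limits.max_xml_depth:
            raise XmlThreatError("maxXMLDepth exceeded")
        stats["max_depth"] = max(stats["max_depth"], len(child_counts))

    def end_element(name):
        child_counts.pop()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(payload, True)
    except xml.parsers.expat.ExpatError as exc:
        # Well-formedness errors are rejected too, like any other bad payload.
        raise XmlThreatError(f"malformed XML: {exc}") from exc
    return stats


def is_payload_safe(payload: bytes, limits: XmlLimits):
    """Gateway-style verdict as (accepted, reason)."""
    try:
        stats = check_xml_payload(payload, limits)
    except XmlThreatError as exc:
        return False, str(exc)
    return True, f"ok: {stats}"


# Constructed sample payloads (not taken from the page).
OK_PAYLOAD = b"<addResource><name>foo</name><value>1</value></addResource>"
DEEP_PAYLOAD = b"<a>" * 40 + b"</a>" * 40        # nesting depth 40
WIDE_PAYLOAD = b"<r>" + b"<c/>" * 50 + b"</r>"   # 50 children under one element
DOCTYPE_PAYLOAD = b'<!DOCTYPE x [<!ENTITY e "e">]><x>&e;</x>'
LONG_ATTR_PAYLOAD = b'<r a="' + b"x" * 200 + b'"/>'

if __name__ == "__main__":
    # Limits of 30, as in the page's testing section.
    strict = XmlLimits(max_xml_depth=30, max_element_count=30,
                       max_attribute_count=30, max_attribute_length=30,
                       max_children_per_element=30)
    for label, payload in [("ok", OK_PAYLOAD), ("deep", DEEP_PAYLOAD),
                           ("wide", WIDE_PAYLOAD), ("doctype", DOCTYPE_PAYLOAD),
                           ("long-attr", LONG_ATTR_PAYLOAD)]:
        print(label, is_payload_safe(payload, strict))
```

The checks run inside the parser callbacks, so an oversized or deeply nested payload is rejected while it is still being read rather than after it has been fully built in memory; this is the property that makes such limits useful against resource-exhaustion payloads.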

XML schema validation 

You can define an XML schema per resource to validate each request against it. For example, to add an XML schema for the resource /userapi/1.0.0/addResource/value, follow the steps below.

  1. Define the resource path in the case regex of the switch mediator.
  2. Define the relevant schema URL in the xsdURL property of that case, as shown in the sample xml_validator sequence above.
  3. Set the buffer size of the request message (RequestMessageBufferSize) according to your requirement, as shown in the sample sequence above.

Each request is sanitized through the XML threat protector. API developers can modify each property according to their requirements.

Editing the sequence through registry artifacts

To edit the existing sequence follow the steps below.

  1. Log in to the Management Console.
  2. Navigate to /_system/governance/apimgt/customsequences/in/xml_validator.xml
  3. Edit the xml_validator.xml file.
  4. Go to the API Publisher and re-publish your API for the changes to take effect.

Applying the XML validator policy

You can apply the pre-defined XML policy through the UI. Follow the instructions below to apply xml_validator as the In Flow sequence.

  • Create an API or edit an existing API.

  • Go to Message Mediation Policies under the Implement tab.

  • Select Enable Message Mediation. Select xml_validator from the drop-down menu for In Flow.

  • Click Save and Publish to save the changes.

Testing the XML threat protector

You can edit the sequence to set the property values according to your requirements. A sample request and response, with each of the limit properties set to 30, is given below. Note that the .xsd file for the relevant resource has been hosted at the configured xsdURL.

Testing the schema validation

A sample request and response to test the schema validation is given below.

Performance impact

The XML mediator builds the full message at the mediator level. For 10KB messages with 300 concurrent users, this slows processing by 5.6 times compared to the normal flow. The slowdown grows with the message size.
