[XSDLookUp] Updated entity resolver to not fallback to network lookup when xsd is not found #135

Closed
sync-by-unito bot opened this issue Mar 2, 2022 · 6 comments

sync-by-unito bot commented Mar 2, 2022

https://github.com/liquibase/liquibase/pull/2558

┆Issue is synchronized with this Jira Story by Unito

@sync-by-unito sync-by-unito bot added community documentation Improvements or additions to documentation labels Mar 2, 2022

sync-by-unito bot commented Mar 7, 2022

➤ karen.a.taggart commented:

question from Adrian Velonis

Hi Karen, can you clarify what docs needs to do for this ticket "[XSDLookUp] Updated entity resolver to not fallback to network lookup when xsd is not found"?
https://datical.atlassian.net/browse/PD-2497
Do I just have to update the header of our XML changelogs to this?


sync-by-unito bot commented Mar 7, 2022

➤ karen.a.taggart commented:

Nathan Voxland, can you take a look at this and help out Adrian Velonis? I have to admit I am not following how the PR changed the end user experience and how that should be reflected in the user docs.

Feel free of course to just submit a docs PR with your draft. If you do that, please just let me know and I will close this ticket.

Thanks!

KT


sync-by-unito bot commented Mar 7, 2022

➤ Nathan Voxland commented:

We don’t have to change any of our headers or anything.

What changed is that if a user is referencing an XSD other than one of ours, Liquibase will no longer automatically download the XSD from the internet and use it.

Instead, they will get an error of Unable to resolve xml entity locally: liquibase.secureParsing is set to 'true' which does not allow remote lookups. Set it to 'false' to allow remote lookups of xsd files.

Their options are either:

  1. Set liquibase.secureParsing=false however they want (properties file, CLI argument, env variable, etc.)
  2. Add it to a jar in Liquibase’s classpath under the path /.
    1. For example, if the XSD’s path is https://example.com/internal/changelog.xsd it should be stored in a jar in the path /example.com/internal/changelog.xsd

So normal Liquibase usage isn’t impacted. It’s only people who are using custom or extension XSDs which aren’t already included in their local jars.
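
A preflight check for option 2 above, as an added example that is not part of the original thread or Liquibase's own code: it lists the XSD URLs a changelog references and reports which ones are absent from the supplied jars, using the URL-to-jar-path mapping described in the comment above. The function names, the sample changelog and the in-memory jar are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSI_LOC = "{http://www.w3.org/2001/XMLSchema-instance}schemaLocation"

def schema_urls(changelog_xml):
    """Return every XSD location named in xsi:schemaLocation attributes."""
    # ElementTree does not fetch schemas or external entities itself.
    urls = []
    for elem in ET.fromstring(changelog_xml).iter():
        tokens = elem.get(XSI_LOC, "").split()
        urls.extend(tokens[1::2])  # tokens are namespace/location pairs
    return urls

def jar_entry_for(url):
    """Map an XSD URL to the jar entry described in the thread: host + path."""
    parts = urlparse(url)
    # Zip entry names carry no leading slash. Keeping a port in the
    # host part is an assumption; the thread only shows a plain host.
    return (parts.netloc + parts.path).lstrip("/")

def unresolved_locally(changelog_xml, jars):
    """List schema URLs that none of the jars (paths or file objects) contain."""
    entries = set()
    for jar in jars:
        with zipfile.ZipFile(jar) as zf:
            entries.update(zf.namelist())
    return [u for u in schema_urls(changelog_xml)
            if jar_entry_for(u) not in entries]

# Constructed sample changelog header referencing two custom XSDs.
SAMPLE_CHANGELOG = """<databaseChangeLog
    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="https://example.com/ns/internal https://example.com/internal/changelog.xsd
                        https://example.com/ns/other https://example.com/other/missing.xsd"/>"""

def sample_jar():
    """Build an in-memory jar holding only the first XSD (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example.com/internal/changelog.xsd", "<xs:schema/>")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for url in unresolved_locally(SAMPLE_CHANGELOG, [sample_jar()]):
        print("not in any jar; bundle it or set secureParsing=false:", url)
```

Pass every jar on Liquibase's classpath, including the Liquibase jar itself, so that bundled XSDs are not reported as missing.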


sync-by-unito bot commented Mar 7, 2022

➤ Erzsebet Carmean commented:

Nataliya Melnyk, hello -

This change prevents Liquibase from looking on the internet for missing XSD files referenced in a changelog. This is useful when there is no internet connection from the database or if there is an outage on the Liquibase site hosting the XSDs. This change is also more secure, as it leverages the FEATURE_SECURE_PROCESSING setting in the XML parser to limit the ability to “look anywhere” for files. This XML parser parameter is configured in Liquibase using the Liquibase SECURE_PROCESSING global parameter. The default for SECURE_PROCESSING is true, which stops Liquibase from looking on the internet for missing XSDs. The SECURE_PROCESSING can be disabled using any of the normal Liquibase configuration options.

Global Parameter : --secure-parsing=PARAM
See liquibase --help for details on how to use JAVA_OPTS, liquibase.properties file or environment variables to change the setting of liquibase.secure-parsing.

This comment in the PR has my test notes:
liquibase/liquibase#2558 (comment): https://github.com/liquibase/liquibase/pull/2558#issuecomment-1055596870

CC karen.a.taggart


sync-by-unito bot commented Mar 7, 2022

➤ karen.a.taggart commented:

Adrian Velonis, see below from Erzsebet Carmean and Nathan Voxland. Thanks!

@sync-by-unito sync-by-unito bot closed this as completed Mar 9, 2022

sync-by-unito bot commented Mar 9, 2022
