[XSDLookUp] Updated entity resolver to not fallback to network lookup when xsd is not found #2558
Conversation
Thanks for submitting this. We are taking a look. Appreciate the PR and description.
@kataggart
That's a good question @kavya-shastri -- let me reach out to someone on this end with a deeper knowledge and get you an answer. Also, if you aren't already aware of Liquibase Forum, you might want to go over there and post the question. Some experts hang out there and are always answering questions.
ha @kavya-shastri ignore my suggestion to go to the Forum! I just saw you already posted there! https://forum.liquibase.org/t/urgent-changelog-xsd-lookup/6432/3 :) Working to get you an answer.
For controlling whether to enable or disable this behavior, I think the best spot is to use the new With 4.8.0, we added that, which allows us to be more secure by default in our XML parsing but let people disable that when they need. For that feature, we still had to allow http/https lookup for XSD or it broke the liquibase XSD references even though they are actually local. But your check inside the EntityResolver is a good solution to still allow the local XSDs to work while blocking potentially insecure XSD lookups. Could you update the PR, @kavya-shastri, to use that setting instead of the new flag you introduced? And update the error message to be more descriptive about how it will only use locally packaged copies of XSDs unless liquibase.secureParsing is set to false?
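The resolver behaviour discussed above (serve bundled XSDs from the local classpath, and with secure parsing on refuse to let the parser fall back to fetching a missing XSD over the network) as an added, self-contained example. This is not Liquibase's own `EntityResolver` code; the class name, the assumed "strip the scheme" mapping from XSD URL to local resource path, the `localLookup` hook, and the minimal constructed schema in `LOCAL_STORE` are all assumptions made for the example. It wires the resolver into a validating JAXP/SAX parser the same way a changelog parser would, and parses a constructed changelog that references the non-existent `dbchangelog-5.0.xsd`, as in the PR's test:

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.function.Function;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/** Serves XSDs from a local store only; with secure parsing on, a missing XSD is an error, never a download. */
public final class LocalOnlyEntityResolver implements EntityResolver {
    private final Function<String, InputStream> localLookup; // e.g. classLoader::getResourceAsStream in real use
    private final boolean secureParsing;                     // stands in for liquibase.secureParsing (assumption)

    public LocalOnlyEntityResolver(Function<String, InputStream> localLookup, boolean secureParsing) {
        this.localLookup = localLookup;
        this.secureParsing = secureParsing;
    }

    /** Assumed layout: drop the scheme, so ".../dbchangelog-4.8.xsd" is looked up under "www.liquibase.org/...". */
    static String toLocalPath(String systemId) {
        return systemId.replaceFirst("^https?://", "");
    }

    @Override
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
        if (systemId == null) {
            return null;
        }
        InputStream local = localLookup.apply(toLocalPath(systemId));
        if (local != null) {
            InputSource source = new InputSource(local);
            source.setSystemId(systemId);
            return source; // bundled copy found: the parser never touches the network
        }
        if (secureParsing) {
            throw new SAXException("Unable to resolve XML entity " + systemId + ": no locally packaged copy found. "
                    + "Only local XSDs are used while liquibase.secureParsing is true; set it to false to allow network lookup.");
        }
        return null; // null hands systemId back to the parser, which opens the URL itself (the network fallback)
    }

    // ---- demo with constructed inputs ----

    static final String NS = "http://www.liquibase.org/xml/ns/dbchangelog";
    static final String XSD_48 = NS + "/dbchangelog-4.8.xsd";
    static final String XSD_50 = NS + "/dbchangelog-5.0.xsd"; // does not exist, as in the PR's test

    /** Constructed stand-in for a bundled schema: a minimal XSD that accepts a databaseChangeLog element. */
    static final Map<String, String> LOCAL_STORE = Map.of(toLocalPath(XSD_48),
            "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" targetNamespace=\"" + NS + "\""
            + " elementFormDefault=\"qualified\"><xs:element name=\"databaseChangeLog\"/></xs:schema>");

    static InputStream fromStore(String path) {
        String xsd = LOCAL_STORE.get(path);
        return xsd == null ? null : new ByteArrayInputStream(xsd.getBytes(StandardCharsets.UTF_8));
    }

    /** Constructed changelog whose xsi:schemaLocation points at the given XSD URL. */
    static String changelogReferencing(String xsdUrl) {
        return "<databaseChangeLog xmlns=\"" + NS + "\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
                + " xsi:schemaLocation=\"" + NS + " " + xsdUrl + "\"/>";
    }

    /** Validating SAX parse with XML Schema enabled, so schema locations go through our resolver. */
    static void parse(String changelog, EntityResolver resolver) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setValidating(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        SAXParser parser = factory.newSAXParser();
        parser.setProperty("http://java.sun.com/xml/jaxp/properties/schemaLanguage", XMLConstants.W3C_XML_SCHEMA_NS_URI);
        XMLReader reader = parser.getXMLReader(); // use the reader directly so parse() does not replace our resolver
        reader.setEntityResolver(resolver);
        reader.setErrorHandler(new DefaultHandler() {
            @Override public void error(SAXParseException e) throws SAXException { throw e; } // fail on validation errors
        });
        reader.parse(new InputSource(new ByteArrayInputStream(changelog.getBytes(StandardCharsets.UTF_8))));
    }

    public static void main(String[] args) throws Exception {
        EntityResolver secure = new LocalOnlyEntityResolver(LocalOnlyEntityResolver::fromStore, true);
        parse(changelogReferencing(XSD_48), secure); // local copy found: parses and validates offline
        System.out.println("4.8 schema served from the local store");
        try {
            parse(changelogReferencing(XSD_50), secure); // no local copy: rejected instead of downloaded
        } catch (SAXException e) {
            System.out.println("5.0 schema rejected: " + e.getMessage());
        }
        EntityResolver permissive = new LocalOnlyEntityResolver(LocalOnlyEntityResolver::fromStore, false);
        // With secure parsing off the resolver stays silent (null), and the parser would fetch the URL itself.
        System.out.println("permissive resolver returns " + permissive.resolveEntity(null, XSD_50));
    }
}
```

The design point is where the decision lives: the resolver, not the parser, decides what a missing XSD means, so an outage of the host that serves the schema cannot become a deployment outage when secure parsing is on, while an operator who really needs the old behaviour can still opt out with one setting. The `permissive` case only calls the resolver directly, because actually parsing with it would reach for the network.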
c4277f1 to 1c063b2
@nvoxland
1c063b2 to 61a1936
… when xsd is not found
61a1936 to 3e9dbdd
@kataggart
@kavya-shastri It's in our queue for code review; thanks!
…quibase into kavya-shastri-XSDLookUpUpdate
Thanks @kavya-shastri, it looks good. I just updated the error message slightly. The changelog I used for testing looked like this:
With --secure-parsing=true, I get the error message. With it false, I get an expected "File not found" error since that's not at example.com.
PR 2384 enabled the Liquibase global configuration for SECURE_PROCESSING by default during XML parsing. This PR extends usage of that global configuration to prevent the entity resolver from falling back to looking on the network for missing XSDs. The default for SECURE_PROCESSING is true, but can be overridden in any of the Liquibase configuration locations.
Global Parameter:
I tested the first three cases by setting the dbchangelog.xsd to version 5.0, which does not exist.
I tested this case with an XML changelog containing:
I tested this case with an XML changelog containing:
Description
Steps To Reproduce
while using the 3.6 version of liquibase jar.
This mismatch was causing our application to do a network lookup every time during deployment. This scenario worked well until there was a liquibase outage which ultimately caused a downtime for our application as well.
Actual Behavior
Liquibase falls back to network lookup if the xsd file is not found locally or with the bundled liquibase jar.
Expected/Desired Behavior
The fallback to the network lookup should be controlled by a flag which controls the network lookup for the xsd file.
The latter scenario is preferred since this will allow us to catch issues during the development stage.