API Connect

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

View Only

Back to discussions

Expand all | Collapse all

What is the recommended way to handle XML Custom Entity Expansion in APIC ?

Mehedi mehediTue April 09, 2024 05:31 PM

Hello Folks, What is the recommended way to handle XML Custom Entity Expansion in APIC ? XML ...

Steve LinnWed April 10, 2024 05:23 PM

Hi Mehedi, API Connect uses a parse policy. In that policy you can select a default for the parse settings ...

1. What is the recommended way to handle XML Custom Entity Expansion in APIC ?

Like
Mehedi mehedi
Posted Tue April 09, 2024 05:31 PM

Reply
Hello Folks,

What is the recommended way to handle XML Custom Entity Expansion in APIC ?

XML message with Custom Entities can be constructed as shown , and cause CPU saturation and be the cause for a DOS(Denial of Service) attack

<!DOCTYPE foo [

<!ENTITY lol0 "lol ">

<!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">

<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">

<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>

On Datapower

XML Threat protection & XML Parser limits may be the way to go

https://www.ibm.com/docs/en/datapower-gateway/10.5.x?topic=wizard-configuring-xml-threat-protection

https://www.ibm.com/docs/en/datapower-gateway/10.5.x?topic=commands-xml-parser-limits

How can this be enable for requests to APIC ?

Thanks

Mehedi

------------------------------
Mehedi mehedi
------------------------------
2. RE: What is the recommended way to handle XML Custom Entity Expansion in APIC ?

Like
Steve Linn
Posted Wed April 10, 2024 05:23 PM

Reply
Hi Mehedi,
API Connect uses a parse policy. In that policy you can select a default for the parse settings that uses a DataPower object named apic-default-parsesetttings, or you can specify your own parser limits for that parse policy itself. The parsing limits for XML will provide the billion laughs protection as was done with these same limits in the other service's XML Manager.

Regards,

Steve

------------------------------
Steve Linn
Senior Consulting I/T Specialist
IBM
------------------------------

Original Message

API Connect

API Connect

What is the recommended way to handle XML Custom Entity Expansion in APIC ?

Mehedi mehediTue April 09, 2024 05:31 PM

Steve LinnWed April 10, 2024 05:23 PM

1. What is the recommended way to handle XML Custom Entity Expansion in APIC ?

2. RE: What is the recommended way to handle XML Custom Entity Expansion in APIC ?

Additional
Resources

Office

Quick Links

API Connect

API Connect

What is the recommended way to handle XML Custom Entity Expansion in APIC ?

Mehedi mehediTue April 09, 2024 05:31 PM

Steve LinnWed April 10, 2024 05:23 PM

1. What is the recommended way to handle XML Custom Entity Expansion in APIC ?

2. RE: What is the recommended way to handle XML Custom Entity Expansion in APIC ?

Related Content

XML Parse Error

Recipe: API Connect v5: User-Defined Policy Cookbook (Custom Policy)

application/xhtml+xml parsing issue

Quick Answer: How does an APIM Developer see latency times for specific Assembly Policies?

IBM APIC Connect: Customizing Analytics Event Data

Additional Resources

Office

Quick Links

Additional
Resources