As a metaschema-node user reading in complex metaschemas, I may need to rely on BASIC processing of XML entities to load shared resources such as constraints shared between models.
OSCAL's metaschema definitions are an example of this. oscal_implementation-common_metaschema.xml for example has the following `DOCTYPE tag:
<!DOCTYPE METASCHEMA [
<!ENTITY allowed-values-responsible-roles-operations SYSTEM "./shared-constraints/allowed-values-responsible-roles-operations.ent">
<!ENTITY allowed-values-responsible-roles-component-production SYSTEM "./shared-constraints/allowed-values-responsible-roles-component-production.ent">
<!ENTITY allowed-values-property-name-asset-type-values SYSTEM "./shared-constraints/allowed-values-property-name-asset-type-values.ent">
<!ENTITY allowed-values-component_component_property-name SYSTEM "./shared-constraints/allowed-values-component_component_property-name.ent">
<!ENTITY allowed-values-component_component_software SYSTEM "./shared-constraints/allowed-values-component_component_software.ent">
<!ENTITY allowed-values-component_component_service SYSTEM "./shared-constraints/allowed-values-component_component_service.ent">
<!ENTITY allowed-values-component_inventory-item_property-name SYSTEM "./shared-constraints/allowed-values-component_inventory-item_property-name.ent">
<!ENTITY allowed-values-component_component_link-rel SYSTEM "./shared-constraints/allowed-values-component_component_link-rel.ent">
<!ENTITY allowed-values-component-type SYSTEM "./shared-constraints/allowed-values-component-type.ent">
]>
Goals:
[ ] A convenience function capable of reading in a raw XML document and extracting all entities.
[ ] Using the ResourceResolver construct, the corresponding .ent files can be resolved to their string values.
[ ] All instances of the entity are replaced with the resolved .ent file value using string replacement.
[ ] Write a small threat model that addresses concerns around:
resolving entities using content from arbitrary remote URLs
HTTP client and regex exploits resulting from injected code
etc.
[ ] Address threat model and the following security constraints
[ ] Only resolve to local filesystem
[ ] Only allow URLs for a specific base URI
[ ] Protection against "rogue" entities from being considered valid
Dependencies:
19
Acceptance Criteria
[ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
[ ] The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
User Story:
As a
metaschema-node
user reading in complex metaschemas, I may need to rely on BASIC processing of XML entities to load shared resources such as constraints shared between models.OSCAL's metaschema definitions are an example of this.
oscal_implementation-common_metaschema.xml
for example has the following `DOCTYPE tag:Goals:
ResourceResolver
construct, the corresponding.ent
files can be resolved to their string values..ent
file value using string replacement.Dependencies:
19
Acceptance Criteria