You are browsing documentation for an outdated plugin version.
Configuration
This plugin is compatible with DB-less mode.
Compatible protocols
The XML Threat Protection plugin is compatible with the following protocols:
grpc
, grpcs
, http
, https
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
-
name or plugin
string requiredThe name of the plugin, in this case
xml-threat-protection
.- If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is
name
. - If using the KongPlugin object in Kubernetes, the field is
plugin
.
- If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is
-
instance_name
stringAn optional custom name to identify an instance of the plugin, for example
xml-threat-protection_my-service
.The instance name shows up in Kong Manager and in Konnect, so it's useful when running the same plugin in multiple contexts, for example, on multiple services. You can also use it to access a specific plugin instance via the Kong Admin API.
An instance name must be unique within the following context:
- Within a workspace for Kong Gateway Enterprise
- Within a control plane or control plane group for Konnect
- Globally for Kong Gateway (OSS)
-
service.name or service.id
stringThe name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level
/plugins
endpoint. Not required if using/services/{serviceName|Id}/plugins
. -
route.name or route.id
stringThe name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level
/plugins
endpoint. Not required if using/routes/{routeName|Id}/plugins
. -
consumer.name or consumer.id
stringThe name or ID of the consumer the plugin targets. Set one of these parameters if adding the plugin to a consumer through the top-level
/plugins
endpoint. Not required if using/consumers/{consumerName|Id}/plugins
. -
enabled
boolean default:true
Whether this plugin will be applied.
-
config
record required-
checked_content_types
set of typestring
required default:application/xml
A list of Content-Type values with payloads that must be validated.
-
allowed_content_types
set of typestring
requiredA list of Content-Type values with payloads that are allowed, but aren’t validated. For example, if the API also accepts JSON, you can add
"application/json"
.
-
allow_dtd
boolean required default:false
Indicates whether an XML Document Type Definition (DTD) section is allowed.
-
namespace_aware
boolean required default:true
If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.
-
max_depth
integer required default:50
Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.
-
max_children
integer required default:100
Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example,
text-cdata-text-cdata
is one child.
-
max_attributes
integer required default:100
Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.
-
max_namespaces
integer default:20
Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.
-
document
integer required default:10485760
Maximum size of the entire document.
-
buffer
integer required default:1048576
Maximum size of the unparsed buffer (see below).
-
comment
integer required default:1024
Maximum size of comments.
-
localname
integer required default:1024
Maximum size of the localname. This applies to tags and attributes. Note: If parsing isn’t namespace-aware, this limit counts against the full name (prefix + localname).
-
prefix
integer default:1024
Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.
-
namespaceuri
integer default:1024
Maximum size of the namespace URI. This value is required if parsing is namespace-aware.
-
attribute
integer required default:1048576
Maximum size of the attribute value.
-
text
integer required default:1048576
Maximum text inside tags (counted over all adjacent text/CDATA elements combined).
-
pitarget
integer required default:1024
Maximum size of processing instruction targets.
-
pidata
integer required default:1024
Maximum size of processing instruction data.
-
entityname
integer required default:1024
Maximum size of entity names in EntityDecl.
-
entity
integer required default:1024
Maximum size of entity values in EntityDecl.
-
entityproperty
integer required default:1024
Maximum size of systemId, publicId, or notationName in EntityDecl.
-
bla_max_amplification
number required default:100
Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.
-
bla_threshold
integer required default:8388608
Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.
-