Skip to content
|
Plugin Hub
github-edit-pageEdit this page
report-issueReport an issue
header icon

XML Threat Protection Configuration

By Kong Inc.
You are browsing unreleased documentation.

Configuration

This plugin is compatible with DB-less mode.

Compatible protocols

The XML Threat Protection plugin is compatible with the following protocols:

grpc, grpcs, http, https

Parameters

Here's a list of all the parameters which can be used in this plugin's configuration:

  • name or plugin

    string required

    The name of the plugin, in this case xml-threat-protection.

    • If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is name.
    • If using the KongPlugin object in Kubernetes, the field is plugin.

  • instance_name

    string

    An optional custom name to identify an instance of the plugin, for example xml-threat-protection_my-service.

    The instance name shows up in Kong Manager and in Konnect, so it's useful when running the same plugin in multiple contexts, for example, on multiple services. You can also use it to access a specific plugin instance via the Kong Admin API.

    An instance name must be unique within the following context:

    • Within a workspace for Kong Gateway Enterprise
    • Within a control plane or control plane group for Konnect
    • Globally for Kong Gateway (OSS)

  • service.name or service.id

    string

    The name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level /plugins endpoint. Not required if using /services/{serviceName|Id}/plugins.

  • route.name or route.id

    string

    The name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level /plugins endpoint. Not required if using /routes/{routeName|Id}/plugins.

  • consumer.name or consumer.id

    string

    The name or ID of the consumer the plugin targets. Set one of these parameters if adding the plugin to a consumer through the top-level /plugins endpoint. Not required if using /consumers/{consumerName|Id}/plugins.

  • enabled

    boolean default: true

    Whether this plugin will be applied.

  • config

    record required

    • checked_content_types

      set of type string required default: application/xml

      A list of Content-Type values with payloads that must be validated.

    • allowed_content_types

      set of type string required

      A list of Content-Type values with payloads that are allowed, but aren’t validated.

    • allow_dtd

      boolean required default: false

      Indicates whether an XML Document Type Definition (DTD) section is allowed.

    • namespace_aware

      boolean required default: true

      If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.

    • max_depth

      integer required default: 50

      Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.

    • max_children

      integer required default: 100

      Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.

    • max_attributes

      integer required default: 100

      Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.

    • max_namespaces

      integer default: 20

      Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.

    • document

      integer required default: 10485760

      Maximum size of the entire document.

    • buffer

      integer required default: 1048576

      Maximum size of the unparsed buffer (see below).

    • comment

      integer required default: 1024

      Maximum size of comments.

    • localname

      integer required default: 1024

      Maximum size of the localname. This applies to tags and attributes.

    • prefix

      integer default: 1024

      Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.

    • namespaceuri

      integer default: 1024

      Maximum size of the namespace URI. This value is required if parsing is namespace-aware.

    • attribute

      integer required default: 1048576

      Maximum size of the attribute value.

    • text

      integer required default: 1048576

      Maximum text inside tags (counted over all adjacent text/CDATA elements combined).

    • pitarget

      integer required default: 1024

      Maximum size of processing instruction targets.

    • pidata

      integer required default: 1024

      Maximum size of processing instruction data.

    • entityname

      integer required default: 1024

      Maximum size of entity names in EntityDecl.

    • entity

      integer required default: 1024

      Maximum size of entity values in EntityDecl.

    • entityproperty

      integer required default: 1024

      Maximum size of systemId, publicId, or notationName in EntityDecl.

    • bla_max_amplification

      number required default: 100

      Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.

    • bla_threshold

      integer required default: 8388608

      Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.