{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "#/components/schemas/XmlThreatProtectionPluginConfig", "title": "XmlThreatProtectionPluginConfig", "x-speakeasy-entity": "PluginXmlThreatProtection", "properties": { "config": { "type": "object", "properties": { "allow_dtd": { "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", "type": "boolean", "default": false }, "allowed_content_types": { "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", "type": "array", "items": { "type": "string" }, "default": [] }, "attribute": { "description": "Maximum size of the attribute value.", "type": "integer", "default": 1048576 }, "bla_max_amplification": { "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack.", "type": "number", "default": 100, "minimum": 1 }, "bla_threshold": { "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", "type": "integer", "default": 8388608, "minimum": 1024 }, "buffer": { "description": "Maximum size of the unparsed buffer (see below).", "type": "integer", "default": 1048576 }, "checked_content_types": { "description": "A list of Content-Type values with payloads that must be validated.", "type": "array", "items": { "type": "string" }, "default": [ "application/xml" ] }, "comment": { "description": "Maximum size of comments.", "type": "integer", "default": 1024 }, "document": { "description": "Maximum size of the entire document.", "type": "integer", "default": 10485760 }, "entity": { "description": "Maximum size of entity values in EntityDecl.", "type": "integer", "default": 1024 }, "entityname": { "description": "Maximum size of entity names in EntityDecl.", "type": "integer", "default": 1024 }, "entityproperty": { "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", "type": "integer", "default": 1024 }, "localname": { "description": "Maximum size of the localname. This applies to tags and attributes.", "type": "integer", "default": 1024 }, "max_attributes": { "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", "type": "integer", "default": 100 }, "max_children": { "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", "type": "integer", "default": 100 }, "max_depth": { "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", "type": "integer", "default": 50 }, "max_namespaces": { "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", "type": "integer", "default": 20 }, "namespace_aware": { "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", "type": "boolean", "default": true }, "namespaceuri": { "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", "type": "integer", "default": 1024 }, "pidata": { "description": "Maximum size of processing instruction data.", "type": "integer", "default": 1024 }, "pitarget": { "description": "Maximum size of processing instruction targets.", "type": "integer", "default": 1024 }, "prefix": { "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", "type": "integer", "default": 1024 }, "text": { "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", "type": "integer", "default": 1048576 } } }, "consumer": { "description": "If set, the plugin will activate only for requests where the specified has been authenticated. (Note that some plugins can not be restricted to consumers this way.). Leave unset for the plugin to activate regardless of the authenticated Consumer.", "type": "object", "additionalProperties": false, "properties": { "id": { "type": "string" } } }, "name": { "const": "xml-threat-protection" }, "protocols": { "description": "A set of strings representing HTTP protocols.", "type": "array", "items": { "enum": [ "grpc", "grpcs", "http", "https" ], "type": "string" }, "format": "set", "default": [ "grpc", "grpcs", "http", "https" ] }, "route": { "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", "type": "object", "additionalProperties": false, "properties": { "id": { "type": "string" } } }, "service": { "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", "type": "object", "additionalProperties": false, "properties": { "id": { "type": "string" } } } } }