Can I disable !include and !includeurl on PlantUML server?

0 votes
asked Mar 29 in Question / help by bjj (120 points)

I host a PlantUML server. I am slightly concerned at the ability to include arbitrary URLs or files via the server (for example, if we were to allow access to PlantUML for external users).

I noticed that on the PlantUML demo server (http://plantuml.com/plantuml) the ability to !include random files is blocked. For example, the image described below renders with the footer containing the literal string "!include /etc/passwd" on the demo server, but instead the footer contains the contents of /etc/passwd when rendered by my server. However, the image also includes standard library entries, so !include is not completely disabled.

@startuml
!include <aws/common>
!include <aws/Storage/AmazonS3/AmazonS3>
!include <aws/Storage/AmazonS3/bucket/bucket>

AMAZONS3(s3_internal)
AMAZONS3(s3_partner,"Vendor's S3")
s3_internal <- s3_partner
footer
!include /etc/passwd
endfooter
@enduml

What I would like to know is: is it possible for me to disable !include of random files in my own PlantUML server? And if so, how? I am running the server version 1.2019.1.

Thanks to anyone who can help!
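The distinction the question draws (standard-library includes written as `!include <name>` are acceptable, includes of arbitrary paths or URLs are not) can be checked on the decoded diagram source before it reaches the renderer. The following is an added example, not code from the question or from the PlantUML project; it assumes a front-end or proxy that already has the plain-text source in hand, and the URL-include sample is constructed here to exercise the `!includeurl` case.

```python
import re
from typing import List, Tuple

# Constructed sample: the diagram from the question, including the /etc/passwd footer include.
SAMPLE_SOURCE = """@startuml
!include <aws/common>
!include <aws/Storage/AmazonS3/AmazonS3>
!include <aws/Storage/AmazonS3/bucket/bucket>

AMAZONS3(s3_internal)
AMAZONS3(s3_partner,"Vendor's S3")
s3_internal <- s3_partner
footer
!include /etc/passwd
endfooter
@enduml
"""

# Any preprocessor include directive at the start of a line: !include, !includeurl,
# !includesub, !include_many, ... The preprocessor runs before diagram parsing, which is
# why the include inside the footer block in the question was still expanded.
INCLUDE_RE = re.compile(
    r"^[ \t]*(?P<directive>!include\w*)\b[ \t]*(?P<target>.*?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

def find_unsafe_includes(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, directive_text) for every include that is not a stdlib include.

    Only plain `!include <name>` (angle brackets) is allowed, since that form is resolved
    from PlantUML's bundled standard library rather than from the filesystem or network.
    Every other include target, and every `!includeurl`-style directive, is reported.
    """
    findings = []
    for m in INCLUDE_RE.finditer(source):
        directive = m.group("directive").lower()
        target = m.group("target")
        line_no = source.count("\n", 0, m.start()) + 1
        if directive == "!include" and target.startswith("<") and target.endswith(">"):
            continue  # standard-library include, allowed
        findings.append((line_no, m.group(0).strip()))
    return findings

def is_safe_to_render(source: str) -> bool:
    """True when the source contains no file or URL includes."""
    return not find_unsafe_includes(source)
```

Such a textual pre-filter is a defence-in-depth layer in front of the server, not a replacement for the server-side setting the answer below refers to; it only sees directives spelled out literally in the submitted source.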

1 Answer

0 votes
answered Mar 29 by plantuml (198,400 points)
In the last release (version 1.2019.4) we've just put the same setting as in the official online demo server.

It should solve this security issue.

Tell us if it's not working for you,

Thanks