Can I disable !include and !includeurl on PlantUML server?

asked Mar 29, 2019 in Question / help by bjj (180 points)

I host a PlantUML server. I am slightly concerned at the ability to include arbitrary URLs or files via the server (for example, if we were to allow access to PlantUML for external users).

I noticed that on the PlantUML demo server (http://plantuml.com/plantuml) the ability to !include random files is blocked. For example the image described below renders with the footer containing the literal string "!include /etc/passwd" on the demo server, but instead the footer contains the contents of /etc/passwd when rendered by my server. However, the image also includes standard library entries, so !include is not completely disabled.

@startuml
!include <aws/common>
!include <aws/Storage/AmazonS3/AmazonS3>
!include <aws/Storage/AmazonS3/bucket/bucket>

AMAZONS3(s3_internal)
AMAZONS3(s3_partner,"Vendor's S3")
s3_internal <- s3_partner
footer
!include /etc/passwd
endfooter
@enduml

What I would like to know is - is it possible for me to disable !include of random files in my own PlantUML server? And if so, how? I am running the server version 1.2019.1.

Thanks to anyone who can help!

Your answer

Your name to display (optional):

Email me at this address if my answer is selected or commented on:

Privacy: Your email address will only be used for sending these notifications.

Anti-spam verification:

Please complete the anti-spam verification

[Antispam2 Feature: please please wait 1 or 2 minutes (this message will disappear) before pressing the button otherwise it will fail](--------)

To avoid this verification in future, please log in or register.

1 Answer

answered Mar 29, 2019 by plantuml (295,000 points)

Your comment on this answer: