I host a PlantUML server. I am slightly concerned at the ability to include arbitrary URLs or files via the server (for example, if we were to allow access to PlantUML for external users).
I noticed that on the PlantUML demo server (http://plantuml.com/plantuml) the ability to !include random files is blocked. For example the image described below renders with the footer containing the literal string "!include /etc/passwd" on the demo server, but instead the footer contains the contents of /etc/passwd when rendered by my server. However, the image also includes standard library entries, so !include is not completely disabled.
@startuml
!include <aws/common>
!include <aws/Storage/AmazonS3/AmazonS3>
!include <aws/Storage/AmazonS3/bucket/bucket>
AMAZONS3(s3_internal)
AMAZONS3(s3_partner,"Vendor's S3")
s3_internal <- s3_partner
footer
!include /etc/passwd
endfooter
@enduml
What I would like to know is - is it possible for me to disable !include of random files in my own PlantUML server? And if so, how? I am running the server version 1.2019.1.
Thanks to anyone who can help!