Improve NETCONF session correctness, XML hardening, and compatibility docs #83
ydnath merged 8 commits into Juniper:master from
Configure secure XML parser settings for device sessions and parsed NETCONF elements to disable external entities, DTD loading, and external schema access. Also reject DOCTYPE declarations in rpc-reply parsing and cover the behavior with a focused reply parsing test.
Switch session framing based on the peer hello, decode chunked NETCONF 1.1 replies, and return framed payloads from streaming RPC reads instead of raw transport markers. Also preserve caller-supplied rpc message-ids, generate missing message-ids for raw rpc envelopes, validate rpc-reply correlation, and ensure commitThisConfiguration always unlocks the candidate datastore on failure.
Make XML.addPath build each segment under the previously created node instead of attaching every segment directly to the original active element. Add a regression test for multi-segment paths so nested hierarchies are preserved correctly.
- clean up partial SSH state when NETCONF session creation fails
- connect and release exec channels deterministically
- enforce commandTimeout for shell helper reads
- document the recommended Device lifecycle in the README

- verify back-to-back executeRPC calls stay aligned with NETCONF 1.0 framing
- verify back-to-back executeRPC calls stay aligned with NETCONF 1.1 chunked framing
- document the issue scope as sequential session reuse rather than concurrent RPC support

- clarify that a NetconfSession is intended for sequential RPC use
- state that concurrent in-flight RPCs on the same session are not guaranteed safe
- recommend separate sessions when applications need concurrency

Add a maintainer-facing compatibility matrix covering NETCONF RFC support, capability caveats, NMDA coverage, notifications gaps, and Junos-specific helpers. Also align Maven and Gradle on assertj-core 3.27.7 to address CVE-2026-24400 in AssertJ's XML pretty-printing path while keeping the existing XMLUnit-based test style. Bump version to 2.2.1.0
Teach sessions to negotiate the shared NETCONF base capability and gate operations against what the server actually advertises. Add structured RpcErrorException and ValidateException flows, harden rpc-error parsing for namespaced replies, and update commit/load/validate behavior to preserve server detail. Back the change with unit and integration coverage, Javadocs for the new public API, and a sanitized integration runner/docs path story.
Issue coverage note for reviewers: This PR appears to address the following existing issues: Fully addresses #81 by negotiating the shared NETCONF base capability instead of assuming NETCONF 1.1, which restores proper NETCONF 1.0 behavior when that is the common denominator.

Also, I purposely did not squash commits. Each one is meant to contain specific fixes. Or a smaller focused set of fixes.
Summary
This PR improves protocol correctness, parser safety, session cleanup, and developer-facing documentation in netconf-java without introducing a broad API rewrite.
The focus is on making the existing client more robust under real production failure modes while keeping the current JSch-based transport model intact.
What changed
Hardened NETCONF XML parsing against XXE / DTD-based attacks
Fixed NETCONF session framing and reply correlation
- message-id on outbound RPCs
- message-id on inbound rpc-reply
Fixed session/resource cleanup during connection failures
- connect()
Fixed shell exec helper correctness
Fixed nested XML path construction
Clarified session concurrency expectations
- NetconfSession is intended for sequential RPC use
Added compatibility documentation
- docs/compatibility.md
Updated test dependency for security
- assertj-core to 3.27.7 to address CVE-2026-24400
- shared NETCONF base-capability negotiation with framing derived from the negotiated base
- capability-gated candidate, validate, and confirmed-commit operations
- Device.getNegotiatedCapabilities() and NetconfSession.getNegotiatedCapabilities()
- structured RpcErrorException / ValidateException handling, including namespaced rpc-error parsing
- sanitized integration runner/docs path cleanup
Bumped project version to 2.2.1.0
Verification
Notes / non-goals
This PR improves RFC 6241 / 6242 behavior materially, but it does not claim full standards compliance yet.
Known follow-up areas include: