resteasy XXE vulnerability
by Wang Veronica
Hi experts,
We use resteasy 3.0.6.Final, and an XXE vulnerability was reported during a penetration test.
It seems that 3.0.6.Final contains a partial fix for the XXE vulnerability, but the resteasy.document.expand.entity.references parameter needs to be set to false explicitly. A more complete fix seems to have been done after 3.0.10.
We can upgrade to a more recent version, e.g. 3.1.2. Another option I am thinking of is not to support the XML media type (we actually need to support JSON only). Is this a feasible approach to ultimately avoid XXE attacks, and are there any pointers on how to achieve this? (In our REST API code, we currently declare @Consumes and @Produces annotations to support application/xml and application/json.)
Is there a simple resteasy configuration to disable support for application/xml?
Thanks, Veronica
1 year, 3 months
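As an added illustration of the two mitigations discussed in the question (this is example code written for this page, not code from the thread or from the RESTEasy project): a hypothetical resource whose @Consumes/@Produces lists only application/json, so RESTEasy never routes an XML body to an XML MessageBodyReader for it and an application/xml request is refused with 415, plus the JAXP equivalent of expand.entity.references=false for any XML the application still parses on its own. The resource name, the Order type and the sample documents are all constructed for the example. On the 3.0.x line the thread's resteasy.document.expand.entity.references context parameter can additionally be set to false in web.xml.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

// Hypothetical resource (constructed for this example). Before, the annotations listed
// both APPLICATION_JSON and APPLICATION_XML; with JSON alone, the JAX-RS runtime rejects
// an XML request up front instead of handing it to an XML-unmarshalling provider.
@Path("/orders")
public class OrdersResource {

    public static final class Order {
        public String id;
        public int quantity;
    }

    @POST
    @Consumes(MediaType.APPLICATION_JSON)   // previously {APPLICATION_JSON, APPLICATION_XML}
    @Produces(MediaType.APPLICATION_JSON)
    public Order create(Order order) {
        return order;
    }

    // For XML the application parses itself (outside JAX-RS): no entity expansion,
    // no external entities, and no DOCTYPE at all, which removes the XXE vector.
    public static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true when the hardened parser refuses the document (e.g. because it carries a DOCTYPE).
    public static boolean rejectsDocument(String xml) throws Exception {
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one document declares an internal entity via a DOCTYPE, one has no DTD.
        String withDtd = "<?xml version=\"1.0\"?><!DOCTYPE order [<!ENTITY e \"x\">]><order>&e;</order>";
        String plain = "<order><id>42</id></order>";
        System.out.println("DTD document rejected: " + rejectsDocument(withDtd));
        System.out.println("plain document rejected: " + rejectsDocument(plain));
    }
}
```

Removing application/xml from the annotations is a per-resource change; if the application registers a JAXB provider globally, any endpoint that still lists XML keeps the old exposure, so both the annotations and the parser settings are worth checking.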
Resteasy client defines servlet
by Leonid Rozenblyum
Hello.
Recently, due to an update of resteasy-client from 3.0.1.Final to 3.6.3.Final, we faced failures to process our Spring MVC controller at the '/' path.
After some debugging I found out the reason:
1) resteasy-client transitively depends on resteasy-jaxrs
2) resteasy-jaxrs (at least since 3.0.20.Final; see commit
https://github.com/resteasy/Resteasy/commit/840cb666c8e89767e9c9821eb173b...
) registers org.jboss.resteasy.plugins.server.servlet.HttpServlet30Dispatcher as a servlet with value = ''
Is it expected behaviour that a *client* dependency registers a servlet?
Are there any ways to disable it?
Thanks for advice!
1 year, 3 months
Selecting MessageBodyWriter seems to ignore priority given a specific type match
by Steven Schlansker
Hi Resteasy users, [ apologies for the re-post, sent from wrong email the first time ]
I'm a happy user of Resteasy + Jackson for Json processing.
Recently, I had the misfortune of attempting to serialize a basic String:
client.post(Entity.json("Test"));
if you call Jackson directly, it does the right thing:
mapper.writeValueAsString("Test") => "\"Test\""
However, much to my surprise, when sending it via the JAX-RS client, it is written as a bare word without quotes -- and is rejected server-side.
After some debugging, I realized that both StringTextStar and JacksonJsonProvider were ending up with Priorities.USER and being seen as equivalent.
No good! So I changed my registration:
context.register(new JacksonJsonProvider(myMapper), Integer.MAX_VALUE);
I then proceeded to triumphantly ... observe the same test failure as before!
I dug quite a bit further in, and it seems that the selection process in MediaTypeMap$TypedEntryComparator has the unfortunate property that it will select (via compareTypes) a *lower priority* MessageBodyWriter if the type is a tighter bound on the Entity.
So in my case, I get
StringTextStar -> String.class@5000
JacksonJsonProvider -> Object.class@Integer.MAX_VALUE
and the TypedEntryComparator selects StringTextStar since String is assignable to Object, despite my attempt at an ultimate priority registration.
How do I fix this? Preferably without removing StringTextStar entirely, as I'm sure that will break something else (reading error messages perhaps).
Thanks for any advice,
Steven
1 year, 3 months
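One way to work with the selection behaviour described in the post rather than against it, as an added example that is not part of the thread and not RESTEasy's own code: a writer bound to String.class (as tight a type match as StringTextStar) but declared for the narrower media type application/json. I assume here that RESTEasy's MediaTypeMap ranks an exact media-type match above the */* of StringTextStar before it compares types, so for Entity.json("Test") this writer is chosen and the string is emitted JSON-quoted, as the mapper.writeValueAsString result in the post. The class name JsonStringWriter is hypothetical.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.MessageBodyWriter;
import javax.ws.rs.ext.Provider;
import com.fasterxml.jackson.databind.ObjectMapper;

// Hypothetical provider: same entity type as StringTextStar (String), narrower media type
// (application/json instead of */*), so it wins on media type for JSON entities and leaves
// StringTextStar in place for text/plain and other non-JSON content.
@Provider
@Produces(MediaType.APPLICATION_JSON)
public class JsonStringWriter implements MessageBodyWriter<String> {
    private final ObjectMapper mapper;

    public JsonStringWriter() { this(new ObjectMapper()); }
    public JsonStringWriter(ObjectMapper mapper) { this.mapper = mapper; }

    @Override
    public boolean isWriteable(Class<?> type, Type genericType, Annotation[] annotations, MediaType mediaType) {
        // Only claim plain String entities that are being sent as JSON.
        return String.class == type && MediaType.APPLICATION_JSON_TYPE.isCompatible(mediaType);
    }

    @Override
    public void writeTo(String value, Class<?> type, Type genericType, Annotation[] annotations,
                        MediaType mediaType, MultivaluedMap<String, Object> httpHeaders,
                        OutputStream entityStream) throws IOException, WebApplicationException {
        // Jackson quotes and escapes the value, so "Test" goes on the wire as "\"Test\"".
        entityStream.write(mapper.writeValueAsBytes(value));
    }

    // Stand-alone view of the encoding this writer produces, usable without a JAX-RS runtime.
    public static String encode(String value) throws IOException {
        return new ObjectMapper().writeValueAsString(value);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(encode("Test"));
        System.out.println(encode("quote \" inside"));
        // Registration with the client from the post: client.register(new JsonStringWriter(myMapper));
    }
}
```

Registering this writer does not remove StringTextStar, which the post wants to keep for error bodies and other text content; it only takes over the (String, application/json) combination.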
resteasy spring project example
by Onder SEZGIN
hi,
I can see in the repo there are examples, but I could not run any of them without problems.
Is there any guide that I can follow to run an example of resteasy + Spring integration?
Thanks
5 years
Resteasy client as Eclipse RCP plugin
by Christian Pontesegger
Hi,
I tried to build a simple REST client with resteasy 4.4.0:
import java.net.URI;
import java.net.URISyntaxException;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget;
import org.jboss.resteasy.client.jaxrs.internal.ResteasyClientBuilderImpl;

@Path("/v2/store")
public interface IStoreService {
    @GET
    @Path("inventory")
    @Produces(MediaType.APPLICATION_JSON)
    Response getInventory();
}

public class ServiceTest {
    public static IStoreService createStoreService() throws URISyntaxException {
        ResteasyClient client = new ResteasyClientBuilderImpl().build();
        ResteasyWebTarget target = client.target(new URI("https://petstore.swagger.io/"));
        return target.proxy(IStoreService.class);
    }

    public static Response test() throws URISyntaxException {
        IStoreService storeService = createStoreService();
        return storeService.getInventory();
    }
}
Works nicely as a standalone Java project. But once I try to push this to an Eclipse plugin project for RCP, things start to fail. I put everything into a single plugin, packing all resteasy jars into the plugin to have them available using the same plugin classloader.
Still ServiceTest.test() fails, throwing an exception (see below).
Anyone ever tried to do such a thing? What am I missing?
thanks
Christian
Exception:
Java Stacktrace:
java.lang.RuntimeException: java.lang.RuntimeException: RESTEASY003940: Unable to instantiate MessageBodyReader
    at org.jboss.resteasy.plugins.providers.RegisterBuiltin.register(RegisterBuiltin.java:88)
    at org.jboss.resteasy.plugins.providers.RegisterBuiltin.getClientInitializedResteasyProviderFactory(RegisterBuiltin.java:64)
    at org.jboss.resteasy.client.jaxrs.internal.ResteasyClientBuilderImpl.getProviderFactory(ResteasyClientBuilderImpl.java:354)
    at org.jboss.resteasy.client.jaxrs.internal.ResteasyClientBuilderImpl.build(ResteasyClientBuilderImpl.java:367)
    at com.codeandme.restclient.resteasy.ServiceFactory.createStoreService(ServiceFactory.java:16)
    at com.codeandme.restclient.resteasy.ServiceFactory.test(ServiceFactory.java:22)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
    at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
    at org.mozilla.javascript.optimizer.OptRuntime.callProp0(OptRuntime.java:85)
    at org.mozilla.javascript.gen.c_5._c_script_0(Unknown Source)
    at org.mozilla.javascript.gen.c_5.call(Unknown Source)
    at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:405)
    at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3508)
    at org.mozilla.javascript.gen.c_5.call(Unknown Source)
    at org.mozilla.javascript.gen.c_5.exec(Unknown Source)
    at org.mozilla.javascript.Context.evaluateReader(Context.java:1293)
    at org.eclipse.ease.lang.javascript.rhino.RhinoScriptEngine.internalExecute(RhinoScriptEngine.java:219)
    at org.eclipse.ease.lang.javascript.rhino.RhinoScriptEngine.execute(RhinoScriptEngine.java:198)
    at org.eclipse.ease.AbstractScriptEngine.inject(AbstractScriptEngine.java:226)
    at org.eclipse.ease.AbstractScriptEngine.run(AbstractScriptEngine.java:277)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: java.lang.RuntimeException: RESTEASY003940: Unable to instantiate MessageBodyReader
    at org.jboss.resteasy.core.providerfactory.ClientHelper.processProviderContracts(ClientHelper.java:152)
    at org.jboss.resteasy.core.providerfactory.ResteasyProviderFactoryImpl.processProviderContracts(ResteasyProviderFactoryImpl.java:884)
    at org.jboss.resteasy.core.providerfactory.ResteasyProviderFactoryImpl.registerProvider(ResteasyProviderFactoryImpl.java:876)
    at org.jboss.resteasy.core.providerfactory.ResteasyProviderFactoryImpl.registerProvider(ResteasyProviderFactoryImpl.java:863)
    at org.jboss.resteasy.plugins.providers.RegisterBuiltin.registerProviders(RegisterBuiltin.java:172)
    at org.jboss.resteasy.plugins.providers.RegisterBuiltin.register(RegisterBuiltin.java:84)
    ... 24 more
Caused by: java.lang.RuntimeException: java.lang.ClassNotFoundException: org.glassfish.jersey.internal.RuntimeDelegateImpl cannot be found by javax.ws.rs_2.0.1.v201504171603
    at javax.ws.rs.ext.RuntimeDelegate.findDelegate(RuntimeDelegate.java:152)
    at javax.ws.rs.ext.RuntimeDelegate.getInstance(RuntimeDelegate.java:120)
    at javax.ws.rs.core.MediaType.valueOf(MediaType.java:179)
    at org.jboss.resteasy.core.providerfactory.ClientHelper.addMessageBodyReader(ClientHelper.java:449)
    at org.jboss.resteasy.core.providerfactory.ClientHelper.processProviderContracts(ClientHelper.java:146)
    ... 29 more
Caused by: java.lang.ClassNotFoundException: org.glassfish.jersey.internal.RuntimeDelegateImpl cannot be found by javax.ws.rs_2.0.1.v201504171603
    at org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:511)
    at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:422)
    at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:414)
    at org.eclipse.osgi.internal.loader.ModuleClassLoader.loadClass(ModuleClassLoader.java:153)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at javax.ws.rs.ext.FactoryFinder.newInstance(FactoryFinder.java:115)
    at javax.ws.rs.ext.FactoryFinder.find(FactoryFinder.java:225)
    at javax.ws.rs.ext.RuntimeDelegate.findDelegate(RuntimeDelegate.java:135)
    ... 33 more
5 years, 1 month
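The innermost cause in the trace is the javax.ws.rs bundle trying to load Jersey's org.glassfish.jersey.internal.RuntimeDelegateImpl as the default JAX-RS RuntimeDelegate the moment MediaType.valueOf() runs during provider registration. As an added example that is not part of the thread and not RESTEasy's own code, the following variant of the posted ServiceTest installs RESTEasy's provider factory as the RuntimeDelegate up front and runs the client build with the plugin's classloader as the thread context classloader. Both steps are my assumptions about what the OSGi setup needs, not something the thread confirms; the class name OsgiServiceFactory is hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.RuntimeDelegate;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget;
import org.jboss.resteasy.client.jaxrs.internal.ResteasyClientBuilderImpl;
import org.jboss.resteasy.core.providerfactory.ResteasyProviderFactoryImpl;

// Hypothetical replacement for the posted ServiceTest, written for an Eclipse plugin that
// packs the RESTEasy jars itself.
public class OsgiServiceFactory {

    @Path("/v2/store")
    public interface IStoreService {
        @GET
        @Path("inventory")
        @Produces(MediaType.APPLICATION_JSON)
        Response getInventory();
    }

    private static boolean delegateInstalled;

    // Assumption: caching RESTEasy's factory as the RuntimeDelegate means RuntimeDelegate.getInstance()
    // returns it directly and never asks FactoryFinder to resolve the Jersey default that the
    // javax.ws.rs_2.0.1 bundle in the trace cannot see.
    public static synchronized void ensureRuntimeDelegate() {
        if (!delegateInstalled) {
            RuntimeDelegate.setInstance(new ResteasyProviderFactoryImpl());
            delegateInstalled = true;
        }
    }

    public static IStoreService createStoreService() throws URISyntaxException {
        ensureRuntimeDelegate();
        Thread current = Thread.currentThread();
        ClassLoader previous = current.getContextClassLoader();
        // Assumption: the plugin's bundle classloader sees the packed RESTEasy jars, so built-in
        // provider discovery (META-INF/services) during build() resolves against it rather than
        // against whatever loader the calling script engine happened to set.
        current.setContextClassLoader(OsgiServiceFactory.class.getClassLoader());
        try {
            ResteasyClient client = new ResteasyClientBuilderImpl().build();
            ResteasyWebTarget target = client.target(new URI("https://petstore.swagger.io/"));
            return target.proxy(IStoreService.class);
        } finally {
            // Always restore the previous loader so the fix does not leak into other plugin code.
            current.setContextClassLoader(previous);
        }
    }

    public static Response test() throws URISyntaxException {
        return createStoreService().getInventory();
    }
}
```

If the plugin is the only JAX-RS user in the RCP application this is sufficient; if another bundle also expects a RuntimeDelegate, setting it process-wide is a shared decision, and the better check is which bundle currently exports javax.ws.rs and whether it is the one that pins the Jersey default.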