resteasy XXE vulnerability
by Wang Veronica
Hi experts,
We use resteasy 3.0.6final, and an XXE vulnerability was reported during a penetration test.
It seems that 3.0.6final contains a partial fix for the XXE vulnerability, but the resteasy.document.expand.entity.references parameter needs to be set to false explicitly. A more complete fix seems to have been done after 3.0.10.
We can upgrade to a more recent version, e.g. 3.1.2. Another option I am considering is not supporting the XML media type (we actually only need to support JSON). Is this a feasible approach to ultimately avoid XXE attacks, and are there any pointers on how to achieve this? (In our REST API code, we currently declare consume and produce annotations to support application/xml and application/json.)
Is there a simple resteasy configuration to disable support of application/xml?
Thanks, Veronica
1 year, 3 months
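An added illustration of the JSON-only approach asked about above (example code, not from the post or from the RESTEasy project): the resource declares only application/json, and a pre-matching filter refuses XML bodies for the whole application, so no XML reader is selected even if another resource still advertises application/xml. `OrdersResource` and `RejectXmlFilter` are assumed names; the `resteasy.document.expand.entity.references` switch from the post is shown as the servlet context parameter RESTEasy reads from web.xml.

```java
import java.util.Map;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Partial fix named in the post, set as a servlet context parameter in web.xml:
//   <context-param>
//     <param-name>resteasy.document.expand.entity.references</param-name>
//     <param-value>false</param-value>
//   </context-param>

// Before: @Consumes({"application/xml", "application/json"}) lets RESTEasy select an
// XML reader for XML bodies. After: JSON only, so an XML request is refused by
// media-type matching (415) and no XML parser is invoked for this resource.
@Path("/orders")                         // assumed resource; each class in its own file
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public class OrdersResource {
    @POST
    public Response create(Map<String, Object> order) {
        return Response.ok(order).build();
    }
}

// Defence in depth: refuse XML bodies application-wide before resource matching,
// so a forgotten @Consumes on some other class cannot reopen the XML path.
@Provider
@PreMatching
public class RejectXmlFilter implements ContainerRequestFilter {
    static boolean isXml(MediaType mt) {
        if (mt == null) return false;                       // no body / no Content-Type
        String sub = mt.getSubtype().toLowerCase();
        return sub.equals("xml") || sub.endsWith("+xml");   // text/xml, application/xml, */*+xml
    }
    @Override
    public void filter(ContainerRequestContext ctx) {
        if (isXml(ctx.getMediaType())) {
            ctx.abortWith(Response.status(Response.Status.UNSUPPORTED_MEDIA_TYPE)
                .type(MediaType.APPLICATION_JSON)
                .entity("{\"error\":\"XML bodies are not accepted\"}")
                .build());
        }
    }
}
```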
Selecting MessageBodyWriter seems to ignore priority given a specific type match
by Steven Schlansker
Hi Resteasy users, [ apologies for the re-post, sent from wrong email the first time ]
I'm a happy user of Resteasy + Jackson for Json processing.
Recently, I had the misfortune of attempting to serialize a basic String:
client.post(Entity.json("Test"));
if you call Jackson directly, it does the right thing:
mapper.writeValueAsString("Test") => "\"Test\""
However, much to my surprise, when sending it via JAX-RS client, it is written as a bare word without quotes -- and is rejected server-side.
After some debugging, I realized that both StringTextStar and JacksonJsonProvider were ending up with Priorities.USER and being seen as equivalent.
No good! So I changed my registration:
context.register(new JacksonJsonProvider(myMapper), Integer.MAX_VALUE);
I then proceeded to triumphantly ... observe the same test failure as before!
Dug quite a bit further in, and it seems that the selection process in MediaTypeMap$TypedEntryComparator
has the unfortunate property that it will select (via compareTypes) a *lower-priority* MessageBodyWriter if the type is a tighter bound on the Entity.
So in my case, I get
StringTextStar -> String.class@5000
JacksonJsonProvider -> Object.class@Integer.MAX_VALUE
and the TypedEntryComparator selects StringTextStar since String is-assignable to Object, despite my attempt at an ultimate priority registration.
How do I fix this? Preferably without removing StringTextStar entirely, as I'm sure that will break something else (reading error messages perhaps).
Thanks for any advice,
Steven
1 year, 3 months
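One workaround consistent with the selection behaviour described above, added here as an example and not taken from the post or from RESTEasy: register a writer bound to String.class itself, so it is as tight a type match as StringTextStar and additionally a more specific media-type match (application/json versus */*). That the comparator prefers the more specific media type between two equal type matches is an assumption to verify against the RESTEasy version in use; `JsonStringWriter` and `myMapper` are assumed names.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.MessageBodyWriter;
import javax.ws.rs.ext.Provider;
import com.fasterxml.jackson.databind.ObjectMapper;

// Writer keyed on String.class (the same type bound as StringTextStar) but limited
// to application/json, so Entity.json("Test") goes out as "\"Test\"" via Jackson
// instead of the bare word written by the text/* provider.
@Provider
@Produces(MediaType.APPLICATION_JSON)
public class JsonStringWriter implements MessageBodyWriter<String> {
    private final ObjectMapper mapper;

    public JsonStringWriter(ObjectMapper mapper) {   // pass the same myMapper given to JacksonJsonProvider
        this.mapper = mapper;
    }

    @Override
    public boolean isWriteable(Class<?> type, Type genericType, Annotation[] annotations, MediaType mediaType) {
        // Claim only exact String payloads for JSON; everything else stays with JacksonJsonProvider.
        return String.class.equals(type) && MediaType.APPLICATION_JSON_TYPE.isCompatible(mediaType);
    }

    @Override
    public long getSize(String s, Class<?> type, Type genericType, Annotation[] annotations, MediaType mediaType) {
        return -1;   // let the container compute Content-Length
    }

    @Override
    public void writeTo(String s, Class<?> type, Type genericType, Annotation[] annotations, MediaType mediaType,
                        MultivaluedMap<String, Object> headers, OutputStream out)
            throws IOException, WebApplicationException {
        // writeValueAsBytes rather than writeValue(out, ...) so Jackson does not close the response stream
        out.write(mapper.writeValueAsBytes(s));   // JSON string literal, quotes and escaping included
    }
}

// Client-side registration, mirroring the post's call for JacksonJsonProvider:
//   client.register(new JsonStringWriter(myMapper), Integer.MAX_VALUE);
```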
Re: [resteasy] RESTEasy client and JSON-B serialization
by Marek Kopecky
Hi Nicklas,
I'm adding the resteasy mailing list back to this conversation.
As I mentioned in my previous mail: can you please provide a reproducer?
(zip file with java project/projects with minimal example of this
issue/issues (deployment application and optionally client application)).
Thank you,
Marek
On 3/14/19 9:50 PM, Nicklas Karlsson wrote:
> But another thing that's really strange is if I do a
>
> return client.target(...).path("md5").request()
>     .post(Entity.json(paths)).readEntity(new GenericType<Map<Path, String>>() {});
>
> (where paths is a Collection<Path>)
>
> I see my PathAdapter being hit on the way out but not when parsing the
> result. Furthermore, I get my Map<Path, String> but the keys are
> somehow Strings. Don't ask me how that works syntactically with the
> key being a Path. The compiler is fine with me using them as paths
> until I actually try to call path methods on it, then they go all
> ClassCastException on me.
>
> On Thu, Mar 14, 2019 at 6:35 PM Nicklas Karlsson <nickarls@gmail.com> wrote:
>
> Thanks for the reply, I'll see if I can distill it down.
>
> I actually got it working by explicitly registering the provider
> with the client builder (did it wrong the first time). I checked
> with the debugger and the ClientBuilder apparently holds provider
> factories that *sound* like their job would be picking up the
> ContextResolver but I get by for now. As a curiosity,
> register(Object) only worked for me when I instantiated the
> ContextResolver with new(); apparently it's a CDI-injectable
> resource, but passing along that instance resulted in some sort of
> ArrayIndexOutOfBoundsException.
>
> On Thu, Mar 14, 2019 at 5:21 PM Marek Kopecky <mkopecky@redhat.com> wrote:
>
> Hi Nicklas,
>
> can you please provide a reproducer? (zip file with minimal
> example of this issue).
>
> Thank you,
>
> Marek
>
> On 3/14/19 11:45 AM, Nicklas Karlsson wrote:
>> Hi,
>>
>> I'm trying out the RESTEasy client on a WildFly 16 and I'm
>> running into a serialization problem. I have a CDI @Provider
>> for ContextResolver<Jsonb> but when using the client with
>> some non-standard Objects (Adapters registered in the
>> Jsonb-provider), I never see the provider hit and I get
> >> exceptions like
>>
>> Caused by: java.lang.IllegalAccessException: Class
>> org.eclipse.yasson.internal.model.GetFromGetter can not
>> access a member of class sun.nio.fs.WindowsPath with
>> modifiers "public" and
>> Caused by: javax.ws.rs.ProcessingException: RESTEASY008205:
>> JSON Binding serialization error
>> javax.json.bind.JsonbException: Error getting value on:
>> foo.txt and
>> Caused by: javax.json.bind.JsonbException: Error getting
> >> value on: yep.fmb
> >> 12:36:19,331 at
>> org.eclipse.yasson.internal.model.GetValueCommand.getValue(GetValueCommand.java:36)
>>
>> and the likes which could be expected from a best-guess
>> attempt at serializing a java.nio.file.Path instead of using
>> the Adapter.
>>
>> I've also tried registering the provider directly in the
>> client builder but still no go? What is the correct way of
>> hooking up JSON-B serialization?
>>
>> Thanks in advance,
>> Nik
>>
>> --
>> Nicklas Karlsson, +358 40 5062266
>> Vaakunatie 10 as 7, 20780 Kaarina
>>
>> _______________________________________________
>> resteasy mailing list
> >> resteasy@lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/resteasy
5 years, 9 months
RESTEasy client and JSON-B serialization
by Nicklas Karlsson
Hi,
I'm trying out the RESTEasy client on a WildFly 16 and I'm running into a
serialization problem. I have a CDI @Provider for ContextResolver<Jsonb>
but when using the client with some non-standard Objects (Adapters
registered in the Jsonb-provider), I never see the provider hit and I get
exceptions like
Caused by: java.lang.IllegalAccessException: Class
org.eclipse.yasson.internal.model.GetFromGetter can not access a member of
class sun.nio.fs.WindowsPath with modifiers "public" and
Caused by: javax.ws.rs.ProcessingException: RESTEASY008205: JSON Binding
serialization error javax.json.bind.JsonbException: Error getting value on:
foo.txt and
Caused by: javax.json.bind.JsonbException: Error getting value on:
yep.fmb
12:36:19,331 at
org.eclipse.yasson.internal.model.GetValueCommand.getValue(GetValueCommand.java:36)
and the likes which could be expected from a best-guess attempt at
serializing a java.nio.file.Path instead of using the Adapter.
I've also tried registering the provider directly in the client builder but
still no go? What is the correct way of hooking up JSON-B serialization?
Thanks in advance,
Nik
--
Nicklas Karlsson, +358 40 5062266
Vaakunatie 10 as 7, 20780 Kaarina
5 years, 9 months
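A minimal version of the setup discussed in this thread, added as an example (not Nicklas's code, and not from RESTEasy or Yasson): a JsonbAdapter that maps java.nio.file.Path to its string form, a ContextResolver<Jsonb> that installs it, and explicit registration of that resolver on the client builder, which is the step the reporter found necessary. It also sidesteps the Map<Path, String> keys-are-really-Strings problem by reading Map<String, String> and converting the keys. `PathAdapter`, `PathJsonbResolver` and `Md5Client` are assumed names and the target URL is a placeholder.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.json.bind.Jsonb;
import javax.json.bind.JsonbBuilder;
import javax.json.bind.JsonbConfig;
import javax.json.bind.adapter.JsonbAdapter;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.GenericType;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.ext.ContextResolver;
import javax.ws.rs.ext.Provider;

// Path <-> String, so JSON-B never reflects over the JDK's Path implementation
// (the IllegalAccessException on sun.nio.fs.WindowsPath quoted above).
public class PathAdapter implements JsonbAdapter<Path, String> {   // one class per file
    @Override public String adaptToJson(Path p) { return p.toString(); }
    @Override public Path adaptFromJson(String s) { return Paths.get(s); }
}

// Supplies the configured Jsonb to the JSON-B MessageBodyReader/Writer.
@Provider
public class PathJsonbResolver implements ContextResolver<Jsonb> {
    private final Jsonb jsonb = JsonbBuilder.create(new JsonbConfig().withAdapters(new PathAdapter()));
    @Override public Jsonb getContext(Class<?> type) { return jsonb; }
}

public class Md5Client {
    public static Map<Path, String> md5(Collection<Path> paths) {
        // Explicit registration on the builder is what made the adapter visible on the client side.
        Client client = ClientBuilder.newBuilder().register(new PathJsonbResolver()).build();
        try {
            // JSON object keys are always strings, so read Map<String, String> and convert the keys
            // instead of asking for Map<Path, String>, whose keys would really be Strings at runtime.
            Map<String, String> raw = client.target("http://localhost:8080/app/api")   // placeholder URL
                .path("md5").request(MediaType.APPLICATION_JSON)
                .post(Entity.json(paths), new GenericType<Map<String, String>>() {});
            Map<Path, String> out = new LinkedHashMap<>();
            raw.forEach((k, v) -> out.put(Paths.get(k), v));
            return out;
        } finally {
            client.close();
        }
    }
}
```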