resteasy XXE vulnerability
by Wang Veronica
Hi experts,
We use resteasy 3.0.6final, and an XXE vulnerability was reported during a penetration test.
It seems that 3.0.6final contains a partial fix for the XXE vulnerability, but you need to set the resteasy.document.expand.entity.references parameter to false explicitly. A more complete fix seems to have been done after 3.0.10.
We can upgrade to a more recent version, e.g. 3.1.2. Another option I am thinking of is not to support the XML media type (we actually need to support JSON only). Is this a feasible approach to ultimately avoid XXE attacks, and are there any pointers on how to achieve this? (In our REST API code, we currently declare consume and produce annotations to support application/xml and application/json.)
Is there a simple resteasy configuration to disable support for application/xml?
Thanks, Veronica
1 year, 3 months
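The thread above leaves the "JSON only" idea open. As an added example (not from the thread and not RESTEasy's own code), the following JAX-RS pre-matching filter rejects any request that declares an XML body before a MessageBodyReader can hand it to an XML parser; it complements, rather than replaces, dropping application/xml from the resource @Consumes/@Produces annotations. It assumes the javax.ws.rs (JAX-RS 2.x) namespace used by RESTEasy 3.x.

```java
import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Hypothetical defence-in-depth filter: answers 415 to any request whose
 * Content-Type is an XML type, so no XML entity is ever parsed server-side.
 * Registered automatically through @Provider (or via Application#getClasses).
 */
@Provider
@PreMatching
public class RejectXmlBodyFilter implements ContainerRequestFilter {

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        // getMediaType() is null when the request carries no Content-Type header
        MediaType type = ctx.getMediaType();
        if (type != null && isXml(type)) {
            ctx.abortWith(Response.status(Response.Status.UNSUPPORTED_MEDIA_TYPE)
                    .type(MediaType.TEXT_PLAIN)
                    .entity("This API accepts application/json only")
                    .build());
        }
    }

    /** True for application/xml, text/xml and any "+xml" structured-syntax suffix (e.g. atom+xml). */
    static boolean isXml(MediaType type) {
        String subtype = type.getSubtype().toLowerCase();
        return subtype.equals("xml") || subtype.endsWith("+xml");
    }
}
```

A request sent with Accept: application/xml is still governed by @Produces, so XML must also be removed there for responses to be JSON only.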
Resteasy client defines servlet
by Leonid Rozenblyum
Hello.
Recently, due to an update of resteasy-client from 3.0.1.Final to 3.6.3.Final,
we faced failures processing our Spring MVC controller at the '/' path.
After some debugging I found out the reason:
1) resteasy-client transitively depends on resteasy-jaxrs
2) resteasy-jaxrs (at least since 3.0.20.final; see commit
https://github.com/resteasy/Resteasy/commit/840cb666c8e89767e9c9821eb173b...
)
registers org.jboss.resteasy.plugins.server.servlet.HttpServlet30Dispatcher
as a servlet with value = ''
Is it expected behaviour that a *client* dependency registers a servlet?
Are there any ways to disable it?
Thanks for advice!
1 year, 3 months
Selecting MessageBodyWriter seems to ignore priority given a specific type match
by Steven Schlansker
Hi Resteasy users, [ apologies for the re-post, sent from wrong email the first time ]
I'm a happy user of Resteasy + Jackson for Json processing.
Recently, I had the misfortune of attempting to serialize a basic String:
client.post(Entity.json("Test"));
If you call Jackson directly, it does the right thing:
mapper.writeValueAsString("Test") => "\"Test\""
However, much to my surprise, when sending it via the JAX-RS client, it is written as a bare word without quotes -- and is rejected server-side.
After some debugging, I realized that both StringTextStar and JacksonJsonProvider were ending up with Priorities.USER and being seen as equivalent.
No good! So I changed my registration:
context.register(new JacksonJsonProvider(myMapper), Integer.MAX_VALUE);
I then proceeded to triumphantly ... observe the same test failure as before!
I dug quite a bit further in, and it seems that the selection process in MediaTypeMap$TypedEntryComparator
has the unfortunate property that it will select (via compareTypes) a *lower-priority* MessageBodyWriter if the type is a tighter bound on the Entity.
So in my case, I get
StringTextStar -> String.class@5000
JacksonJsonProvider -> Object.class@Integer.MAX_VALUE
and the TypedEntryComparator selects StringTextStar since String is assignable to Object, despite my attempt at an ultimate priority registration.
How do I fix this? Preferably without removing StringTextStar entirely, as I'm sure that will break something else (reading error messages perhaps).
Thanks for any advice,
Steven
1 year, 3 months
Microprofile config
by Alvaro Arenas
Hi,
I am adding my project to a stripped-down WildFly v23 (without microservices modules) and I use smallrye-config in my project. When adding my deployment with the microprofile configuration package included (for example "org.apache.geronimo.config:geronimo-config-impl:1.2.2"), the sources in the file org.eclipse.microprofile.config.spi.ConfigSource get automatically added by WildFly but the implementation class is not found.
I get the following error:
Caused by: java.lang.NoClassDefFoundError: Failed to link org/jboss/resteasy/microprofile/config/ServletConfigSource (Module "org.jboss.resteasy.resteasy-jaxrs" version 3.15.1.Final from local module loader @fc1522fa (finder: local module finder @4332406a (roots: /Users/alvarena/hki/keycloak/standalone/keycloak-13.0.0/modules,/Users/alvarena/hki/keycloak/standalone/keycloak-13.0.0/modules/system/layers/keycloak,/Users/alvarena/hki/keycloak/standalone/keycloak-13.0.0/modules/system/layers/base))): org.eclipse.microprofile.config.spi.ConfigSource
at java.lang.ClassLoader.defineClassImpl(Native Method)
at java.lang.ClassLoader.defineClassInternal(ClassLoader.java:398)
at java.lang.ClassLoader.defineClass(ClassLoader.java:359)
at org.jboss.modules.ModuleClassLoader.doDefineOrLoadClass(ModuleClassLoader.java:423)
at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:555)
at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:339)
at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:126)
at org.jboss.modules.Module.loadModuleClass(Module.java:753)
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:247)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
at java.lang.Class.forNameImpl(Native Method)
at java.lang.Class.forName(Class.java:408)
at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:370)
at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
at java.lang.Iterable.forEach(Iterable.java:74)
at org.apache.geronimo.config.DefaultConfigBuilder.build(DefaultConfigBuilder.java:130)
at org.apache.geronimo.config.DefaultConfigProvider.getConfig(DefaultConfigProvider.java:62)
at org.apache.geronimo.config.DefaultConfigProvider.getConfig(DefaultConfigProvider.java:46)
at org.eclipse.microprofile.config.ConfigProvider.getConfig(ConfigProvider.java:93)
at org.apache.geronimo.config.cdi.ConfigExtension.validate(ConfigExtension.java:123)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.weld.injection.StaticMethodInjectionPoint.invoke(StaticMethodInjectionPoint.java:95)
... 26 more
I don't understand how the system is able to find the file org.eclipse.microprofile.config.spi.ConfigSource but not the implementation classes that are in the same package.
Any idea what could be wrong?
Best regards,
Alvaro
1 year, 3 months
Migrating existing Rest Easy Project to SpringBoot
by Lloyd Fernandes
Team,
I am trying to migrate my existing project from its RestEasy implementation to Spring Boot 2.x.
My current project has two application classes (javax.ws.rs.core.Application): App1 and App2
Three provider classes: P1, P2 and P3
The providers are registered to the applications as follows:
App1 --> P1, P2
App2 --> P1, P3
Applications are registered by updating the singletons set in the Application constructors of App1 and App2. Example:
public App1() { singletons.add(new P1()); singletons.add(new P2()); }
I was referencing the RestEasy Spring Boot Starter: https://github.com/resteasy/resteasy-spring-boot/blob/main/mds/USAGE.md. I had the following questions after reading the description:
1. I do not see the use of such singletons recommended anymore. So how do I ensure that the providers are registered to the correct Application?
2. How do I convert the context-param, filter-mapping, login-config and security-constraint configurations defined in web.xml to the equivalent Spring Boot configurations that would work with RestEasy?
3. What has more precedence, the Spring Boot Security modules or the RestEasy security constraints?
2 years, 10 months
Re: How to show helpful error messages for malformed @QueryParam?
by James Perkins
Adding the list back as I dropped it by mistake.
On Tue, Jan 25, 2022 at 5:50 PM Arwin Tio <arwin.tio(a)hotmail.com> wrote:
> Hi James,
>
> Feel free to publish this back to the mailing list, if you'd like.
> Thanks for the example, I have some follow-up questions:
>
>
> - How does the class get hooked up to the rest of the framework? Is it
> through the @Provider annotation?
>
> Yes. The @Provider annotation is what registers it.
>
> - Do you need to have multiple ParamConverterProviders? i.e. one for
> for integers, strings, lists, enums, etc? If you want to handle multiple
> types as parameters
>
> There are some default providers for sure and I wouldn't suggest doing one
> for each type. In most cases it should just work. In this case it's
> allowing Enum's to be supported by passing the Enum.name(), Enum.toString()
> or the ordinal value. It's more convenience than anything.
>
> - I see in your example that there is a clause if (!rawType.isEnum()) -
> does that mean that every single ParamConverterProvider is applied to every
> single parameter? If you have 100 providers, could this cause performance
> issues? Is there a way to associate a converter provider to a particular
> type?
>
> To my knowledge yes, each ParamConverterProvider is invoked on each
> parameter. I would think if you have a lot that could impact performance.
> There is no way that I'm aware of to associate a converter with a type.
> However, returning null is the way to stop processing a
> ParamConverterProvider.
>
> Thanks for the help,
>
> Arwin
>
> ------------------------------
> *From:* James Perkins <jperkins(a)redhat.com>
> *Sent:* January 25, 2022 5:13 PM
> *To:* Arwin Tio <arwin.tio(a)hotmail.com>
> *Subject:* Re: [resteasy] How to show helpful error messages for
> malformed @QueryParam?
>
> Hi Arwin,
> I meant to reply to the list, but I guess I just replied directly instead
> :) I apologize for that. I'll keep it private for now in case you don't
> want any of the information public.
>
> What you could use is a ParamConverter. Something like this may work
> https://gist.github.com/jamezp/aad75e83760f565f15f4f0b54e202620.
>
>
> On Tue, Jan 25, 2022 at 5:03 PM Arwin Tio <arwin.tio(a)hotmail.com> wrote:
>
> Hi James,
>
> Thanks for the reply. Sorry, there is a mistake in my example. In my
> particular case, I have an endpoint that takes a "status" enum:
>
> localhost:8080/api/v1/users?status=creating
>
> But when I use the wrong status, it will throw an exception:
>
> java.lang.IllegalArgumentException: No enum constant com.data.model.UserStatus.creating
> at java.base/java.lang.Enum.valueOf(Enum.java:273)
>
>
> But the client will only receive a 404, with no error message. What I was
> trying to say in the original email was, if number_param received something
> like a String:
>
> localhost:8080/api/v1/users?number_param=asdf
>
> Then it will also return a 404 as a client error, due to this exception
>
> Caused by: java.lang.NumberFormatException: For input string: "asdf"
> at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:67)
>
>
> What I am trying to figure out, is, instead of an opaque 404, I would like
> to set it up to return helpful error messages to the client, such as:
>
>
> - 'number_param' received 'asdf', expected a number/integer instead of
> a string
> - 'status' received 'creating', valid values are ['created',
> 'pending', 'complete']
>
>
> Thanks,
>
> Arwin
>
>
> ------------------------------
> *From:* James Perkins <jperkins(a)redhat.com>
> *Sent:* January 25, 2022 4:31 PM
> *To:* Arwin Tio <arwin.tio(a)hotmail.com>
> *Subject:* Re: [resteasy] How to show helpful error messages for
> malformed @QueryParam?
>
> Hello Arwin,
> Sorry for the late reply. What kind of argument is "123"? What I mean is,
> is it linked to an enum or a special value of some sort?
>
>
> On Fri, Jan 21, 2022 at 9:05 AM Arwin Tio <arwin.tio(a)hotmail.com> wrote:
>
> As I understand it, a malformed @QueryParam will return a 404 with no
> message. For example, localhost:8080/api/v1/users?number_param=123 will
> respond with 404. Apparently, this is due to the JAX-RS spec:
>
> ```
> 3.2 Fields and Bean Properties
>
> if the field or property is annotated with @MatrixParam, @QueryParam or
> @PathParam then an implementation MUST generate an instance of
> NotFoundException (404 status) that wraps the thrown exception and no entity
> ```
>
> I would like to modify this behavior to:
>
> 1. Return a 400 status code, as I believe 404 causes confusion for users
> (they will think the endpoint doesn't exist)
> 2. Show a helpful error message, for example "'123' is an invalid input
> for number_param, expected number"
>
> I have read that the way to do this is with the ExceptionMapper<E extends
> Throwable> interface. Is this true? And if so, which Exception E should I
> use? Is there something like a QueryParamException?
>
> If it matters, I am using RESTEasy with Quarkus.
>
> Thanks,
>
> Arwin
> _______________________________________________
> resteasy mailing list -- resteasy(a)lists.jboss.org
> To unsubscribe send an email to resteasy-leave(a)lists.jboss.org
>
>
>
> --
> James R. Perkins
> JBoss by Red Hat
>
>
>
> --
> James R. Perkins
> JBoss by Red Hat
>
--
James R. Perkins
JBoss by Red Hat
2 years, 10 months
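The exchange above settles on a ParamConverterProvider that handles enums and returns null for everything else, but James's gist is not reproduced on the page. As an added example (not from the thread, not the gist, and not RESTEasy's own code), here is one way to write it so that a bad value yields the 400 and the readable message Arwin asked for: a WebApplicationException such as BadRequestException thrown from the converter is processed directly by JAX-RS, while any other exception is wrapped in the NotFoundException described in the quoted spec passage. It assumes the javax.ws.rs namespace and RESTEasy classic; the same pattern extends to Integer and other types.

```java
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
import java.util.Arrays;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ParamConverter;
import javax.ws.rs.ext.ParamConverterProvider;
import javax.ws.rs.ext.Provider;

/** Hypothetical provider: converts enum @QueryParam/@PathParam values, rejecting bad ones with 400. */
@Provider
public class EnumParamConverterProvider implements ParamConverterProvider {

    @Override
    public <T> ParamConverter<T> getConverter(Class<T> rawType, Type genericType,
                                              Annotation[] annotations) {
        // Every provider is asked about every parameter; returning null hands
        // non-enum parameters straight to the next provider at no further cost.
        if (!rawType.isEnum()) {
            return null;
        }
        return new ParamConverter<T>() {
            @Override
            public T fromString(String value) {
                for (T constant : rawType.getEnumConstants()) {
                    if (((Enum<?>) constant).name().equalsIgnoreCase(value)) {
                        return constant;
                    }
                }
                // Plain-text entity: the client-supplied value is echoed back, so keep it
                // out of HTML and do not reveal anything beyond the list of valid names.
                String message = "'" + value + "' is not a valid " + rawType.getSimpleName()
                        + ", valid values are " + Arrays.toString(rawType.getEnumConstants());
                throw new BadRequestException(Response.status(Response.Status.BAD_REQUEST)
                        .type(MediaType.TEXT_PLAIN).entity(message).build());
            }

            @Override
            public String toString(T value) {
                return ((Enum<?>) value).name();
            }
        };
    }
}
```

With a UserStatus enum of created, pending and complete, ?status=creating is answered with 400 and "'creating' is not a valid UserStatus, valid values are [created, pending, complete]" instead of an empty 404.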
How to show helpful error messages for malformed @QueryParam?
by Arwin Tio
As I understand it, a malformed @QueryParam will return a 404 with no message. For example, localhost:8080/api/v1/users?number_param=123 will respond with 404. Apparently, this is due to the JAX-RS spec:
```
3.2 Fields and Bean Properties
if the field or property is annotated with @MatrixParam, @QueryParam or @PathParam then an implementation MUST generate an instance of NotFoundException (404 status) that wraps the thrown exception and no entity
```
I would like to modify this behavior to:
1. Return a 400 status code, as I believe 404 causes confusion for users (they will think the endpoint doesn't exist)
2. Show a helpful error message, for example "'123' is an invalid input for number_param, expected number"
I have read that the way to do this is with the ExceptionMapper<E extends Throwable> interface. Is this true? And if so, which Exception E should I use? Is there something like a QueryParamException?
If it matters, I am using RESTEasy with Quarkus.
Thanks,
Arwin
2 years, 11 months