resteasy XXE vulnerability
by Wang Veronica
Hi experts,
We use RESTEasy 3.0.6.Final, and an XXE vulnerability was reported during a penetration test.
It seems that 3.0.6.Final contains a partial fix for the XXE vulnerability, but the resteasy.document.expand.entity.references parameter needs to be set to false explicitly. A more complete fix seems to have been made after 3.0.10.
We can upgrade to a more recent version, e.g. 3.1.2. Another option I am considering is not to support the XML media type at all (we actually need to support JSON only). Is this a feasible approach to avoid XXE attacks entirely, and are there any pointers on how to achieve it? (In our REST API code, we currently declare @Consumes and @Produces annotations supporting both application/xml and application/json.)
Is there a simple RESTEasy configuration to disable support for application/xml?
Thanks, Veronica
1 year, 3 months
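The JSON-only approach asked about above, as an added example that is not part of the original thread or of the RESTEasy project's own code. It shows a resource whose @Consumes/@Produces name only application/json, next to the two-media-type declaration it replaces, and drives it in-process with RESTEasy's mock dispatcher (org.jboss.resteasy.mock, shipped in resteasy-jaxrs 3.x) using a constructed request body that declares an external entity. With a JSON-only @Consumes the XML Content-Type fails resource-method matching, which JAX-RS maps to 415 Unsupported Media Type, so the body is never handed to the JAXB provider's XML parser. The class name ApiResource and the path /orders are hypothetical. Two caveats a practitioner should keep in mind: a resource method with no @Consumes at all accepts any Content-Type, so every method must declare JSON for this to hold, and the JAXB providers remain on the classpath, so keeping the context parameters resteasy.document.expand.entity.references=false, resteasy.document.secure.processing.feature=true and resteasy.document.secure.disableDTDs=true in web.xml is still worthwhile as defence in depth.

```java
// Added example (not from the original thread or the RESTEasy project).
// Assumes resteasy-jaxrs 3.x on the classpath; ApiResource and /orders are
// hypothetical names chosen for illustration.
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.jboss.resteasy.core.Dispatcher;
import org.jboss.resteasy.mock.MockDispatcherFactory;
import org.jboss.resteasy.mock.MockHttpRequest;
import org.jboss.resteasy.mock.MockHttpResponse;

public class JsonOnlyResourceDemo {

    // BEFORE (the declaration described in the thread): both media types are
    // accepted, so an application/xml body reaches the JAXB provider and its
    // XML parser, which is where entity expansion happens.
    //   @Consumes({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
    //   @Produces({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
    //
    // AFTER: JSON only. A request with any other Content-Type does not match
    // this method, so RESTEasy answers 415 without reading the body.
    // Note: a method with NO @Consumes accepts every media type, so this must
    // be applied to every method of every resource.
    @Path("/orders")
    public static class ApiResource {
        @POST
        @Consumes(MediaType.APPLICATION_JSON)
        @Produces(MediaType.APPLICATION_JSON)
        public Response create(String body) {
            // Echo the raw JSON back; a real resource would bind to a DTO
            // through a JSON provider such as resteasy-jackson2-provider.
            return Response.ok(body).build();
        }
    }

    // Constructed probe body: a DOCTYPE that defines an external entity and
    // references it, i.e. the shape of payload an XXE test would send.
    static final String XXE_BODY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE order [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<order><id>&xxe;</id></order>";

    // Constructed well-formed JSON body for the positive case.
    static final String JSON_BODY = "{\"id\":\"42\"}";

    // Dispatches one POST /orders in-process and returns the HTTP status.
    static MockHttpResponse post(Dispatcher dispatcher, String contentType,
                                 String body) throws Exception {
        MockHttpResponse response = new MockHttpResponse();
        dispatcher.invoke(
            MockHttpRequest.post("/orders")
                .contentType(contentType)
                .content(body.getBytes("UTF-8")),
            response);
        return response;
    }

    public static void main(String[] args) throws Exception {
        Dispatcher dispatcher = MockDispatcherFactory.createDispatcher();
        dispatcher.getRegistry().addSingletonResource(new ApiResource());

        // XML probe: rejected at method matching, no XML parser is involved.
        MockHttpResponse xml = post(dispatcher, MediaType.APPLICATION_XML, XXE_BODY);
        System.out.println("application/xml  -> status " + xml.getStatus());

        // JSON request: matched and handled normally.
        MockHttpResponse json = post(dispatcher, MediaType.APPLICATION_JSON, JSON_BODY);
        System.out.println("application/json -> status " + json.getStatus()
            + ", body " + json.getContentAsString());
    }
}
```

Run it from a project that has resteasy-jaxrs 3.x as a dependency; the same in-process harness can be turned into a unit test that fails the build if anyone later re-adds application/xml to a @Consumes list.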
RestEasy + Spring Boot + Swagger2
by Prabhakar, Abhijith
Hi,
We are building a Spring Boot application with RESTEasy integration. We define our contract using the Swagger2/OpenAPI specification and generate JAX-RS resources using https://github.com/swagger-api/swagger-codegen. To integrate Spring Boot with RESTEasy we use the https://github.com/paypal/resteasy-spring-boot starter. The Swagger specification provides a property where the `basePath` for the application can be defined (https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#...). Codegen uses this property to annotate the resource class with the @Path annotation.

Now we want to host the API specification (static JSON files), which in turn is parsed to host swagger-ui.html. We would like to host these static resources as part of the application. The issue is that the Spring Boot RESTEasy starter uses a ServletContextListener and is mapped to the "/*" URL pattern if you don't define an Application class with @ApplicationConfig. This makes it impossible to host any static resources. The same issue exists when I tried to add Spring Boot Actuator as well. This is not an issue if I add an Application class and bind the REST resources to a namespace other than "/*". But we would like to follow the Swagger spec and define everything, including the URL, in the specification rather than in the Application. Please let me know if there is something I am missing here or if there is any workaround.
Thanks in advance
Abhi
7 years, 1 month