We use resteasy 3.0.6final, and an XXE vulnerability was reported during a penetration test.
It seems that 3.0.6final contains a partial fix for the XXE vulnerability, but the resteasy.document.expand.entity.references parameter needs to be set to false explicitly. A more complete fix seems to have been done after 3.0.10.
We can upgrade to a more recent version, e.g. 3.1.2. Another option I am thinking of is not to support the XML media type at all (we actually need to support JSON only). Is this a feasible approach to ultimately avoid the XXE attack, and are there any pointers on how to achieve this? (In our REST API code, we currently declare consume and produce annotations to support application/xml and application/json.)
Is there a simple resteasy configuration to disable support for application/xml?
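One way to do what the question asks, declaring the resources as JSON-only and additionally rejecting XML bodies with a pre-matching filter, as an added example that is not code from the original post (the resource class, path and filter names are assumptions; it targets the JAX-RS 2.0 API that RESTEasy 3.x implements):

```java
// Added example: restrict a JAX-RS resource to JSON only and reject
// XML bodies before any XML provider runs. Class and path names are assumptions.
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// 1. Declare only JSON on the resource. A request sent with
//    Content-Type: application/xml then fails JAX-RS matching with
//    415 Unsupported Media Type instead of reaching a JAXB/XML
//    MessageBodyReader that would parse the document (and its entities).
@Path("/items")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public class ItemResource {
    @POST
    public Response create(String jsonBody) {
        return Response.ok("{\"status\":\"created\"}").build();
    }
}

// 2. Defence in depth: a pre-matching filter that rejects any XML-like
//    media type (application/xml, text/xml, */*+xml) for every resource,
//    so one resource that still declares XML cannot quietly reintroduce it.
@Provider
@PreMatching
class RejectXmlFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext ctx) {
        MediaType mt = ctx.getMediaType();   // null when no body / no Content-Type
        if (mt != null && isXml(mt)) {
            ctx.abortWith(Response.status(Response.Status.UNSUPPORTED_MEDIA_TYPE)
                    .entity("{\"error\":\"XML is not accepted\"}")
                    .type(MediaType.APPLICATION_JSON)
                    .build());
        }
    }

    static boolean isXml(MediaType mt) {
        String sub = mt.getSubtype().toLowerCase();
        return sub.equals("xml") || sub.endsWith("+xml");
    }
}
```

The XML providers are still on the classpath, so keeping the resteasy.document.expand.entity.references context parameter set to false (as the question already mentions) remains worthwhile alongside this.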
We are building a Spring Boot application with RESTEasy integration. We define our contract using the Swagger2/OpenAPI specification and generate JAX-RS resources using https://github.com/swagger-api/swagger-codegen. To integrate Spring Boot with RESTEasy we use the https://github.com/paypal/resteasy-spring-boot starter. The Swagger specification provides a property where the `basePath` for the application can be defined; codegen uses this property to annotate the resource class with @Path.

Now we want to host the API specification (static JSON files), which in turn is parsed to host swagger-ui.html. We would like to host these static resources as part of the application. The issue is that the Spring Boot RESTEasy starter uses a ServletContextListener and it is mapped to the "/*" URL pattern if you don't define an Application class with @ApplicationConfig. This makes it impossible to host any static resources. The same issue exists when I tried to add Spring Boot Actuator as well. This is not an issue if I add an Application class and bind the REST resources to a different namespace other than "/*". But we would like to follow the Swagger spec and define everything, including the URL, in the specification rather than in the Application. Please let me know if there is something I am missing here, or is there any workaround?
Thanks in advance