We use resteasy 3.0.6final, and XXE vulnerability was reported during penetration test.
Seems that 3.0.6final contains partial fix for XXE vulnerability, but need to set resteasy.document.expand.entity.references parameter to false explicitly. A more complete fix seems to have been done after 3.0.10.
We can upgrade to a more recent version, e.g. 3.1.2. Another option I am thinking is not to support XML Media type (we actually need to support json only). Is this a feasible approach to ultimately avoid XXE attack and any pointers to achieve this? (In our REST API code, we currently declare consume and produce annotations to support application/xml and application/json).
Is there a simple resteasy configuration to disable support of application/xml?
Recently due to update of resteasy-client from 3.0.1.Final to 3.6.3.Final
we faced failures to process our spring mvc controller at '/' path.
After some debugging I found out the reason:
1) resteasy-client transitively depends on resteasy-jaxrs
2) resteasy-jaxrs (at least since 3.0.20.final)
as a servlet with value = '')
Is it an expected behaviour that *client *dependency register a servlet?
Are there any ways to disable it?
Thanks for advice!
Hi Resteasy users, [ apologies for the re-post, sent from wrong email the first time ]
I'm a happy user of Resteasy + Jackson for Json processing.
Recently, I had the misfortune of attempting to serialize a basic String:
if you call Jackson directly, it does the right thing:
mapper.writeValueAsString("Test") => "\"Test\""
However, much to my surprise, when sending it via JAX-RS client, it is written as a bare word without quotes -- and is rejected server-side.
After some debugging, I realized that both StringTextStar and JacksonJsonProvider were ending up with Priorities.USER and being seen as equivalent.
No good! So I changed my registration:
context.register(new JacksonJsonProvider(myMapper), Integer.MAX_VALUE);
I then proceeded to triumphantly ... observe the same test failure as before!
Dug quite a bit further in, and it seems that the selection process in MediaTypeMap$TypedEntryComparator
has the unfortunate property that it will select (via compareTypes) a *less priority* MessageBodyWriter if the type is a tighter bound on the Entity.
So in my case, I get
StringTextStar -> String.class@5000
JacksonJsonProvider -> Object.class(a)Integer.MAX_VALUE
and the TypedEntryComparator selects StringTextStar since String is-assignable to Object, despite my attempt at an ultimate priority registration.
How do I fix this? Preferably without removing StringTextStar entirely, as I'm sure that will break something else (reading error messages perhaps).
Thanks for any advice,