Skip to content

Commit

Permalink
WINDUPRULE-314, WINDUPRULE--315,WINDUPRULE-316 Resteasy new rules (#282
Browse files Browse the repository at this point in the history 
…) (#284)

* WINDUPRULE-314: adding rule for Resteasy Yaml provider

* WINDUPRULE-316: adding rule for Resteasy Serializable Provider

* WINDUPRULE-315: added new rule for default charset in text response

* WINDUPRULE-307: fixes after review

(cherry picked from commit b15ba2c)
  • Loading branch information
@mrizzi
mrizzi committed Oct 13, 2017
1 parent c153002 commit 5d751ea
Show file tree
Hide file tree
Showing 3 changed files with 174 additions and 0 deletions.
95 changes: 95 additions & 0 deletions rules-reviewed/eap7/eap6/resteasy.windup.xml
View file
Expand Up @@ -737,6 +737,101 @@
</hint>
</perform>
</rule>
<rule id="resteasy-eap6-000140">
<when>
<javaclass references="javax.ws.rs.Produces">
<location>ANNOTATION</location>
<annotation-literal name="value" pattern="{*}yaml"/>
</javaclass>
</when>
<perform>
<iteration>
<when>
<not>
<file-exists filename="javax.ws.rs.ext.Providers"/>
</not>
</when>
<perform>
<hint title="Resteasy Yaml Provider is deprecated and disabled by default" effort="3" category-id="mandatory">
<message>The resteasy-yaml-provider module is not recommended to use due security issue in SnakeYAML library used by RESTEasy for unmarshaling.
If you would like to use YAML Resteasy Provider even it is not recommended,
you need to add the SnakeYAML library (Maven dependency) into your application and enable it by creating file `META-INF/services/javax.ws.rs.ext.Providers` with line `org.jboss.resteasy.plugins.providers.YamlProvider` in that file and your application.
</message>
<link title="Yaml unmarshalling vulnerable to RCE" href="https://bugzilla.redhat.com/show_bug.cgi?id=1400644"/>
<link title="RESTEasy YAML Provider Setting Changes"
href="https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html-single/migration_guide/#migrate_resteasy_yaml_provider_setting_changes"/>
<link title="RESTEasy YAML Provider"
href="https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/developing_web_services_applications/#jaxrs_yaml_provider"/>
<tag>resteasy</tag>
<tag>yaml</tag>
</hint>
</perform>
</iteration>
</perform>
</rule>
<rule id="resteasy-eap6-000141">
<when>
<or>
<javaclass references="javax.ws.rs.Produces">
<location>ANNOTATION</location>
<annotation-literal name="value" pattern="application/x-java-serialized-object"/>
</javaclass>
<javaclass references="javax.ws.rs.Consumes">
<location>ANNOTATION</location>
<annotation-literal name="value" pattern="application/x-java-serialized-object"/>
</javaclass>
</or>
</when>
<perform>
<iteration>
<when>
<not>
<file-exists filename="javax.ws.rs.ext.Providers"/>
</not>
</when>
<perform>
<hint title="Resteasy SerializableProvider is disabled by default" effort="1" category-id="mandatory">
<message>Deserializing Java objects from untrusted sources is not safe. For this reason,
the `org.jboss.resteasy.plugins.providers.SerializableProvider` class is disabled by default, and it is not recommended to use this provider.
If you need to enable it even against the recommendation, create or update file `META-INF/services/javax.ws.rs.ext.Providers` with adding line with `org.jboss.resteasy.plugins.providers.SerializableProvider` string.
</message>
<link title="RESTEasy SerializableProvider"
href="https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html-single/migration_guide/#migrate_resteasy_serializableprovider"/>
<link href="http://docs.jboss.org/resteasy/docs/3.1.2.Final/javadocs/org/jboss/resteasy/plugins/providers/SerializableProvider.html" title="SerializableProvider Java API documentation"/>
<tag>resteasy</tag>
</hint>
</perform>
</iteration>
</perform>
</rule>
<rule id="resteasy-eap6-000142">
<when>
<or>
<javaclass references="javax.ws.rs.Produces">
<location>ANNOTATION</location>
<annotation-literal name="value" pattern="application/xml{*}"/>
</javaclass>
<javaclass references="javax.ws.rs.Produces">
<location>ANNOTATION</location>
<annotation-literal name="value" pattern="text/{*}"/>
</javaclass>
</or>
</when>
<perform>
<hint title="RESTEasy Text default charset response changed" effort="1" category-id="optional">
<message>RESTEasy fixes the issue when it doesn't set/add correctly character set meta data specified in JAX-RS specification. Therefore UTF-8 as the character set for text media types is set by default.
This behavior results in adding `charset=UTF-8` string to the returned content-type header when the resource method returns a `text/*` or `application/xml*` media type without an explicit charset.
The behavior is controlled by `resteasy.add.charset` parameter which is set to `true` by default and you can customize the `resteasy.add.charset` parameter to `false` in _web.xml_'s `context-param` element
in case of wanting to keep previous behavior.
</message>
<link title="RESTEasy Default Charset UTF-8 in Content-Type Header"
href="https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html/migration_guide/application_migration_changes#migrate_resteasy_default_charset_utf8_in_content_type_header"/>
<link href="http://docs.jboss.org/resteasy/docs/3.1.4.Final/userguide/html_single/index.html#Text_media_types" title="RESTEasy Text media types and character sets"/>
<tag>resteasy</tag>
<tag>charset</tag>
</hint>
</perform>
</rule>
</rules>
</ruleset>

45 changes: 45 additions & 0 deletions rules-reviewed/eap7/eap6/tests/data/data-resteasy/YamlResource.java
View file
@@ -0,0 +1,45 @@
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

@Path("/yaml")
public class YamlResource {

@GET
@Produces("text/x-yaml")
public MyObject getMyObject() {
return createMyObject();
}

@GET
@Produces("text/yaml")
public MyObject getMyObject1() {
return createMyObject();
}

@GET
@Produces("application/x-yaml")
public MyObject getMyObject2() {
return createMyObject();
}


@GET
@Produces("application/x-java-serialized-object")
public MyObject getMyObject4() {
return createMyObject();
}

@GET
@Produces("text/plain")
public String getResult() {
return "";
}

@GET
@Produces("application/xml")
public String getResult() {
return "";
}
}
34 changes: 34 additions & 0 deletions rules-reviewed/eap7/eap6/tests/resteasy.windup.test.xml
View file
Expand Up @@ -469,6 +469,40 @@
<fail message="OAuthValidator#validateMessage hint not found!" />
</perform>
</rule>
<rule id="resteasy-eap6-000140-test">
<when>
<not>
<iterable-filter size="3">
<hint-exists message="The resteasy-yaml-provider module.*" />
</iterable-filter>
</not>
</when>
<perform>
<fail message="Resteasy Yaml test failed, there are not found 3 hints!" />
</perform>
</rule>
<rule id="resteasy-eap6-000141-test">
<when>
<not>
<hint-exists message="Deserializing Java objects from untrusted sources is not safe.*" />
</not>
</when>
<perform>
<fail message="Resteasy Serializable Provider test failed, hint is not found!" />
</perform>
</rule>
<rule id="resteasy-eap6-000142-test">
<when>
<not>
<iterable-filter size="4">
<hint-exists message="RESTEasy fixes the issue when it doesn't set/add correctly character set meta data.*" />
</iterable-filter>
</not>
</when>
<perform>
<fail message="Resteasy default charset test failed, hint is not found!" />
</perform>
</rule>
</rules>
</ruleset>
</ruletest>

0 comments on commit 5d751ea

Please sign in to comment.