From 5d751ea03353a9885a0d8e7363dfd002ec0d735c Mon Sep 17 00:00:00 2001
From: Marco Rizzi
Date: Fri, 13 Oct 2017 11:13:09 +0200
Subject: [PATCH] WINDUPRULE-314, WINDUPRULE--315,WINDUPRULE-316 Resteasy new rules (#282) (#284)

* WINDUPRULE-314: adding rule for Resteasy Yaml provider
* WINDUPRULE-316: adding rule for Resteasy Serializable Provider
* WINDUPRULE-315: added new rule for default charset in text response
* WINDUPRULE-307: fixes after review

(cherry picked from commit b15ba2c3dcda819d180d0e5bd52cd9534e7f5a43)
---
rules-reviewed/eap7/eap6/resteasy.windup.xml | 95 +++++++++++++++++++
.../data/data-resteasy/YamlResource.java | 45 +++++++++
.../eap7/eap6/tests/resteasy.windup.test.xml | 34 +++++++
3 files changed, 174 insertions(+)
create mode 100644 rules-reviewed/eap7/eap6/tests/data/data-resteasy/YamlResource.java

diff --git a/rules-reviewed/eap7/eap6/resteasy.windup.xml b/rules-reviewed/eap7/eap6/resteasy.windup.xml
index 8d1aec76f..a66438950 100644
--- a/rules-reviewed/eap7/eap6/resteasy.windup.xml
+++ b/rules-reviewed/eap7/eap6/resteasy.windup.xml
@@ -737,6 +737,101 @@ + + + + ANNOTATION + + + + + + + + + + + + + The resteasy-yaml-provider module is not recommended to use due security issue in SnakeYAML library used by RESTEasy for unmarshaling. + If you would like to use YAML Resteasy Provider even it is not recommended, + you need to add the SnakeYAML library (Maven dependency) into your application and enable it by creating file `META-INF/services/javax.ws.rs.ext.Providers` with line `org.jboss.resteasy.plugins.providers.YamlProvider` in that file and your application. + + + + + resteasy + yaml + + + + + + + + + + ANNOTATION + + + + ANNOTATION + + + + + + + + + + + + + + Deserializing Java objects from untrusted sources is not safe. For this reason, + the `org.jboss.resteasy.plugins.providers.SerializableProvider` class is disabled by default, and it is not recommended to use this provider. + If you need to enable it even against the recommendation, create or update file `META-INF/services/javax.ws.rs.ext.Providers` with adding line with `org.jboss.resteasy.plugins.providers.SerializableProvider` string. + + + + resteasy + + + + + + + + + + ANNOTATION + + + + ANNOTATION + + + + + + + RESTEasy fixes the issue when it doesn't set/add correctly character set meta data specified in JAX-RS specification. Therefore UTF-8 as the character set for text media types is set by default. + This behavior results in adding `charset=UTF-8` string to the returned content-type header when the resource method returns a `text/*` or `application/xml*` media type without an explicit charset. + The behavior is controlled by `resteasy.add.charset` parameter which is set to `true` by default and you can customize the `resteasy.add.charset` parameter to `false` in _web.xml_'s `context-param` element + in case of wanting to keep previous behavior. + + + + resteasy + charset + + + 
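Review bot: The Yaml provider hint says the module is "not recommended to use due security issue in SnakeYAML library" but never says what the issue is, so a reader cannot judge whether the re-enable instructions that follow are acceptable for their deployment; the neighbouring SerializableProvider hint already states "Deserializing Java objects from untrusted sources is not safe", and the YAML hint should make the same point, e.g. `The resteasy-yaml-provider module is not recommended because the SnakeYAML library RESTEasy uses for unmarshalling deserializes untrusted request bodies.` The phrase "in that file and your application" is dangling; "in that file, packaged with your application" reads as intended. In the charset rule, "fixes the issue when it doesn't set/add correctly character set meta data" is hard to parse; `RESTEasy now sets the character set metadata required by the JAX-RS specification.` says the same. The rule markup (ids, javaclass/annotation match conditions) is not visible in this rendering, so the match patterns themselves could not be reviewed.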
diff --git a/rules-reviewed/eap7/eap6/tests/data/data-resteasy/YamlResource.java b/rules-reviewed/eap7/eap6/tests/data/data-resteasy/YamlResource.java
new file mode 100644
index 000000000..906522e6b
--- /dev/null
+++ b/rules-reviewed/eap7/eap6/tests/data/data-resteasy/YamlResource.java
@@ -0,0 +1,45 @@
+import javax.ws.rs.Consumes;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+
+@Path("/yaml")
+public class YamlResource {
+
+ @GET
+ @Produces("text/x-yaml")
+ public MyObject getMyObject() {
+ return createMyObject();
+ }
+
+ @GET
+ @Produces("text/yaml")
+ public MyObject getMyObject1() {
+ return createMyObject();
+ }
+
+ @GET
+ @Produces("application/x-yaml")
+ public MyObject getMyObject2() {
+ return createMyObject();
+ }
+
+
+ @GET
+ @Produces("application/x-java-serialized-object")
+ public MyObject getMyObject4() {
+ return createMyObject();
+ }
+
+ @GET
+ @Produces("text/plain")
+ public String getResult() {
+ return "";
+ }
+
+ @GET
+ @Produces("application/xml")
+ public String getResult() {
+ return "";
+ }
+}
\ No newline at end of file
diff --git a/rules-reviewed/eap7/eap6/tests/resteasy.windup.test.xml b/rules-reviewed/eap7/eap6/tests/resteasy.windup.test.xml
index f8375947a..f1cb81cfb 100644
--- a/rules-reviewed/eap7/eap6/tests/resteasy.windup.test.xml
+++ b/rules-reviewed/eap7/eap6/tests/resteasy.windup.test.xml
@@ -469,6 +469,40 @@
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
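Review bot: `public String getResult()` is declared twice in YamlResource (once under `@Produces("text/plain")`, once under `@Produces("application/xml")`), which is a duplicate-method compile error in Java; even if the rule tests only scan the source, a fixture that cannot compile is fragile, so rename the second one, `public String getXmlResult() {`. The `javax.ws.rs.Consumes` import is unused, and `MyObject`/`createMyObject()` are undeclared, which is presumably deliberate for a fixture but worth a one-line comment, `// minimal fixture: MyObject and createMyObject() are intentionally undeclared`. The file also lacks a trailing newline. The resteasy.windup.test.xml hunk that follows has its markup stripped in this rendering and could not be reviewed.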