fix CVE-2021-20289

This commit is contained in:
lingsheng 2021-04-22 16:46:51 +08:00
parent 948408d75f
commit 2fd40fa1a7
2 changed files with 127 additions and 1 deletions

CVE-2021-20289.patch Normal file

@ -0,0 +1,121 @@
From 8dbcc5d69b2c077b1174e8cedac20956903e101b Mon Sep 17 00:00:00 2001
From: lingsheng <lingsheng@huawei.com>
Date: Wed, 21 Apr 2021 11:41:47 +0800
Subject: [PATCH] [RESTEASY-2843] Do not add the target type to the thrown
exception. Instead log it as a debug message.
Fix CVE-2021-20289, backport from https://github.com/resteasy/Resteasy/commit/358777a
---
.../core/StringParameterInjector.java | 19 +++++++++++++------
.../resteasy_jaxrs/i18n/LogMessages.java | 4 ++++
.../resteasy_jaxrs/i18n/Messages.java | 4 ++--
3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
index e50ba88..b7178f6 100755
--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
@@ -1,6 +1,7 @@
package org.jboss.resteasy.core;
import org.jboss.resteasy.annotations.StringParameterUnmarshallerBinder;
+import org.jboss.resteasy.resteasy_jaxrs.i18n.LogMessages;
import org.jboss.resteasy.resteasy_jaxrs.i18n.Messages;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.jboss.resteasy.spi.StringConverter;
@@ -296,7 +297,8 @@ public class StringParameterInjector
}
catch (Exception e)
{
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
+ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
}
if (paramConverter != null)
{
@@ -322,11 +324,13 @@ public class StringParameterInjector
}
catch (InstantiationException e)
{
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
+ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
}
catch (IllegalAccessException e)
{
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
+ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
}
catch (InvocationTargetException e)
{
@@ -335,7 +339,8 @@ public class StringParameterInjector
{
throw ((WebApplicationException)targetException);
}
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), targetException);
+ LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
}
}
else if (valueOf != null)
@@ -346,7 +351,8 @@ public class StringParameterInjector
}
catch (IllegalAccessException e)
{
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
+ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
}
catch (InvocationTargetException e)
{
@@ -355,7 +361,8 @@ public class StringParameterInjector
{
throw ((WebApplicationException)targetException);
}
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), targetException);
+ LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
}
}
return null;
diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
index a1c82da..265e632 100644
--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
+++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
@@ -1,5 +1,6 @@
package org.jboss.resteasy.resteasy_jaxrs.i18n;
+import java.lang.reflect.AccessibleObject;
import java.net.URL;
import javax.ws.rs.core.MediaType;
@@ -209,6 +210,9 @@ public interface LogMessages extends BasicLogger
@Message(id = BASE + 335, value = "Unable to retrieve config: enableSecureProcessingFeature defaults to true")
void unableToRetrieveConfigSecure();
+ @LogMessage(level = Level.DEBUG)
+ @Message("Unable to extract parameter from http request: %s value is '%s' for %s")
+ void unableToExtractParameter(@Cause Throwable cause, String paramSignature, String strVal, AccessibleObject target);
///////////////////////////////////////////////////////////////////////////////////////////////////////////
// TRACE //
diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
index 8a3ca94..472fa30 100644
--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
+++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
@@ -549,8 +549,8 @@ public interface Messages
@Message(id = BASE + 865, value = "Unable to determine base class from Type")
String unableToDetermineBaseClass();
- @Message(id = BASE + 870, value = "Unable to extract parameter from http request: {0} value is '{1}' for {2}", format=Format.MESSAGE_FORMAT)
- String unableToExtractParameter(String paramSignature, String strVal, AccessibleObject target);
+ @Message(id = BASE + 870, value = "Unable to extract parameter from http request: %s value is '%s'")
+ String unableToExtractParameter(String paramSignature, String strVal);
@Message(id = BASE + 875, value = "Unable to find a constructor that takes a String param or a valueOf() or fromString() method for {0} on {1} for basetype: {2}", format=Format.MESSAGE_FORMAT)
String unableToFindConstructor(String paramSignature, AccessibleObject target, String className);
--
2.23.0
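Review bot: The rewritten `BASE + 870` message in Messages.java changes what the client actually sees, beyond dropping the target: the old pattern `'{1}'` under `Format.MESSAGE_FORMAT` is a single-quoted literal in java.text.MessageFormat (the javadoc's own example is that `"'{0}'"` yields the text `{0}`), so the thrown message printed the characters `{1}` rather than the value, whereas the new printf-style `'%s'` now echoes the raw request parameter into the ProcessingException message. Since the purpose of the fix is to keep detail out of the client-facing error, decide whether reflecting untrusted input there is wanted (how that message reaches the HTTP response depends on the exception mapper, which is outside this patch); if not, the thrown message can be cut to `@Message(id = BASE + 870, value = "Unable to extract parameter from http request: %s")` with `String unableToExtractParameter(String paramSignature);`, leaving the value to the new DEBUG log, at the cost of touching the five call sites in StringParameterInjector. The new DEBUG log method in LogMessages.java carries no `id`, unlike its neighbour `BASE + 335`; assigning one keeps the line greppable by RESTEASY code, and it is worth noting in the spec changelog that this backport is from upstream 358777a. The catch blocks in StringParameterInjector belong to a method whose start and end lie outside the hunk.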


@ -2,7 +2,7 @@
%global namedversion %{version}%{namedreltag}
Name: resteasy
Version: 3.0.19
Release: 2
Release: 3
Summary: Framework for RESTful Web services and Java applications
License: ASL 2.0 and CDDL
URL: https://github.com/resteasy/Resteasy/
@ -10,6 +10,7 @@ Source0: https://github.com/resteasy/Resteasy/archive/%{namedversion
Patch0: resteasy-3.0.19-Mime4j-0.7.2-support.patch
Patch1: resteasy-3.0.19-port-resteasy-netty-to-netty-3.10.6.patch
Patch2: CVE-2016-9606.patch
Patch3: CVE-2021-20289.patch
BuildArch: noarch
BuildRequires: maven-local mvn(com.beust:jcommander) mvn(com.fasterxml:classmate)
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations)
@ -196,6 +197,7 @@ find -name '*.jar' -print -delete
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%pom_disable_module resteasy-spring jaxrs
%pom_disable_module fastinfoset jaxrs/providers
%pom_disable_module examples jaxrs
@ -330,6 +332,9 @@ done
%license jaxrs/License.html
%changelog
* Thu Apr 22 2021 lingsheng <lingsheng@huawei.com> - 3.0.19-3
- fix CVE-2021-20289
* Fri Jan 29 2021 wangxiao <wangxiao65@huawe.com> - 3.0.19-2
- fix CVE-2016-9606