resteasy/CVE-2021-20289.patch
2021-04-22 16:46:51 +08:00


From 8dbcc5d69b2c077b1174e8cedac20956903e101b Mon Sep 17 00:00:00 2001
From: lingsheng <lingsheng@huawei.com>
Date: Wed, 21 Apr 2021 11:41:47 +0800
Subject: [PATCH] [RESTEASY-2843] Do not add the target type to the thrown
exception. Instead log it as a debug message.
Fixes CVE-2021-20289; backported from https://github.com/resteasy/Resteasy/commit/358777a
---
.../core/StringParameterInjector.java | 19 +++++++++++++------
.../resteasy_jaxrs/i18n/LogMessages.java | 4 ++++
.../resteasy_jaxrs/i18n/Messages.java | 4 ++--
3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
index e50ba88..b7178f6 100755
--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
@@ -1,6 +1,7 @@
package org.jboss.resteasy.core;
import org.jboss.resteasy.annotations.StringParameterUnmarshallerBinder;
+import org.jboss.resteasy.resteasy_jaxrs.i18n.LogMessages;
import org.jboss.resteasy.resteasy_jaxrs.i18n.Messages;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.jboss.resteasy.spi.StringConverter;
@@ -296,7 +297,8 @@ public class StringParameterInjector
}
catch (Exception e)
{
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
+ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
}
if (paramConverter != null)
{
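Review bot: The rewritten message on the second added line still interpolates `strVal`, the request-supplied value, and `getParamSignature()` into the ProcessingException, so whether request-controlled or type-descriptive text can still reach the client now depends entirely on how `throwProcessingException` builds the response, which is outside this hunk; worth confirming it maps to a generic 4xx body rather than echoing the message. The same log-then-throw pair is repeated in the hunks at `@@ -322`, `@@ -335`, `@@ -346` and `@@ -355`; a private helper such as `private void failExtraction(String strVal, Throwable cause) { LogMessages.LOGGER.unableToExtractParameter(cause, getParamSignature(), strVal, target); throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), cause); }` would keep the DEBUG log (which carries `target`) and the thrown message (which no longer does) in lockstep if either is edited later. The enclosing method starts and ends outside the hunk.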
@@ -322,11 +324,13 @@ public class StringParameterInjector
}
catch (InstantiationException e)
{
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
+ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
}
catch (IllegalAccessException e)
{
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
+ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
}
catch (InvocationTargetException e)
{
@@ -335,7 +339,8 @@ public class StringParameterInjector
{
throw ((WebApplicationException)targetException);
}
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), targetException);
+ LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
}
}
else if (valueOf != null)
@@ -346,7 +351,8 @@ public class StringParameterInjector
}
catch (IllegalAccessException e)
{
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
+ LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
}
catch (InvocationTargetException e)
{
@@ -355,7 +361,8 @@ public class StringParameterInjector
{
throw ((WebApplicationException)targetException);
}
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), targetException);
+ LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
}
}
return null;
diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
index a1c82da..265e632 100644
--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
+++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
@@ -1,5 +1,6 @@
package org.jboss.resteasy.resteasy_jaxrs.i18n;
+import java.lang.reflect.AccessibleObject;
import java.net.URL;
import javax.ws.rs.core.MediaType;
@@ -209,6 +210,9 @@ public interface LogMessages extends BasicLogger
@Message(id = BASE + 335, value = "Unable to retrieve config: enableSecureProcessingFeature defaults to true")
void unableToRetrieveConfigSecure();
+ @LogMessage(level = Level.DEBUG)
+ @Message("Unable to extract parameter from http request: %s value is '%s' for %s")
+ void unableToExtractParameter(@Cause Throwable cause, String paramSignature, String strVal, AccessibleObject target);
///////////////////////////////////////////////////////////////////////////////////////////////////////////
// TRACE //
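Review bot: The new `unableToExtractParameter` log entry is declared without an `id`, while its neighbour uses `@Message(id = BASE + 335, ...)`, so it will be emitted without the message code that operators typically filter on; unless the project deliberately leaves debug entries un-numbered, give it the next free id, e.g. `@Message(id = BASE + <NEXT_FREE_ID>, value = "Unable to extract parameter from http request: %s value is '%s' for %s")`. Since this entry is now the only place the `target` type is recorded, a Javadoc line such as `/** Logged at DEBUG only: carries the target type that was removed from the client-facing message. */` would explain why it exists alongside the Messages variant. The interface continues outside the hunk, so the `Level`, `@Cause` and `@LogMessage` imports cannot be confirmed from here; the added `AccessibleObject` import is used only by this signature.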
diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
index 8a3ca94..472fa30 100644
--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
+++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
@@ -549,8 +549,8 @@ public interface Messages
@Message(id = BASE + 865, value = "Unable to determine base class from Type")
String unableToDetermineBaseClass();
- @Message(id = BASE + 870, value = "Unable to extract parameter from http request: {0} value is '{1}' for {2}", format=Format.MESSAGE_FORMAT)
- String unableToExtractParameter(String paramSignature, String strVal, AccessibleObject target);
+ @Message(id = BASE + 870, value = "Unable to extract parameter from http request: %s value is '%s'")
+ String unableToExtractParameter(String paramSignature, String strVal);
@Message(id = BASE + 875, value = "Unable to find a constructor that takes a String param or a valueOf() or fromString() method for {0} on {1} for basetype: {2}", format=Format.MESSAGE_FORMAT)
String unableToFindConstructor(String paramSignature, AccessibleObject target, String className);
--
2.23.0