JBoss Enterprise Application Platform - JBEAP-24435

MP OpenAPI - Loading static files bigger than 3MB fails since SmallRye OpenAPI 3.0.1 uses new SnakeYaml that sets a constraint


      The fix for CVE-2022-25857 in SnakeYaml introduced a default constraint of 3 MB on loaded documents, which now applies when loading static files.

      WildFly 28 Beta - which is the base for EAP 8 GA and which currently uses SmallRye OpenAPI 3.0.1 since WFLY-17197 - fails to load static files larger than that default, because OpenApiProcessor provides no way to customize the limit when building a YAMLFactory and its related YAMLParser:

      22:31:25,836 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.undertow.host.default-server.default-host./big/openapi: org.jboss.msc.service.StartException in service org.wildfly.undertow.host.default-server.default-host./big/openapi: io.smallrye.openapi.runtime.OpenApiRuntimeException: com.fasterxml.jackson.dataformat.yaml.JacksonYAMLParseException: The incoming YAML document exceeds the limit: 3145728 code points.
       at [Source: (FileInputStream); line: 109594, column: 25]
      	at org.wildfly.clustering.service@28.0.0.Beta1-202301072046-b985cc92//org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:66)
      	at org.jboss.msc@1.5.0.Beta4//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1590)
      	at org.jboss.msc@1.5.0.Beta4//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1553)
      	at org.jboss.msc@1.5.0.Beta4//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1411)
      	at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
      	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
      	at java.base/java.lang.Thread.run(Thread.java:829)
      Caused by: io.smallrye.openapi.runtime.OpenApiRuntimeException: com.fasterxml.jackson.dataformat.yaml.JacksonYAMLParseException: The incoming YAML document exceeds the limit: 3145728 code points.
       at [Source: (FileInputStream); line: 109594, column: 25]
      	at io.smallrye.openapi//io.smallrye.openapi.runtime.OpenApiProcessor.modelFromStaticFile(OpenApiProcessor.java:103)
      	at org.wildfly.extension.microprofile.openapi-smallrye@28.0.0.Beta1-202301072046-b985cc92//org.wildfly.extension.microprofile.openapi.deployment.OpenAPIModelServiceConfigurator.get(OpenAPIModelServiceConfigurator.java:161)
      	at org.wildfly.extension.microprofile.openapi-smallrye@28.0.0.Beta1-202301072046-b985cc92//org.wildfly.extension.microprofile.openapi.deployment.OpenAPIModelServiceConfigurator.get(OpenAPIModelServiceConfigurator.java:90)
      	at org.wildfly.clustering.service@28.0.0.Beta1-202301072046-b985cc92//org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:63)
      	... 8 more
      Caused by: com.fasterxml.jackson.dataformat.yaml.JacksonYAMLParseException: The incoming YAML document exceeds the limit: 3145728 code points.
       at [Source: (FileInputStream); line: 109594, column: 25]
      	at com.fasterxml.jackson.dataformat.jackson-dataformat-yaml@2.13.4//com.fasterxml.jackson.dataformat.yaml.YAMLParser.nextToken(YAMLParser.java:409)
      	at com.fasterxml.jackson.core.jackson-core@2.13.4//com.fasterxml.jackson.core.JsonParser.nextFieldName(JsonParser.java:1038)
      	at com.fasterxml.jackson.core.jackson-databind@2.13.4.2//com.fasterxml.jackson.databind.deser.std.BaseNodeDeserializer._deserializeContainerNoRecursion(JsonNodeDeserializer.java:440)
      	at com.fasterxml.jackson.core.jackson-databind@2.13.4.2//com.fasterxml.jackson.databind.deser.std.JsonNodeDeserializer.deserialize(JsonNodeDeserializer.java:84)
      	at com.fasterxml.jackson.core.jackson-databind@2.13.4.2//com.fasterxml.jackson.databind.deser.std.JsonNodeDeserializer.deserialize(JsonNodeDeserializer.java:20)
      	at com.fasterxml.jackson.core.jackson-databind@2.13.4.2//com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323)
      	at com.fasterxml.jackson.core.jackson-databind@2.13.4.2//com.fasterxml.jackson.databind.ObjectMapper._readTreeAndClose(ObjectMapper.java:4716)
      	at com.fasterxml.jackson.core.jackson-databind@2.13.4.2//com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:3056)
      	at io.smallrye.openapi//io.smallrye.openapi.runtime.io.OpenApiParser.parse(OpenApiParser.java:76)
      	at io.smallrye.openapi//io.smallrye.openapi.runtime.OpenApiProcessor.modelFromStaticFile(OpenApiProcessor.java:101)
      	... 11 more
      Caused by: org.yaml.snakeyaml.error.YAMLException: The incoming YAML document exceeds the limit: 3145728 code points.
      	at org.yaml.snakeyaml//org.yaml.snakeyaml.scanner.ScannerImpl.fetchMoreTokens(ScannerImpl.java:342)
      	at org.yaml.snakeyaml//org.yaml.snakeyaml.scanner.ScannerImpl.checkToken(ScannerImpl.java:263)
      	at org.yaml.snakeyaml//org.yaml.snakeyaml.parser.ParserImpl$ParseBlockMappingKey.produce(ParserImpl.java:662)
      	at org.yaml.snakeyaml//org.yaml.snakeyaml.parser.ParserImpl.peekEvent(ParserImpl.java:185)
      	at org.yaml.snakeyaml//org.yaml.snakeyaml.parser.ParserImpl.getEvent(ParserImpl.java:195)
      	at com.fasterxml.jackson.dataformat.jackson-dataformat-yaml@2.13.4//com.fasterxml.jackson.dataformat.yaml.YAMLParser.nextToken(YAMLParser.java:403)
      	... 20 more
      

      There is a draft fix for SmallRye OpenAPI, which is blocked until a new release of jackson-dataformats-text 2.14 is published.
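      The following is an added example, not code from SmallRye OpenAPI, WildFly or the draft fix, showing what the limit customization described above looks like in Jackson 2.14+, where YAMLFactory.builder().loaderOptions(...) accepts a SnakeYAML LoaderOptions carrying setCodePointLimit(...). The YAML document, the system property name openapi.yaml.maxCodePoints and the 16 MB upper bound are constructed for the example; the 3145728 default comes from the stack trace above. It keeps an explicit, bounded limit rather than disabling the check, so the protection from CVE-2022-25857 (unbounded memory use on a huge document) stays in place for documents beyond what the deployment actually needs.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.yaml.JacksonYAMLParseException;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
import org.yaml.snakeyaml.LoaderOptions;

import java.io.IOException;

public class BoundedYamlLoader {

    // Default limit SnakeYAML applies since the CVE-2022-25857 fix (3 MiB of code points),
    // matching the "3145728 code points" figure in the failure above.
    static final int SNAKEYAML_DEFAULT_LIMIT = 3 * 1024 * 1024;

    /**
     * Build an ObjectMapper whose YAML parser accepts up to maxCodePoints.
     * Requires jackson-dataformat-yaml 2.14+, which exposes loaderOptions() on the factory builder.
     */
    static ObjectMapper yamlMapper(int maxCodePoints) {
        LoaderOptions opts = new LoaderOptions();
        opts.setCodePointLimit(maxCodePoints); // explicit ceiling, never "unlimited"
        YAMLFactory factory = YAMLFactory.builder().loaderOptions(opts).build();
        return new ObjectMapper(factory);
    }

    /** Constructed sample: an OpenAPI-style document padded with paths until it exceeds minChars. */
    static String bigOpenApiYaml(int minChars) {
        StringBuilder sb = new StringBuilder("openapi: 3.0.3\ninfo:\n  title: big\n  version: '1'\npaths:\n");
        for (int i = 0; sb.length() < minChars; i++) {
            sb.append("  /resource").append(i).append(":\n")
              .append("    get:\n      responses:\n        '200':\n          description: ok\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        String doc = bigOpenApiYaml(SNAKEYAML_DEFAULT_LIMIT + 1024);

        // 1. Default factory: reproduces the failure reported above.
        try {
            new ObjectMapper(new YAMLFactory()).readTree(doc);
        } catch (JacksonYAMLParseException e) {
            System.out.println("default limit rejected document: " + e.getOriginalMessage());
        }

        // 2. Deployment-configurable but still bounded limit (hypothetical property name).
        int limit = Integer.getInteger("openapi.yaml.maxCodePoints", 16 * 1024 * 1024);
        JsonNode root = yamlMapper(limit).readTree(doc);
        System.out.println("parsed paths: " + root.get("paths").size());
    }
}
```

      With jackson-dataformat-yaml 2.13.x, as in the trace above, the builder has no loaderOptions() method, which is why the page's draft fix waits on the 2.14 release of jackson-dataformats-text.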

            pferraro@redhat.com Paul Ferraro
            fburzigo Fabio Burzigotti