Uploaded image for project: 'RESTEasy'
  1. RESTEasy
  2. RESTEASY-1103

Resteasy secure processing to be turn on by default to apply entity expansion limit

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.0.8.Final
    • Fix Version/s: 3.0.9.Final
    • Component/s: jaxrs
    • Labels:
      None

      Description

      TestXXESecureProcessing testcase fails on the following tests:
      Failed tests: testXmlRootElementWithExternalExpansionBig(org.jboss.resteasy.test.xxe.TestXXESecureProcessing): expected:<400> but was:<200>
      testXmlRootElementDefaultBig(org.jboss.resteasy.test.xxe.TestXXESecureProcessing): expected:<400> but was:<200>
      testXmlRootElementWithoutExternalExpansionBig(org.jboss.resteasy.test.xxe.TestXXESecureProcessing): expected:<400> but was:<200>

      How reproducible:
      always

      Steps to Reproduce:
      1. git clone https://github.com/resteasy/Resteasy.git resteasy-ts; cd resteasy-ts
      2. uncomment xercesImpl dependency in resteasy-jaxb-provider project pom
      3. mvn clean verify -fn -pl :resteasy-jaxb-provider,:resteasy-test-tjws,:tjws -Dtest=TestXXESecureProcessing

      Actual results:
      The response is 200 (OK) instead of

      Expected results:
      status: 400
      Result: <HTML><HEAD><TITLE>400 javax.xml.bind.UnmarshalException</TITLE></HEAD><BODY BGCOLOR="#D1E9FE"><H2>400 javax.xml.bind.UnmarshalException</H2><PRE>

      • with linked exception:
        [org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; JAXP00010001: The parser has encountered more than "64000" entity expansions in this document; this is the limit imposed by the JDK.]</PRE><HR><ADDRESS><A HREF="http://tjws.sourceforge.net">D. Rogatkin's TJWS based on Acme.Serve Version 1.70, $Revision: 1.194 $</A></ADDRESS></BODY></HTML>

      Additional info:
      The tests fails on any platform, with xercesImpl project dependency defined. It fails with xerces:xercesImpl:2.9.1-redhat-4 provided by EAP and also with xerces:xercesImpl:2.9.1 upstream dependecy.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  ron_sigal Ronald Sigal
                  Reporter:
                  kanovotn Katerina Odabasi
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: