RESTEASY-1103

Resteasy secure processing to be turned on by default to apply entity expansion limit


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Versions: 3.0.9.Final, 3.0.8.Final
    • Component: jaxrs

      The TestXXESecureProcessing test case fails on the following tests:
      Failed tests: testXmlRootElementWithExternalExpansionBig(org.jboss.resteasy.test.xxe.TestXXESecureProcessing): expected:<400> but was:<200>
      testXmlRootElementDefaultBig(org.jboss.resteasy.test.xxe.TestXXESecureProcessing): expected:<400> but was:<200>
      testXmlRootElementWithoutExternalExpansionBig(org.jboss.resteasy.test.xxe.TestXXESecureProcessing): expected:<400> but was:<200>

      How reproducible:

      Steps to Reproduce:
      1. git clone https://github.com/resteasy/Resteasy.git resteasy-ts; cd resteasy-ts
      2. uncomment the xercesImpl dependency in the resteasy-jaxb-provider project pom
      3. mvn clean verify -fn -pl :resteasy-jaxb-provider,:resteasy-test-tjws,:tjws -Dtest=TestXXESecureProcessing

      Actual results:
      The response is 200 (OK) instead of

      Expected results:
      status: 400
      Result: <HTML><HEAD><TITLE>400 javax.xml.bind.UnmarshalException</TITLE></HEAD><BODY BGCOLOR="#D1E9FE"><H2>400 javax.xml.bind.UnmarshalException</H2><PRE>
       - with linked exception:
      [org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; JAXP00010001: The parser has encountered more than "64000" entity expansions in this document; this is the limit imposed by the JDK.]</PRE><HR><ADDRESS><A HREF="http://tjws.sourceforge.net">D. Rogatkin's TJWS based on Acme.Serve Version 1.70, $Revision: 1.194 $</A></ADDRESS></BODY></HTML>

      Additional info:
      The tests fail on any platform when the xercesImpl project dependency is defined. They fail with xerces:xercesImpl:2.9.1-redhat-4 provided by EAP and also with the upstream xerces:xercesImpl:2.9.1 dependency.
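      The check that the "Big" tests above perform, written out as an added example (not code from this report or from RESTEasy itself): a constructed document that exceeds the entity expansion limit is unmarshalled through a SAX parser with JAXP secure processing explicitly enabled, which is the setting the issue asks RESTEasy to apply by default. The class name and the Search bean are assumed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;

public class SecureProcessingCheck {
    // Hypothetical JAXB bean standing in for the test's @XmlRootElement type.
    @XmlRootElement(name = "search")
    public static class Search { public String term; }

    // Constructed input: three nested entity levels, each referencing the previous
    // one 50 times, so expanding &e3; costs about 127,000 expansions, well above
    // the 64,000 limit quoted in the report.
    static String bigExpansionDoc() {
        StringBuilder sb = new StringBuilder("<!DOCTYPE search [<!ENTITY e0 \"x\">");
        for (int lvl = 1; lvl <= 3; lvl++) {
            sb.append("<!ENTITY e").append(lvl).append(" \"");
            for (int i = 0; i < 50; i++) sb.append("&e").append(lvl - 1).append(';');
            sb.append("\">");
        }
        return sb.append("]><search><term>&e3;</term></search>").toString();
    }

    // Feed JAXB an explicitly configured SAX parser instead of its default one,
    // so JAXP secure processing (and with it the expansion limit) is enabled.
    static Search unmarshal(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        SAXSource source = new SAXSource(spf.newSAXParser().getXMLReader(),
                                         new InputSource(new StringReader(xml)));
        return (Search) JAXBContext.newInstance(Search.class)
                                   .createUnmarshaller().unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        try {
            unmarshal(bigExpansionDoc());
            System.out.println("FAIL: expansion limit not enforced");
        } catch (UnmarshalException e) {
            // The linked SAXParseException carries the parser's expansion-limit
            // message (JAXP00010001 with the JDK parser, as in the 400 above).
            System.out.println("OK, rejected: " + e.getCause().getMessage());
        }
    }
}
```

A provider that maps this UnmarshalException to a 400 response reproduces the expected result in the report; if the run prints FAIL, the parser on the classpath is not honouring the secure-processing limit.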

            rsigal@redhat.com Ronald Sigal
            kanovotn Katerina Odabasi (Inactive)