- Bug
- Resolution: Done
- Blocker
- 28.0.0.Beta1
- None
CVE-2022-25857 was fixed in SnakeYaml, which now sets a default constraint of 3 MB when loading static files.
WildFly 28 Beta, which has used SmallRye OpenAPI 3.0.1 since WFLY-17197, fails to load files larger than that default value, because OpenApiProcessor does not provide any way to customize the limit when building a YAMLFactory and its related YAMLParser:
22:31:25,836 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.undertow.host.default-server.default-host./big/openapi: org.jboss.msc.service.StartException in service org.wildfly.undertow.host.default-server.default-host./big/openapi: io.smallrye.openapi.runtime.OpenApiRuntimeException: com.fasterxml.jackson.dataformat.yaml.JacksonYAMLParseException: The incoming YAML document exceeds the limit: 3145728 code points.
 at [Source: (FileInputStream); line: 109594, column: 25]
	at org.wildfly.clustering.service@28.0.0.Beta1-202301072046-b985cc92//org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:66)
	at org.jboss.msc@1.5.0.Beta4//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1590)
	at org.jboss.msc@1.5.0.Beta4//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1553)
	at org.jboss.msc@1.5.0.Beta4//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1411)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: io.smallrye.openapi.runtime.OpenApiRuntimeException: com.fasterxml.jackson.dataformat.yaml.JacksonYAMLParseException: The incoming YAML document exceeds the limit: 3145728 code points.
 at [Source: (FileInputStream); line: 109594, column: 25]
	at io.smallrye.openapi//io.smallrye.openapi.runtime.OpenApiProcessor.modelFromStaticFile(OpenApiProcessor.java:103)
	at org.wildfly.extension.microprofile.openapi-smallrye@28.0.0.Beta1-202301072046-b985cc92//org.wildfly.extension.microprofile.openapi.deployment.OpenAPIModelServiceConfigurator.get(OpenAPIModelServiceConfigurator.java:161)
	at org.wildfly.extension.microprofile.openapi-smallrye@28.0.0.Beta1-202301072046-b985cc92//org.wildfly.extension.microprofile.openapi.deployment.OpenAPIModelServiceConfigurator.get(OpenAPIModelServiceConfigurator.java:90)
	at org.wildfly.clustering.service@28.0.0.Beta1-202301072046-b985cc92//org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:63)
	... 8 more
Caused by: com.fasterxml.jackson.dataformat.yaml.JacksonYAMLParseException: The incoming YAML document exceeds the limit: 3145728 code points.
 at [Source: (FileInputStream); line: 109594, column: 25]
	at com.fasterxml.jackson.dataformat.jackson-dataformat-yaml@2.13.4//com.fasterxml.jackson.dataformat.yaml.YAMLParser.nextToken(YAMLParser.java:409)
	at com.fasterxml.jackson.core.jackson-core@2.13.4//com.fasterxml.jackson.core.JsonParser.nextFieldName(JsonParser.java:1038)
	at com.fasterxml.jackson.core.jackson-databind@2.13.4.2//com.fasterxml.jackson.databind.deser.std.BaseNodeDeserializer._deserializeContainerNoRecursion(JsonNodeDeserializer.java:440)
	at com.fasterxml.jackson.core.jackson-databind@2.13.4.2//com.fasterxml.jackson.databind.deser.std.JsonNodeDeserializer.deserialize(JsonNodeDeserializer.java:84)
	at com.fasterxml.jackson.core.jackson-databind@2.13.4.2//com.fasterxml.jackson.databind.deser.std.JsonNodeDeserializer.deserialize(JsonNodeDeserializer.java:20)
	at com.fasterxml.jackson.core.jackson-databind@2.13.4.2//com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323)
	at com.fasterxml.jackson.core.jackson-databind@2.13.4.2//com.fasterxml.jackson.databind.ObjectMapper._readTreeAndClose(ObjectMapper.java:4716)
	at com.fasterxml.jackson.core.jackson-databind@2.13.4.2//com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:3056)
	at io.smallrye.openapi//io.smallrye.openapi.runtime.io.OpenApiParser.parse(OpenApiParser.java:76)
	at io.smallrye.openapi//io.smallrye.openapi.runtime.OpenApiProcessor.modelFromStaticFile(OpenApiProcessor.java:101)
	... 11 more
Caused by: org.yaml.snakeyaml.error.YAMLException: The incoming YAML document exceeds the limit: 3145728 code points.
	at org.yaml.snakeyaml//org.yaml.snakeyaml.scanner.ScannerImpl.fetchMoreTokens(ScannerImpl.java:342)
	at org.yaml.snakeyaml//org.yaml.snakeyaml.scanner.ScannerImpl.checkToken(ScannerImpl.java:263)
	at org.yaml.snakeyaml//org.yaml.snakeyaml.parser.ParserImpl$ParseBlockMappingKey.produce(ParserImpl.java:662)
	at org.yaml.snakeyaml//org.yaml.snakeyaml.parser.ParserImpl.peekEvent(ParserImpl.java:185)
	at org.yaml.snakeyaml//org.yaml.snakeyaml.parser.ParserImpl.getEvent(ParserImpl.java:195)
	at com.fasterxml.jackson.dataformat.jackson-dataformat-yaml@2.13.4//com.fasterxml.jackson.dataformat.yaml.YAMLParser.nextToken(YAMLParser.java:403)
	... 20 more
There's a draft fix to SmallRye OpenAPI, which is blocked until a new release of jackson-dataformats-text 2.14 is published.
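With jackson-dataformat-yaml 2.14 or later, the SnakeYAML code point limit can be raised to a bounded value instead of being left at the 3145728 default seen in the trace. The following is an added example, not code from this issue or from the SmallRye OpenAPI fix; the class name, the 16 MB ceiling and the sample document are constructed for illustration, and it assumes SnakeYAML 1.32+ on the classpath.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
import org.yaml.snakeyaml.LoaderOptions;

public class BoundedYamlLimit {
    // Assumed ceiling for trusted, deployment-bundled OpenAPI files (constructed value).
    // Keep it finite: the limit exists to stop oversized documents exhausting memory.
    static final int MAX_CODE_POINTS = 16 * 1024 * 1024;

    // Build a mapper whose SnakeYAML scanner accepts up to `limit` code points.
    static ObjectMapper mapperWithLimit(int limit) {
        LoaderOptions options = new LoaderOptions();
        options.setCodePointLimit(limit); // SnakeYAML default is 3 * 1024 * 1024
        // YAMLFactoryBuilder.loaderOptions(...) is available from Jackson 2.14.
        YAMLFactory factory = YAMLFactory.builder().loaderOptions(options).build();
        return new ObjectMapper(factory);
    }

    // Constructed sample: a flat OpenAPI-like mapping padded past the 3 MB default.
    static String bigDocument(int targetChars) {
        StringBuilder sb = new StringBuilder("openapi: 3.0.3\npaths:\n");
        for (int i = 0; sb.length() < targetChars; i++) {
            sb.append("  /resource").append(i).append(": {}\n");
        }
        return sb.toString();
    }

    // Returns true if the document parsed, false if the parser rejected it.
    static boolean parses(ObjectMapper mapper, String yaml) {
        try {
            JsonNode root = mapper.readTree(yaml);
            return root.has("paths");
        } catch (Exception e) { // JacksonYAMLParseException wraps the SnakeYAML limit error
            System.out.println("rejected: " + e.getMessage().split("\n")[0]);
            return false;
        }
    }

    public static void main(String[] args) {
        String yaml = bigDocument(4 * 1024 * 1024);
        // Default factory: SnakeYAML's built-in limit applies.
        System.out.println("default factory : " + parses(new ObjectMapper(new YAMLFactory()), yaml));
        // Explicit LoaderOptions: larger document accepted, still bounded.
        System.out.println("bounded override: " + parses(mapperWithLimit(MAX_CODE_POINTS), yaml));
    }
}
```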
- is blocked by
  - WFLY-17601 Upgrade smallrye-open-api to 3.2.0 (Closed)
- is cloned by
  - JBEAP-24435 MP OpenAPI - Loading static files bigger than 3MB fails since SmallRye OpenAPI 3.0.1 uses new SnakeYaml that sets a constraint (Closed)
- relates to
  - RESTEASY-3295 Upgrade Jackson from 2.13 to 2.14 (Resolved)