Bug 899664 (JBPAPP6-1520)
Summary: | (EAP 6.4.x) RESTEasy: Boolean configuration parameters don't reject non-sense content | |||
---|---|---|---|---|
Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Pavel Janousek <pjanouse> | |
Component: | RESTEasy | Assignee: | Weinan Li <weli> | |
Status: | CLOSED EOL | QA Contact: | Katerina Odabasi <kanovotn> | |
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | TBD EAP 6 | CC: | kanovotn, mkopecky, myarboro, nobody, rajesh.rajasekaran, rsvoboda, vtunka, weli | |
Target Milestone: | DR9 | |||
Target Release: | EAP 6.4.0 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
URL: | http://jira.jboss.org/jira/browse/JBPAPP6-1520 | |||
Fixed In Version: | Doc Type: | Known Issue | ||
Doc Text: |
This release of JBoss EAP 6 carries a bug that allows invalid Boolean configuration parameters to be set. This behavior is unintended as invalid parameters should be rejected and the application should not be deployed.
This issue is expected to be resolved in a future release of the product.
|
: | 1121661 | Environment: | |
Last Closed: | 2019-08-19 12:43:47 UTC | Type: | Bug | |
Bug Blocks: | 1121661 |
Description
Pavel Janousek
2011-12-15 15:22:14 UTC
Link: Added: This issue Cloned to JBPAPP-7767

It's a requirement that these parameters should accept 'true' and 'false' values, currently the code is like the following:

    String sResources = getParameter(ResteasyContextParameters.RESTEASY_SCAN_RESOURCES);
    if (sResources != null) {
        scanResources = Boolean.valueOf(sResources.trim());
    }

It's possible to modify the logic and I wonder whether that's necessary. I'll ask Bill for confirmation. btw, such kind of issue should be into RESTEasy project instead of EAP in JIRA, it's a feature request instead of a bug.

Assuming web.xml contains only correct values (format, content etc.) is a deeply bad way. The first check is done by an XML check against the DTD definition, but it isn't sufficient - it only checks lexical validity, not semantic.... And a worse way is to raise only a conversion exception in this way, if any... - a properly implemented feature (as this one) should report invalid input correctly - with an appropriate error message. Also be aware - something later catches this exception and doesn't report it at all - this is the worst scenario - silently ignoring such a thing is a very bad programmer's technique. In my PoV this error-ed deployment description should fail during deploying with reporting of an appropriate message in this case. Every such gathering of some value should be wrapped with a try/catch block. This is not the only case of a bad piece of code in RESTEasy (nor in this project too, of course).

problem fixed in trunk: https://github.com/resteasy/Resteasy/pull/3
When EAP uses newest RESTEasy release, we'll get this issue solved.

Link: Added: This issue is related to JBPAPP-7859

Latest update is RESTEasy 2.3.2 bugfix release is targeted for AS 7.1.1. Moving to 6.0.0.ER4 as that is the EAP build scheduled to pick up 7.1.1

Link: Added: This issue incorporates JBPAPP-8506

Shelly, was this jira resolved for ER4?

Weinan, Was the pull request merged upstream?
As this priority on this release was downgraded, do you want to delay cutting a new resteasy release or do you plan to cut a release now since the fix is available. Please check the cutoff dates with Shelly if you plan to cut the release or move the fix version to TBD EAP6

fixed in er7

Configuration parameter:
- resteasy.use.builtin.providers
was missed in this fixing, others are fine and work for me as expected. I've tried on ER7 build.

Docs QE Status: Removed: NEW

PR submitted: https://github.com/resteasy/Resteasy/pull/387

The PR has been merged into upstream Branch_2_3, but we'll need a new release of RESTEasy to include this (2.3.8). From RESTEasy community there is no 2.3.8.Final yet. If we want to include this in EAP 6.2.0, it will need following steps:
- Ron will need to release RESTEasy 2.3.8.Final in community
- We'll need a 'upgrade RESTEasy 2.3.8.Final' request and pass 3-ack
- Several days are needed to build 2.3.8 for EAP6
- A PR request to update RESTEasy version of EAP6 in github will be created
- A bug related with above PR requests will be created.
According to the importance of this bug, I'd suggest we deduce this from 6.2.0 and put it into future version. Is that okay?

Requesting clarification on owner, relevance, target since this bug is more than two years old and less than POST state: http://post-office.corp.redhat.com/archives/eap6-triage/2014-March/msg00001.html

As RESTEasy 2.3.8.Final is not included into EAP 6.3, so the patch is still not included.

2.3.8 has fixed this problem.

Resteasy 2.3.8 still doesn't use parseBooleanParam() method to check for RESTEASY_USE_BUILTIN_PROVIDERS parameter.

(In reply to Katerina Novotna from comment #27)
> Resteasy 2.3.8 still doesn't use parseBooleanParam() method to check for
> RESTEASY_USE_BUILTIN_PROVIDERS parameter.

Katerina, I've checked the source code of 2.3.8.Final-redhat and seems it's already merged:

    master:resteasy-prod weinanli$ grep 'parseBooleanParam' resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/server/servlet/ConfigurationBootstrap.java
    scanProviders = parseBooleanParam(ResteasyContextParameters.RESTEASY_SCAN_PROVIDERS, sProviders);
    boolean tmp = parseBooleanParam(ResteasyContextParameters.RESTEASY_SCAN, scanAll);
    scanResources = parseBooleanParam(ResteasyContextParameters.RESTEASY_SCAN_RESOURCES, sResources);
    boolean tmp = parseBooleanParam(ResteasyContextParameters.RESTEASY_SCANNED_BY_DEPLOYER, sScannedByDeployer);
    private boolean parseBooleanParam(String key, String value) {

    master:resteasy-prod weinanli$ git branch
      2.3.7.1.Final-redhat
      2.3.7.2.Final-redhat
      2.3.7.Final-redhat
      2.3.7.Final-redhat-2
      2.3.7.Final-redhat-2-BZ1091552
    * 2.3.8.Final-redhat
      master

    master:resteasy-prod weinanli$ cat ./.git/config
    [core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
        ignorecase = true
        precomposeunicode = true
    [remote "origin"]
        url = git+ssh://weli.eng.bos.redhat.com/srv/git/resteasy.git
        fetch = +refs/heads/*:refs/remotes/origin/*

Where do you find that the patch is not merged?

Hi Weinan, yes the patch is merged, but not complete. I see in [1] line 107, that RESTEASY_USE_BUILTIN_PROVIDERS parameter will not throw exception when incorrect input is provided. Additionally, line 104, parameter RESTEASY_ROLE_BASED_SECURITY is the same case.

[1] http://git.app.eng.bos.redhat.com/git/resteasy.git/tree/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/server/servlet/ConfigurationBootstrap.java?h=2.3.8.Final-redhat

Thanks for checking so carefully Katerina, I'll work on it.

PR for upstream: https://github.com/resteasy/Resteasy/pull/515/files
PR for Branch_2_3: https://github.com/resteasy/Resteasy/pull/516/files

Making public for inclusion in 6.3.0 Release Notes.

I set option "resteasy.scan" to "1" in web.xml:

    <context-param>
        <param-name>resteasy.scan</param-name>
        <param-value>1</param-value>
    </context-param>

I deploy application:

    mvn package jboss-as:deploy

Actual results:

    org.jboss.as.server.deployment.DeploymentUnitProcessingException: JBAS011235: Invalid value for parameter resteasy.scan: 1"}}

Expected results:
No errors.
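
Added example, not part of the bug thread and not RESTEasy's or EAP's own code: the lenient Boolean.valueOf() parse quoted in the thread next to a strict parse that rejects anything other than 'true' or 'false'. The class and method names (StrictBooleanParamDemo, lenient, strict) and the sample values are assumptions made for illustration; the error text is modelled on the "Invalid value for parameter" message quoted above.

```java
public class StrictBooleanParamDemo {

    // Lenient parse, same logic as the snippet quoted in the thread:
    // every value other than "true" (any case) silently becomes false.
    static boolean lenient(String value) {
        return Boolean.valueOf(value.trim());
    }

    // Hypothetical strict parse: accept only "true"/"false" (any case,
    // surrounding whitespace ignored) and fail loudly on anything else.
    static boolean strict(String key, String value) {
        String v = (value == null) ? "" : value.trim();
        if (v.equalsIgnoreCase("true")) {
            return true;
        }
        if (v.equalsIgnoreCase("false")) {
            return false;
        }
        throw new IllegalArgumentException(
                "Invalid value for parameter " + key + ": " + value);
    }

    public static void main(String[] args) {
        // Constructed sample context-param values (not from a real deployment).
        String[][] params = {
            {"resteasy.scan", "1"},
            {"resteasy.scan", " TRUE "},
            {"resteasy.use.builtin.providers", "flase"},
            {"resteasy.use.builtin.providers", "false"},
        };
        for (String[] p : params) {
            String strictResult;
            try {
                strictResult = String.valueOf(strict(p[0], p[1]));
            } catch (IllegalArgumentException e) {
                // A deployer would abort the deployment here and log the message.
                strictResult = "rejected: " + e.getMessage();
            }
            System.out.printf("%s='%s' lenient=%b strict=%s%n",
                    p[0], p[1], lenient(p[1]), strictResult);
        }
    }
}
```

With the lenient parse, a mistyped value on a security-related switch such as the RESTEASY_ROLE_BASED_SECURITY parameter mentioned in the thread is read as false without any message, so the deployment proceeds with the feature off.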