Bug 1080420 - [GSS] (6.3.1) DataSourceProvider uses an insecure method to read the input stream
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: RESTEasy
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
: EAP 6.3.1
Assignee: Weinan Li
QA Contact: Katerina Odabasi
URL:
Whiteboard:
Depends On: 1118893
Blocks: 1091547 1091552 eap631-blockers, eap631-payload, eap63-cp01-blockers 1105695
Reported: 2014-03-25 12:06 UTC by William Antônio
Modified: 2018-12-05 17:51 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
RESTEasy used `InputStream.available()` to determine if it had completed reading an input stream from a client. RESTEasy would sometimes fail to completely read input data from clients. This is expected to be resolved in a future release of the product.
Clone Of:
: 1091547 1118893
Environment:
Last Closed: 2014-10-13 18:38:26 UTC
Type: Bug




Links
System ID Priority Status Summary Last Updated
JBoss Issue Tracker RESTEASY-779 Major Closed DataSourceProvider does not properly read InputStream 2017-10-10 00:26:12 UTC

Description William Antônio 2014-03-25 12:06:26 UTC
Description of problem:

DataSourceProvider that comes with RESTEasy is using the InputStream::available method, which shouldn't be used, as is mentioned in InputStream's Javadoc[1]:

" Note that while some implementations of InputStream will return the total number of bytes in the stream, many will not. It is never correct to use the return value of this method to allocate a buffer intended to hold all data in this stream."

Customers have mentioned that they are experiencing issues when using this provider.

[1] http://docs.oracle.com/javase/7/docs/api/java/io/InputStream.html#available%28%29

The solution would be to avoid the usage of the InputStream::available method.
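To illustrate the defect the description reports, here is an added Java example (not RESTEasy's DataSourceProvider code): a read that sizes its buffer from available() and stops as soon as that hint is exhausted, beside a read that loops until read() returns -1. The input is a constructed two-chunk SequenceInputStream, whose available() only reports the current chunk, much as a network stream reports only what has already arrived.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.SequenceInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class AvailableVsEof {

    // Flawed pattern (constructed to mirror the reported bug): available() is treated as
    // "bytes remaining", so the buffer is sized from it and reading stops after one pass.
    static byte[] readWithAvailable(InputStream in) throws IOException {
        byte[] buf = new byte[in.available()];   // hint only; not the total stream length
        int n = in.read(buf);
        return n < 0 ? new byte[0] : Arrays.copyOf(buf, n);
    }

    // Correct pattern: read() returning -1 is the only reliable end-of-stream signal.
    static byte[] readToEof(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    // Constructed request body delivered in two chunks; SequenceInputStream.available()
    // reports only the chunk currently being read, so the first call returns 7, not 13.
    static InputStream chunkedBody() {
        return new SequenceInputStream(
            new ByteArrayInputStream("Hello, ".getBytes(StandardCharsets.UTF_8)),
            new ByteArrayInputStream("world!".getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws IOException {
        String partial = new String(readWithAvailable(chunkedBody()), StandardCharsets.UTF_8);
        String full = new String(readToEof(chunkedBody()), StandardCharsets.UTF_8);
        System.out.println("available()-based read: \"" + partial + "\"");   // "Hello, "
        System.out.println("read-until-EOF:         \"" + full + "\"");      // "Hello, world!"
    }
}
```

The truncated result is silent: no exception is thrown, the provider simply hands the application an incomplete body, which is why the symptom surfaced only as intermittent customer reports.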

Comment 10 JBoss JIRA Server 2014-05-06 01:04:40 UTC
Kyle Lape <kyle.lape@redhat.com> updated the status of jira RESTEASY-779 to Resolved

Comment 11 sgilda 2014-05-13 18:39:38 UTC
Changed from Bug Fix to Known Issue to fix Bug 1097118.

Comment 15 Weinan Li 2014-07-14 17:21:44 UTC
Patch applied:

master:resteasy-prod weinanli$ git branch
  2.3.7.1.Final-redhat
  2.3.7.2.Final-redhat
  2.3.7.Final-redhat
  2.3.7.Final-redhat-2
  2.3.7.Final-redhat-2-BZ1091552
  2.3.8.Final-redhat
* 2.3.8.SP1-redhat-1
  master

master:resteasy-prod weinanli$ git status
On branch 2.3.8.SP1-redhat-1
Changes to be committed:
  (use "git reset HEAD <file>..." to unstage)

	new file:   jaxrs-api/src/main/java/javax/ws/rs/core/NoContentException.java
	new file:   resteasy-jaxrs/src/main/java/org/jboss/resteasy/util/NoContent.java
	new file:   resteasy-jaxrs/src/main/java/org/jboss/resteasy/util/NoContentInputStreamDelegate.java

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

	modified:   resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DataSourceProvider.java

Patch borrowed from upstream: https://github.com/resteasy/Resteasy/pull/497/files


### NOTE ###

Please note we need to add a new class in 'jaxrs-api' from JAX-RS 2.0 spec: NoContentException.java

As EAP6 doesn't use the 'jaxrs-api' inside RESTEasy and builds a standalone spec jar:

master:jboss-eap-6.3 weinanli$ find . | grep jaxrs-api
./modules/system/layers/base/javax/ws/rs/api/main/jboss-jaxrs-api_1.1_spec-1.0.1.Final-redhat-2.jar

It needs to be added into that jar for this patch to work, or RESTEasy will fail to work on EAP6.

Comment 16 Weinan Li 2014-07-15 06:08:13 UTC
Blocked by BZ1119409. 

Mark, please decide whether we can put this in EAP 6.3.1 or not. If as Fernando said the jax-rs spec 1.1 can't be modified, then we should defer this issue to RESTEasy 3.x + EAP7.

Comment 31 Katerina Odabasi 2014-08-29 08:09:24 UTC
Verified in 6.3.1.CP.CR1. Reproduced with org.jboss.resteasy.plugins.providers.DataSourceProviderTest.

Comment 33 JBoss JIRA Server 2016-08-02 16:15:27 UTC
Alessio Soldano <asoldano@redhat.com> updated the status of jira RESTEASY-779 to Closed

