1080420 – [GSS] (6.3.1) DataSourceProvider uses an insecure method to read the input stream

Bug 1080420 - [GSS] (6.3.1) DataSourceProvider uses an insecure method to read the input stream

Summary: [GSS] (6.3.1) DataSourceProvider uses an insecure method to read the input st...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	RESTEasy
Sub Component:
Version:	6.2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	CR1
Target Release:	EAP 6.3.1
Assignee:	Weinan Li
QA Contact:	Katerina Odabasi
Docs Contact:
URL:
Whiteboard:
Depends On:	1118893
Blocks:	1091547 1091552 eap631-blockers, eap631-payload, eap63-cp01-blockers 1105695
TreeView+	depends on / blocked

Reported:	2014-03-25 12:06 UTC by William Antônio
Modified:	2018-12-05 17:51 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	RESTEasy used `InputStream.available()` to determine if it had completed reading an input stream from a client. RESTEasy would sometimes fail to completely read input data from clients. This is expected to be resolved in a future release of the product.
Clone Of:
Clones:	1091547 1118893 (view as bug list)
Environment:
Last Closed:	2014-10-13 18:38:26 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RESTEASY-779	0	Major	Closed	DataSourceProvider does not properly read InputStream	2017-10-10 00:26:12 UTC

Description William Antônio 2014-03-25 12:06:26 UTC

Description of problem:

DataSourceProvider that comes with RESTeasy is using the method InputStream::available method, which shouldn't be used as it is mention on InputStream's Javadoc[1]:

" Note that while some implementations of InputStream will return the total number of bytes in the stream, many will not. It is never correct to use the return value of this method to allocate a buffer intended to hold all data in this stream."

Customers have mention that they are experiencing issues when using this provider

[1] http://docs.oracle.com/javase/7/docs/api/java/io/InputStream.html#available%28%29

The solution would be avoid the usage of InputStream::available method.

Comment 10 JBoss JIRA Server 2014-05-06 01:04:40 UTC

Kyle Lape <kyle.lape> updated the status of jira RESTEASY-779 to Resolved

Comment 11 sgilda 2014-05-13 18:39:38 UTC

Changed from Bug Fix to Known Issue to fix Bug 1097118.

Comment 15 Weinan Li 2014-07-14 17:21:44 UTC

Patch applied:

master:resteasy-prod weinanli$ git branch
  2.3.7.1.Final-redhat
  2.3.7.2.Final-redhat
  2.3.7.Final-redhat
  2.3.7.Final-redhat-2
  2.3.7.Final-redhat-2-BZ1091552
  2.3.8.Final-redhat
* 2.3.8.SP1-redhat-1
  master

master:resteasy-prod weinanli$ git status
On branch 2.3.8.SP1-redhat-1
Changes to be committed:
  (use "git reset HEAD <file>..." to unstage)

	new file:   jaxrs-api/src/main/java/javax/ws/rs/core/NoContentException.java
	new file:   resteasy-jaxrs/src/main/java/org/jboss/resteasy/util/NoContent.java
	new file:   resteasy-jaxrs/src/main/java/org/jboss/resteasy/util/NoContentInputStreamDelegate.java

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

	modified:   resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DataSourceProvider.java

Patch borrowed from upstream: https://github.com/resteasy/Resteasy/pull/497/files


### NOTE ###

Please note we need to add a new class in 'jaxrs-api' from JAX-RS 2.0 spec: NoContentException.java

As EAP6 doesn't use the 'jaxrs-api' inside RESTEasy and build a standalone spec jar:

master:jboss-eap-6.3 weinanli$ find . | grep jaxrs-api
./modules/system/layers/base/javax/ws/rs/api/main/jboss-jaxrs-api_1.1_spec-1.0.1.Final-redhat-2.jar

It needs to be added into that jar for this patch to work. Or resteasy will fail to work on EAP6.

Comment 16 Weinan Li 2014-07-15 06:08:13 UTC

Blocked by BZ1119409. 

Mark, please decide whether we can put this in EAP 6.3.1 or not. If as Fernando said the jax-rs spec 1.1 can't be modified, then we should defer this issue to RESTEasy 3.x + EAP7.

Comment 31 Katerina Odabasi 2014-08-29 08:09:24 UTC

Verified in 6.3.1.CP.CR1. Reproduced with org.jboss.resteasy.plugins.providers.DataSourceProviderTest.

Comment 33 JBoss JIRA Server 2016-08-02 16:15:27 UTC

Alessio Soldano <asoldano> updated the status of jira RESTEASY-779 to Closed

Note You need to log in before you can comment on or make changes to this bug.