Posted to commits@cxf.apache.org by as...@apache.org on 2019/05/06 21:06:39 UTC
[cxf] branch master updated: CXF-7983: added check for existing,
but empty input stream
This is an automated email from the ASF dual-hosted git repository.
ashakirin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new 0650160 CXF-7983: added check for existing, but empty input stream
0650160 is described below
commit 06501600e6a89c5a5ec2924bd64f1dc4c4d69465
Author: Andrei Shakirin <an...@gmail.com>
AuthorDate: Mon May 6 23:10:54 2019 +0200
CXF-7983: added check for existing, but empty input stream
---
.../cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java | 7 ++-----
.../rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java | 7 ++-----
.../cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java | 8 +++++++-
.../cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java | 7 ++++++-
.../cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java | 7 ++++++-
.../cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java | 7 ++++++-
.../cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java | 7 ++++++-
.../cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java | 7 ++++++-
.../cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java | 7 ++++++-
.../cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java | 7 ++++++-
10 files changed, 53 insertions(+), 18 deletions(-)
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
index 91c3a7b..0fd74e0 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
@@ -19,13 +19,11 @@
package org.apache.cxf.rs.security.jose.jaxrs;
import java.io.IOException;
-import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.ws.rs.core.MultivaluedMap;
-import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwe.JweCompactConsumer;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
@@ -40,9 +38,8 @@ public class AbstractJweDecryptingFilter {
private String defaultMediaType;
private boolean checkEmptyStream;
- protected JweDecryptionOutput decrypt(InputStream is) throws IOException {
- JweCompactConsumer jwe = new JweCompactConsumer(new String(IOUtils.readBytesFromStream(is),
- StandardCharsets.UTF_8));
+ protected JweDecryptionOutput decrypt(final byte[] content) throws IOException {
+ JweCompactConsumer jwe = new JweCompactConsumer(new String(content, StandardCharsets.UTF_8));
JweDecryptionProvider theDecryptor = getInitializedDecryptionProvider(jwe.getJweHeaders());
JweDecryptionOutput out = new JweDecryptionOutput(jwe.getJweHeaders(), jwe.getDecryptedContent(theDecryptor));
JoseUtils.traceHeaders(out.getHeaders());
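Review bot: Replacing the protected `decrypt(InputStream is)` with `decrypt(final byte[] content)` in this hunk removes a signature that subclasses outside this module may call or override, and the same replacement is made in AbstractJweJsonDecryptingFilter. Both classes are public and non-final, so I would keep a delegating overload, `protected JweDecryptionOutput decrypt(InputStream is) throws IOException { return decrypt(IOUtils.readBytesFromStream(is)); }`, which means retaining the `InputStream` and `IOUtils` imports that the preceding hunk drops. A short Javadoc on the new method stating that `content` is the raw compact JWE serialization and is decoded as UTF-8 would also help callers. The method body continues past the end of the hunk.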
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
index fc72cd1..3c7cdf4 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
@@ -19,14 +19,12 @@
package org.apache.cxf.rs.security.jose.jaxrs;
import java.io.IOException;
-import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.core.MultivaluedMap;
-import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
@@ -43,9 +41,8 @@ public class AbstractJweJsonDecryptingFilter {
private String defaultMediaType;
private Map<String, Object> recipientProperties;
private boolean checkEmptyStream;
- protected JweDecryptionOutput decrypt(InputStream is) throws IOException {
- JweJsonConsumer c = new JweJsonConsumer(new String(IOUtils.readBytesFromStream(is),
- StandardCharsets.UTF_8));
+ protected JweDecryptionOutput decrypt(final byte[] content) throws IOException {
+ JweJsonConsumer c = new JweJsonConsumer(new String(content, StandardCharsets.UTF_8));
JweDecryptionProvider theProvider = getInitializedDecryptionProvider(c.getProtectedHeader());
JweJsonEncryptionEntry entry = c.getJweDecryptionEntry(theProvider, recipientProperties);
if (entry == null) {
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
index 082f7dc..d48f3a3 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
@@ -28,6 +28,7 @@ import javax.ws.rs.client.ClientResponseContext;
import javax.ws.rs.client.ClientResponseFilter;
import javax.ws.rs.core.Response;
+import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
@@ -41,7 +42,11 @@ public class JweClientResponseFilter extends AbstractJweDecryptingFilter impleme
|| isCheckEmptyStream() && !res.hasEntity()) {
return;
}
- JweDecryptionOutput out = decrypt(res.getEntityStream());
+ final byte[] encryptedContent = IOUtils.readBytesFromStream(res.getEntityStream());
+ if (encryptedContent.length == 0) {
+ return;
+ }
+ JweDecryptionOutput out = decrypt(encryptedContent);
byte[] bytes = out.getContent();
res.setEntityStream(new ByteArrayInputStream(bytes));
res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
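Review bot: The new `encryptedContent.length == 0` early return skips decryption for every empty body regardless of `isCheckEmptyStream()`, so a message with no entity now leaves this filter as if it had been processed. The same pattern is added in JweContainerRequestFilter, JweJsonClientResponseFilter, JweJsonContainerRequestFilter and the four Jws* filters; on the container request side the body comes from the remote caller, so an empty request would reach the resource without decryption or signature verification. If that is intended, it deserves a comment such as `// empty entity: nothing to decrypt, message is passed on unprotected`; otherwise gate the skip on the existing flag, e.g. `if (encryptedContent.length == 0 && isCheckEmptyStream()) { return; }`, and let the consumer reject an empty payload when the flag is off. The first operand of the guard above and the rest of `filter` lie outside the hunk, so the existing no-content checks could not be reviewed here.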
@@ -53,6 +58,7 @@ public class JweClientResponseFilter extends AbstractJweDecryptingFilter impleme
super.validateHttpHeadersIfNeeded(res.getHeaders(), out.getHeaders());
}
}
+
protected boolean isMethodWithNoContent(String method) {
return HttpMethod.DELETE.equals(method) || HttpUtils.isMethodWithNoResponseContent(method);
}
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
index c774adb..04afab4 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
@@ -27,6 +27,7 @@ import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
+import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
@@ -40,7 +41,11 @@ public class JweContainerRequestFilter extends AbstractJweDecryptingFilter imple
|| isCheckEmptyStream() && !context.hasEntity()) {
return;
}
- JweDecryptionOutput out = decrypt(context.getEntityStream());
+ final byte[] encryptedContent = IOUtils.readBytesFromStream(context.getEntityStream());
+ if (encryptedContent.length == 0) {
+ return;
+ }
+ JweDecryptionOutput out = decrypt(encryptedContent);
byte[] bytes = out.getContent();
context.setEntityStream(new ByteArrayInputStream(bytes));
context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
index bea2e7b..e8d99db 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonClientResponseFilter.java
@@ -28,6 +28,7 @@ import javax.ws.rs.client.ClientResponseContext;
import javax.ws.rs.client.ClientResponseFilter;
import javax.ws.rs.core.Response;
+import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
@@ -41,7 +42,11 @@ public class JweJsonClientResponseFilter extends AbstractJweJsonDecryptingFilter
|| isCheckEmptyStream() && !res.hasEntity()) {
return;
}
- JweDecryptionOutput out = decrypt(res.getEntityStream());
+ final byte[] encryptedContent = IOUtils.readBytesFromStream(res.getEntityStream());
+ if (encryptedContent.length == 0) {
+ return;
+ }
+ JweDecryptionOutput out = decrypt(encryptedContent);
byte[] bytes = out.getContent();
res.setEntityStream(new ByteArrayInputStream(bytes));
res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
index b07e013..4dd679c 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
@@ -27,6 +27,7 @@ import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
+import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
@@ -42,8 +43,12 @@ public class JweJsonContainerRequestFilter extends AbstractJweJsonDecryptingFilt
|| isCheckEmptyStream() && !context.hasEntity()) {
return;
}
+ final byte[] encryptedContent = IOUtils.readBytesFromStream(context.getEntityStream());
+ if (encryptedContent.length == 0) {
+ return;
+ }
try {
- JweDecryptionOutput out = decrypt(context.getEntityStream());
+ JweDecryptionOutput out = decrypt(encryptedContent);
byte[] bytes = out.getContent();
context.setEntityStream(new ByteArrayInputStream(bytes));
context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
index 6acba47..acef26b 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
@@ -28,6 +28,7 @@ import javax.ws.rs.client.ClientResponseContext;
import javax.ws.rs.client.ClientResponseFilter;
import javax.ws.rs.core.Response;
+import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
@@ -44,7 +45,11 @@ public class JwsClientResponseFilter extends AbstractJwsReaderProvider implement
|| isCheckEmptyStream() && !res.hasEntity()) {
return;
}
- JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
+ final String content = IOUtils.readStringFromStream(res.getEntityStream());
+ if (StringUtils.isEmpty(content)) {
+ return;
+ }
+ JwsCompactConsumer p = new JwsCompactConsumer(content);
JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(p.getJwsHeaders());
if (!p.verifySignatureWith(theSigVerifier)) {
throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
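Review bot: `StringUtils.isEmpty(content)` is not the same test as the `length == 0` check used in the Jwe* filters: CXF's helper appears to treat whitespace-only strings as empty as well (worth confirming), so a body consisting only of whitespace would also skip signature verification here. By then the entity stream has presumably been consumed by `readStringFromStream`, so later readers would see an empty stream rather than the bytes that were sent. Assuming `readStringFromStream` never returns null, `if (content.isEmpty()) { return; }` would keep the eight filters consistent; the same applies to JwsContainerRequestFilter, JwsJsonClientResponseFilter and JwsJsonContainerRequestFilter. The enclosing `filter` method starts and ends outside the hunk.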
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
index c3dbb10..e1b553b 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
@@ -28,6 +28,7 @@ import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
+import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
@@ -46,7 +47,11 @@ public class JwsContainerRequestFilter extends AbstractJwsReaderProvider impleme
|| isCheckEmptyStream() && !context.hasEntity()) {
return;
}
- JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
+ final String content = IOUtils.readStringFromStream(context.getEntityStream());
+ if (StringUtils.isEmpty(content)) {
+ return;
+ }
+ JwsCompactConsumer p = new JwsCompactConsumer(content);
JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(p.getJwsHeaders());
if (!p.verifySignatureWith(theSigVerifier)) {
context.abortWith(JAXRSUtils.toResponse(400));
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
index 4cd8437..1ab60b4 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
@@ -28,6 +28,7 @@ import javax.ws.rs.client.ClientResponseContext;
import javax.ws.rs.client.ClientResponseFilter;
import javax.ws.rs.core.Response;
+import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
@@ -44,8 +45,12 @@ public class JwsJsonClientResponseFilter extends AbstractJwsJsonReaderProvider i
|| isCheckEmptyStream() && !res.hasEntity()) {
return;
}
+ final String content = IOUtils.readStringFromStream(res.getEntityStream());
+ if (StringUtils.isEmpty(content)) {
+ return;
+ }
JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
- JwsJsonConsumer c = new JwsJsonConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
+ JwsJsonConsumer c = new JwsJsonConsumer(content);
validate(c, theSigVerifier);
byte[] bytes = c.getDecodedJwsPayloadBytes();
res.setEntityStream(new ByteArrayInputStream(bytes));
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
index d7b48e4..832f038 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
@@ -27,6 +27,7 @@ import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
+import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
@@ -45,8 +46,12 @@ public class JwsJsonContainerRequestFilter extends AbstractJwsJsonReaderProvider
|| isCheckEmptyStream() && !context.hasEntity()) {
return;
}
+ final String content = IOUtils.readStringFromStream(context.getEntityStream());
+ if (StringUtils.isEmpty(content)) {
+ return;
+ }
JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
- JwsJsonConsumer c = new JwsJsonConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
+ JwsJsonConsumer c = new JwsJsonConsumer(content);
try {
validate(c, theSigVerifier);
} catch (JwsException ex) {