Posted to commits@cxf.apache.org by dk...@apache.org on 2020/03/23 19:02:25 UTC

[cxf] branch master updated (794949e -> b563f7b)

This is an automated email from the ASF dual-hosted git repository.

dkulp pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git.


    from 794949e  Adding an @Ignored test for RPC-Literal issue
     new 2e43632  Bridge/synthetic methods may not have the parameter annotations, search for the actual method to use
     new b563f7b  Prevent SOAPAction spoofing for RPC/Lit services

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../binding/soap/interceptor/Messages.properties   |  1 +
 .../binding/soap/interceptor/RPCInInterceptor.java |  5 +++++
 .../apache/cxf/jaxrs/utils/AnnotationUtils.java    | 25 +++++++++++++---------
 .../cxf/systest/jms/action/JMSSoapActionTest.java  | 15 ++++++++-----
 .../apache/cxf/systest/soap/SoapActionTest.java    |  1 -
 5 files changed, 31 insertions(+), 16 deletions(-)


[cxf] 02/02: Prevent SOAPAction spoofing for RPC/Lit services

Posted by dk...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

dkulp pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit b563f7b59db5a749537d1149ff48cdbc021f54f8
Author: Daniel Kulp <dk...@apache.org>
AuthorDate: Mon Mar 23 15:01:51 2020 -0400

    Prevent SOAPAction spoofing for RPC/Lit services
---
 .../cxf/binding/soap/interceptor/Messages.properties      |  1 +
 .../cxf/binding/soap/interceptor/RPCInInterceptor.java    |  5 +++++
 .../apache/cxf/systest/jms/action/JMSSoapActionTest.java  | 15 ++++++++++-----
 .../java/org/apache/cxf/systest/soap/SoapActionTest.java  |  1 -
 4 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
index bf5622b..aea4a57 100644
--- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
+++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
@@ -34,3 +34,4 @@ NO_NAMESPACE=No namespace on "{0}" element. You must send a SOAP message.
 BP_2211_RPCLIT_CANNOT_BE_NULL=Cannot write part {0}. RPC/Literal parts cannot be null. (WS-I BP R2211)
 UNKNOWN_RPC_LIT_PART=Found element {0} but could not find matching RPC/Literal part
 SOAP_ACTION_MISMATCH=The given SOAPAction {0} does not match an operation.
+SOAP_ACTION_MISMATCH_OP=The given SOAPAction {0} does not match the received operation {1}.
\ No newline at end of file
diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java
index 78a7f29..5f281c9 100644
--- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java
+++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/RPCInInterceptor.java
@@ -30,6 +30,7 @@ import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
 
+import org.apache.cxf.binding.soap.SoapBindingConstants;
 import org.apache.cxf.binding.soap.wsdl.extensions.SoapBody;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.databinding.DataReader;
@@ -112,6 +113,10 @@ public class RPCInInterceptor extends AbstractInDatabindingInterceptor {
             setMessage(message, operation);
         } else {
             operation = message.getExchange().getBindingOperationInfo();
+            if (!operation.getName().getLocalPart().equals(opName)) {
+                String sa = (String)message.get(SoapBindingConstants.SOAP_ACTION);
+                throw new Fault("SOAP_ACTION_MISMATCH_OP", LOG, null, sa, opName);
+            }
         }
         MessageInfo msg;
         DataReader<XMLStreamReader> dr = getDataReader(message, XMLStreamReader.class);
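Review bot: The new guard `if (!operation.getName().getLocalPart().equals(opName))` compares only the local name of the already-selected operation with the received body element, so a wrapper element with the same local name in a different namespace is still accepted; whether that is acceptable depends on how opName is derived, which happens in the part of handleMessage before this hunk. If the local-part match is deliberate (in RPC/literal the wrapper element's namespace comes from the soap:body namespace attribute and need not equal the operation QName's namespace), a comment saying so would stop the next reader from "fixing" it, e.g. `// Only the local part is compared: the RPC wrapper namespace is the soap:body namespace, not the operation's`. Also, `message.get(SoapBindingConstants.SOAP_ACTION)` may be null when the operation was pre-selected by something other than a SOAPAction header, in which case the fault reads "SOAPAction null"; falling back to the operation name, `String sa = ...; if (sa == null) { sa = operation.getName().toString(); }`, keeps the fault readable. Note the fault echoes the client-supplied action and element name back to the sender, which matches the existing SOAP_ACTION_MISMATCH message and is reasonable here.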
diff --git a/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java b/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java
index 59c39da..c3ba953 100644
--- a/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java
+++ b/systests/transport-jms/src/test/java/org/apache/cxf/systest/jms/action/JMSSoapActionTest.java
@@ -43,7 +43,7 @@ import org.junit.Test;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertSame;
-
+import static org.junit.Assert.fail;
 
 /**
  * Some tests for sending a SOAP Action with JMS
@@ -108,6 +108,8 @@ public class JMSSoapActionTest extends AbstractBusClientServerTestBase {
         ((java.io.Closeable)greeter).close();
     }
 
+    
+    
     @Test
     public void testSayHi2() throws Exception {
         QName serviceName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldServiceSoapAction");
@@ -126,10 +128,13 @@ public class JMSSoapActionTest extends AbstractBusClientServerTestBase {
             BindingProvider.SOAPACTION_URI_PROPERTY, "SAY_HI_2"
         );
 
-        String reply = greeter.sayHi();
-        assertNotNull("no response received from service", reply);
-        assertEquals(response, reply);
-
+        try {
+            greeter.sayHi();
+            fail("Failure expected on spoofing attack");
+        } catch (Exception ex) {
+            // expected
+        }
+            
         ((java.io.Closeable)greeter).close();
     }
 
diff --git a/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java b/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
index 3ac0fe6..7e033e2 100644
--- a/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
+++ b/systests/uncategorized/src/test/java/org/apache/cxf/systest/soap/SoapActionTest.java
@@ -343,7 +343,6 @@ public class SoapActionTest {
     }
 
     @Test
-    @org.junit.Ignore  // TODO
     public void testRPCLitSoapActionSpoofing() throws Exception {
         JaxWsProxyFactoryBean pf = new JaxWsProxyFactoryBean();
         pf.setServiceClass(RPCGreeter.class);


[cxf] 01/02: Bridge/synthetic methods may not have the parameter annotations, search for the actual method to use

Posted by dk...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

dkulp pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 2e436324dcda546e6c2d11a878bea84bcfc62de1
Author: Daniel Kulp <dk...@apache.org>
AuthorDate: Mon Mar 23 15:01:09 2020 -0400

    Bridge/synthetic methods may not have the parameter annotations, search for the actual method to use
---
 .../apache/cxf/jaxrs/utils/AnnotationUtils.java    | 25 +++++++++++++---------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/AnnotationUtils.java b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/AnnotationUtils.java
index ca5766e..67d2a3c 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/AnnotationUtils.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/AnnotationUtils.java
@@ -189,19 +189,24 @@ public final class AnnotationUtils {
     private static Method doGetAnnotatedMethod(Class<?> serviceClass, Method m) {
 
         if (m != null) {
-            for (Annotation a : m.getAnnotations()) {
-                if (AnnotationUtils.isMethodAnnotation(a)) {
-                    return m;
+            if (!m.isBridge() && !m.isSynthetic()) {
+                //the bridge/synthetic methods may not have the parameter annotations
+                //thus we will need to search the super classes/interfaces to make 
+                //sure we get the proper method that would also have the parameters annotated
+                //properly
+                for (Annotation a : m.getAnnotations()) {
+                    if (AnnotationUtils.isMethodAnnotation(a)) {
+                        return m;
+                    }
                 }
-            }
-            for (Annotation[] paramAnnotations : m.getParameterAnnotations()) {
-                if (isValidParamAnnotations(paramAnnotations)) {
-                    LOG.warning("Method " + m.getName() + " in " + m.getDeclaringClass().getName()
-                                 + " has no JAX-RS Path or HTTP Method annotations");
-                    return m;
+                for (Annotation[] paramAnnotations : m.getParameterAnnotations()) {
+                    if (isValidParamAnnotations(paramAnnotations)) {
+                        LOG.warning("Method " + m.getName() + " in " + m.getDeclaringClass().getName()
+                                     + " has no JAX-RS Path or HTTP Method annotations");
+                        return m;
+                    }
                 }
             }
-
             Class<?> declaringClass = m.getDeclaringClass();
             Class<?> superC = declaringClass.getSuperclass();
             if (superC != null && Object.class != superC) {