cxf-issues mailing list archives

From "Sergey Beryozkin (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-4172) Default JAX-RS JAXB, JSON and Form providers are open to the hash collision attacks
Date Wed, 14 Mar 2012 17:08:40 GMT

    [ https://issues.apache.org/jira/browse/CXF-4172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13229356#comment-13229356 ]

Sergey Beryozkin commented on CXF-4172:
---------------------------------------

A number of new contextual properties have been introduced to limit the depth of the incoming
XML or JSON payloads (processed with the help of JAXB) and form payloads.

XML and JSON:

"depthTotalElementCountThreshold" - restricts the total number of elements in a given payload.
"depthInnerElementCountThreshold" - restricts the total number of child elements for a given
element.
"depthInnerElementLevelThreshold" - restricts the stack depth starting from a given element
(root by default).

These properties can be enforced in a number of ways. The simplest option is to enable them
on individual JAX-RS endpoints. Alternatively, default CXF JAX-RS JAXBElementProvider and
JSONProvider can have a 'depthProperties' set (http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/staxutils/DocumentDepthProperties.java).
Finally they can instead depend on DepthRestrictingStreamInterceptor (http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java)
configured and added to the inbound chain.

Source and DOM Document providers will depend on DepthRestrictingStreamInterceptor.

More sophisticated properties can be introduced in the future.

Form:

"maxFormParameterCount" - restricts the number of form name-value pairs.
Note that the Servlet containers may also need to restrict the number of form parameters:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201112.mbox/%3C4EFB9800.5010106@apache.org%3E

The clients will get HTTP 413 back whenever one of the above contextual properties cannot
be enforced.

*Note*: other optional XML or JSON providers may need the related third-party library enhanced
to enforce the depth of the incoming payloads.


> Default JAX-RS JAXB, JSON and Form providers are open to the hash collision attacks
> -----------------------------------------------------------------------------------
>
>                 Key: CXF-4172
>                 URL: https://issues.apache.org/jira/browse/CXF-4172
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 2.3.10, 2.4.7, 2.5.3, 2.6
>
>
> JAXB-based and Form providers using the Maps internally are open to the hash collision attacks.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
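
The three XML thresholds and the form parameter limit described in the comment above, modelled as a stand-alone streaming check. This is an added illustration, not CXF's code: CXF implements these limits in Java (DocumentDepthProperties, DepthRestrictingStreamInterceptor, and the JAXB/JSON/Form providers), and only the four threshold names are taken from the comment. The class and function names, the chosen limit values and the sample payloads are constructed for the example. The point it makes is the one the comment relies on: the counters run while the payload is streamed, so a payload is rejected with 413 before its element or parameter names ever reach the internal maps whose hash collisions are the attack's cost. Only XML is parsed here; the same counters apply to a JSON payload once it is presented as an XML event stream.

```python
import io
import xml.sax
import xml.sax.handler
from urllib.parse import parse_qsl

# Threshold names as used in the CXF comment above; returned as the rejection reason.
TOTAL_ELEMENT_COUNT = "depthTotalElementCountThreshold"
INNER_ELEMENT_COUNT = "depthInnerElementCountThreshold"
INNER_ELEMENT_LEVEL = "depthInnerElementLevelThreshold"
MAX_FORM_PARAMETER_COUNT = "maxFormParameterCount"


class PayloadTooLarge(Exception):
    """A threshold was crossed; the client gets HTTP 413 as the comment describes."""
    status = 413

    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason


class DepthProperties:
    """Illustrative stand-in for the three XML/JSON limits (not CXF's DocumentDepthProperties)."""

    def __init__(self, total_element_count, inner_element_count, inner_element_level):
        self.total_element_count = total_element_count  # elements in the whole payload
        self.inner_element_count = inner_element_count  # direct children of any one element
        self.inner_element_level = inner_element_level  # nesting depth, root counts as level 1


class DepthRestrictingHandler(xml.sax.ContentHandler):
    """SAX handler: checks run while streaming, before any tree or name->value map exists."""

    def __init__(self, props):
        super().__init__()
        self.props = props
        self.total = 0          # elements seen so far
        self.child_counts = []  # one child counter per currently open element (= the depth)

    def startElement(self, name, attrs):
        self.total += 1
        if self.total > self.props.total_element_count:
            raise PayloadTooLarge(TOTAL_ELEMENT_COUNT)
        if self.child_counts:  # not the root, so it is a child of the innermost open element
            self.child_counts[-1] += 1
            if self.child_counts[-1] > self.props.inner_element_count:
                raise PayloadTooLarge(INNER_ELEMENT_COUNT)
        if len(self.child_counts) + 1 > self.props.inner_element_level:
            raise PayloadTooLarge(INNER_ELEMENT_LEVEL)
        self.child_counts.append(0)

    def endElement(self, name):
        self.child_counts.pop()


def check_xml(payload, props):
    """Stream-parse the payload; return its element count or raise PayloadTooLarge."""
    parser = xml.sax.make_parser()
    # Not a depth issue, but never resolve external entities in untrusted XML
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    handler = DepthRestrictingHandler(props)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(payload))
    return handler.total


def check_form(body, max_params):
    """Count name=value pairs before decoding them into a map; return the decoded pairs."""
    if body and body.count("&") + 1 > max_params:
        raise PayloadTooLarge(MAX_FORM_PARAMETER_COUNT)
    return parse_qsl(body, keep_blank_values=True)


def handle_request(content_type, body, props, max_params):
    """Return (200, None) when accepted, (413, <threshold name>) when rejected."""
    try:
        if content_type == "application/xml":
            check_xml(body, props)
        elif content_type == "application/x-www-form-urlencoded":
            check_form(body, max_params)
        else:
            return 415, "unsupported media type"
        return 200, None
    except PayloadTooLarge as e:
        return e.status, e.reason


# Constructed sample payloads and limits for the example (not captured traffic).
PROPS = DepthProperties(total_element_count=1000, inner_element_count=100, inner_element_level=20)
MAX_FORM_PARAMS = 500
SAMPLES = {
    "ok_xml": b"<order><id>7</id><item>a</item></order>",
    "deep_xml": b"<e>" * 50 + b"</e>" * 50,                                # 50 levels in 350 bytes
    "wide_xml": b"<r>" + b"<x/>" * 200 + b"</r>",                          # 200 children of one element
    "big_xml": b"<r>" + (b"<g>" + b"<x/>" * 60 + b"</g>") * 20 + b"</r>",  # 1221 elements, shallow and narrow
    "ok_form": "user=alice&lang=en",
    "big_form": "&".join(f"k{i}={i}" for i in range(MAX_FORM_PARAMS + 1)),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        ctype = "application/xml" if name.endswith("xml") else "application/x-www-form-urlencoded"
        print(name, handle_request(ctype, body, PROPS, MAX_FORM_PARAMS))
```

Each of the three constructed XML payloads trips a different threshold: the deep one is tiny but exceeds the level limit, the wide one stays shallow but exceeds the per-element child limit, and the third stays within both of those while exceeding the total count. The form check, like the servlet-container limit the comment links to, rejects on the raw pair count so that no oversized map is ever populated.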
