Merge pull request #36531 from gsmet/3.2.7-backports-1

3.2.7 backports 1
quarkusio · Oct 18, 2023 · c1b4ea6 · c1b4ea6
2 parents 9f813f6 + e54c0e0
commit c1b4ea6
Show file tree

Hide file tree

Showing 5 changed files with 218 additions and 5 deletions.
diff --git a/bom/application/pom.xml b/bom/application/pom.xml
@@ -145,14 +145,14 @@
         <infinispan.version>14.0.11.Final</infinispan.version>
         <infinispan.protostream.version>4.6.2.Final</infinispan.protostream.version>
         <caffeine.version>3.1.5</caffeine.version>
-        <netty.version>4.1.94.Final</netty.version>
+        <netty.version>4.1.100.Final</netty.version>
         <brotli4j.version>1.12.0</brotli4j.version>
         <reactive-streams.version>1.0.4</reactive-streams.version>
         <jboss-logging.version>3.5.1.Final</jboss-logging.version>
         <mutiny.version>2.3.1</mutiny.version>
         <kafka3.version>3.4.0</kafka3.version>
         <lz4.version>1.8.0</lz4.version> <!-- dependency of the kafka-clients that could be overridden by other imported BOMs in the platform -->
-        <snappy.version>1.1.10.1</snappy.version>
+        <snappy.version>1.1.10.5</snappy.version>
         <strimzi-test-container.version>0.100.0</strimzi-test-container.version>
         <!-- Scala is used by Kafka so we need to choose a compatible version -->
         <scala.version>2.13.11</scala.version>
@@ -205,7 +205,7 @@
         <log4j2-jboss-logmanager.version>1.1.1.Final</log4j2-jboss-logmanager.version>
         <log4j2-api.version>2.20.0</log4j2-api.version>
         <log4j-jboss-logmanager.version>1.3.0.Final</log4j-jboss-logmanager.version>
-        <avro.version>1.11.1</avro.version>
+        <avro.version>1.11.3</avro.version>
         <apicurio-registry.version>2.4.3.Final</apicurio-registry.version>
         <apicurio-common-rest-client.version>0.1.17.Final</apicurio-common-rest-client.version> <!-- must be the version Apicurio Registry uses -->
         <testcontainers.version>1.18.3</testcontainers.version> <!-- Make sure to also update docker-java.version to match its needs -->

diff --git a/docs/src/main/asciidoc/upx.adoc b/docs/src/main/asciidoc/upx.adoc
@@ -3,9 +3,7 @@ This guide is maintained in the main Quarkus repository
 and pull requests should be submitted there:
 https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc
 ////
-
 = Compressing native executables using UPX
-
 include::_attributes.adoc[]
 
 https://upx.github.io/[Ultimate Packer for eXecutables (UPX)] is a compression tool reducing the size of executables.

diff --git a/...test/java/io/quarkus/resteasy/reactive/server/test/simple/GenericsParamConverterTest.java b/...test/java/io/quarkus/resteasy/reactive/server/test/simple/GenericsParamConverterTest.java
@@ -0,0 +1,109 @@
+package io.quarkus.resteasy.reactive.server.test.simple;
+
+import static io.restassured.RestAssured.given;
+import static org.hamcrest.CoreMatchers.is;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.ext.ParamConverter;
+import jakarta.ws.rs.ext.ParamConverterProvider;
+import jakarta.ws.rs.ext.Provider;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+
+public class GenericsParamConverterTest {
+
+    @RegisterExtension
+    static QuarkusUnitTest test = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(TestEnum.class, Wrapper.class,
+                            WrapperParamConverterProvider.class, WrapperParamConverterProvider.WrapperParamConverter.class,
+                            TestResource.class));
+
+    @Test
+    public void wrapper() {
+        given()
+                .when().get("/test/single?wrapper=ACTIVE")
+                .then()
+                .statusCode(200)
+                .body(is("ACTIVE"));
+    }
+
+    @Test
+    public void wrapperList() {
+        given()
+                .when().get("/test/list?wrapperList=INACTIVE&wrapperList=ACTIVE")
+                .then()
+                .statusCode(200)
+                .body(is("INACTIVE,ACTIVE"));
+    }
+
+    @Path("/test")
+    public static class TestResource {
+
+        @GET
+        @Path("/list")
+        public String list(@QueryParam("wrapperList") final List<Wrapper<TestEnum>> wrapperList) {
+            return wrapperList.stream().map(w -> w.getValue().name()).collect(Collectors.joining(","));
+        }
+
+        @GET
+        @Path("/single")
+        public String single(@QueryParam("wrapper") final Wrapper<TestEnum> wrapper) {
+            return wrapper.getValue().toString();
+        }
+    }
+
+    public enum TestEnum {
+        ACTIVE,
+        INACTIVE
+    }
+
+    public static class Wrapper<E extends Enum<E>> {
+        private final E value;
+
+        public Wrapper(final E value) {
+            this.value = value;
+        }
+
+        public E getValue() {
+            return value;
+        }
+    }
+
+    @Provider
+    public static class WrapperParamConverterProvider implements ParamConverterProvider {
+
+        @Override
+        @SuppressWarnings("unchecked")
+        public <T> ParamConverter<T> getConverter(final Class<T> rawType, final Type genericType,
+                final Annotation[] annotations) {
+            if (Wrapper.class.isAssignableFrom(rawType)) {
+                return (ParamConverter<T>) new WrapperParamConverter();
+            }
+            return null;
+        }
+
+        public static class WrapperParamConverter implements ParamConverter<Wrapper<?>> {
+
+            @Override
+            public Wrapper<?> fromString(String value) {
+                return new Wrapper<>(Enum.valueOf(TestEnum.class, value));
+            }
+
+            @Override
+            public String toString(Wrapper<?> wrapper) {
+                return wrapper != null ? wrapper.getValue().toString() : null;
+            }
+        }
+    }
+}
diff --git a/...ttp/deployment/src/test/java/io/quarkus/vertx/http/http2/Http2RSTFloodProtectionTest.java b/...ttp/deployment/src/test/java/io/quarkus/vertx/http/http2/Http2RSTFloodProtectionTest.java
@@ -0,0 +1,104 @@
+package io.quarkus.vertx.http.http2;
+
+import static io.vertx.core.http.HttpMethod.GET;
+import static org.junit.jupiter.api.Assertions.fail;
+
+import java.io.File;
+import java.net.URL;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.event.Observes;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Assumptions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+import io.quarkus.test.common.http.TestHTTPResource;
+import io.quarkus.vertx.core.runtime.VertxCoreRecorder;
+import io.vertx.core.http.HttpClient;
+import io.vertx.core.http.HttpClientOptions;
+import io.vertx.core.http.HttpClientRequest;
+import io.vertx.core.http.HttpVersion;
+import io.vertx.core.net.JdkSSLEngineOptions;
+import io.vertx.ext.web.Router;
+
+/**
+ * Reproduce CVE-2023-44487.
+ */
+public class Http2RSTFloodProtectionTest {
+
+    @TestHTTPResource(value = "/ping", ssl = true)
+    URL sslUrl;
+
+    @TestHTTPResource(value = "/ping")
+    URL url;
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(MyBean.class)
+                    .addAsResource(new File("src/test/resources/conf/ssl-jks.conf"), "application.properties")
+                    .addAsResource(new File("src/test/resources/conf/server-keystore.jks"), "server-keystore.jks"));
+
+    @Test
+    void testRstFloodProtectionWithTlsEnabled() throws Exception {
+        Assumptions.assumeTrue(JdkSSLEngineOptions.isAlpnAvailable()); //don't run on JDK8
+        HttpClientOptions options = new HttpClientOptions()
+                .setUseAlpn(true)
+                .setProtocolVersion(HttpVersion.HTTP_2)
+                .setSsl(true)
+                .setTrustAll(true);
+
+        var client = VertxCoreRecorder.getVertx().get().createHttpClient(options);
+        int port = sslUrl.getPort();
+        run(client, port, false);
+    }
+
+    @Test
+    public void testRstFloodProtection() throws InterruptedException {
+        HttpClientOptions options = new HttpClientOptions()
+                .setProtocolVersion(HttpVersion.HTTP_2)
+                .setHttp2ClearTextUpgrade(true);
+        var client = VertxCoreRecorder.getVertx().get().createHttpClient(options);
+        run(client, url.getPort(), true);
+    }
+
+    void run(HttpClient client, int port, boolean plain) throws InterruptedException {
+        CountDownLatch latch = new CountDownLatch(1);
+        client.connectionHandler(conn -> conn.goAwayHandler(ga -> {
+            Assertions.assertEquals(11, ga.getErrorCode());
+            latch.countDown();
+        }));
+
+        if (plain) {
+            // Emit a first request to establish a connection.
+            // It's HTTP/1 so, does not count in the number of requests.
+            client.request(GET, port, "localhost", "/ping")
+                    .compose(HttpClientRequest::send);
+        }
+
+        for (int i = 0; i < 250; i++) { // must be higher thant the NEtty limit (200 / 30s)
+            client.request(GET, port, "localhost", "/ping")
+                    .onSuccess(req -> req.end().onComplete(v -> req.reset()));
+        }
+
+        if (!latch.await(10, TimeUnit.SECONDS)) {
+            fail("RST flood protection failed");
+        }
+    }
+
+    @ApplicationScoped
+    public static class MyBean {
+
+        public void register(@Observes Router router) {
+            router.get("/ping").handler(rc -> {
+                // Do nothing.
+            });
+        }
+
+    }
+}
diff --git a/.../main/java/org/jboss/resteasy/reactive/server/core/startup/RuntimeResourceDeployment.java b/.../main/java/org/jboss/resteasy/reactive/server/core/startup/RuntimeResourceDeployment.java
@@ -527,6 +527,8 @@ private static void smartInitParameterConverter(int i, ParameterConverter quarku
                     Type genericType = genericArguments[0];
                     if (genericType instanceof Class) {
                         genericTypeClassName = ((Class<?>) genericType).getName();
+                    } else if (genericType instanceof ParameterizedType) {
+                        genericTypeClassName = ((ParameterizedType) genericType).getRawType().getTypeName();
                     } else if (genericType instanceof WildcardType) {
                         WildcardType genericTypeWildcardType = (WildcardType) genericType;
                         Type[] upperBounds = genericTypeWildcardType.getUpperBounds();