
Bug Report: Unable to completely disable openapi and wadl

Open sanchezfauste opened this issue 9 months ago • 0 comments

Brief Summary

I'm trying to completely disable openapi and wadl using this asadmin command:

set-openapi-configuration --enabled=false

But the wadl endpoints are not disabled correctly, and the openapi endpoint returns a 403 error instead of a 404.

Expected Outcome

If I disable openapi, the expected behaviour is that all openapi paths return a 404 error. These paths must not exist if the openapi feature is disabled:

GET     /openapi/
GET     /openapi/application.wadl
GET     /v1/application.wadl

I think the actual 403 error gives too much information in terms of security: an attacker can learn that we are using Payara Micro.

Current Outcome

openapi endpoint:

GET /openapi

Gives:

<html xmlns="http://www.w3.org/1999/xhtml">
    <body>
        <h1>HTTP Status 403 - MicroProfile OpenAPI Service is disabled.</h1>
        <hr/>
        <p>
            <b>type</b>
            Status report
        </p>
        <p>
            <b>message</b>
            MicroProfile OpenAPI Service is disabled.
        </p>
        <p>
            <b>description</b>
            Access to the specified resource has been forbidden.
        </p>
        <hr/>
        <h3>Payara Micro #badassfish</h3>
    </body>
</html>

wadl endpoint:

GET /openapi/application.wadl

Gives:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
    <doc xmlns:jersey="http://jersey.java.net/" jersey:generatedBy="Jersey: 3.1.5.payara-p1 2024-02-06 13:28:35"/>
    <doc xmlns:jersey="http://jersey.java.net/" jersey:hint="This is simplified WADL with user and core resources only. To get full WADL with extended resources use the query parameter detail. Link: http://****/openapi/application.wadl?detail=true"/>
    <grammars/>
    <resources base="http://****/openapi/">
        <resource path="/">
            <method id="getResponse" name="GET">
                <response>
                    <representation mediaType="text/plain"/>
                    <representation mediaType="application/json"/>
                </response>
            </method>
        </resource>
    </resources>
</application>

And application wadl:

GET /v1/application.wadl

Is giving a 500 error:

java.lang.NullPointerException: Cannot invoke "org.glassfish.jersey.server.wadl.WadlApplicationContext.isWadlGenerationEnabled()" because "this.wadlContext" is null

Reproducer

I'm trying to completely disable openapi and wadl using --prebootcommandfile with this asadmin command:

set-openapi-configuration --enabled=false

And disabling wadl on application:

import jakarta.ws.rs.ApplicationPath;
import jakarta.ws.rs.core.Application;
import org.glassfish.jersey.server.ServerProperties;

import java.util.Map;

@ApplicationPath("v1")
public class ApplicationConfig extends Application {
    @Override
    public Map<String, Object> getProperties() {
        return Map.of(
                ServerProperties.WADL_FEATURE_DISABLE, "true"
        );
    }
}

Operating System

Ubuntu 22.04.4 LTS

JDK Version

Zulu17.48+15-CA (build 17.0.10+7-LTS)

Payara Distribution

Payara Micro

sanchezfauste avatar May 14 '24 07:05 sanchezfauste
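As an added verification check (not part of the report above and not Payara's or Jersey's code): a small Python probe that fetches the three paths the report lists and classifies each response as "hidden" (the 404 the report expects), "wadl-exposed" (a WADL document came back), "stack-disclosed" (a non-404 body that names Payara or Jersey, such as the 403 page or the NullPointerException message) or "other". The sample responses embedded below are constructed from the bodies quoted in the report so the script runs offline; the function names, verdict strings and the command-line base URL are this example's own assumptions.

```python
import re
import urllib.error
import urllib.request

# Paths the report expects to return 404 once OpenAPI is disabled
PATHS = ("/openapi/", "/openapi/application.wadl", "/v1/application.wadl")

# Markers that identify the server stack, taken from the response bodies in the report
BANNER_PATTERNS = (
    re.compile(r"Payara Micro", re.I),
    re.compile(r"MicroProfile OpenAPI Service is disabled", re.I),
    re.compile(r"jersey:generatedBy=", re.I),
    re.compile(r"org\.glassfish\.jersey", re.I),
)


def classify(status, body):
    """Return a verdict for one probed path.

    'hidden'          - 404, the outcome the report expects
    'wadl-exposed'    - 200 with a WADL document, so the feature is still on
    'stack-disclosed' - non-404 response whose body names Payara/Jersey
    'other'           - anything else
    """
    if status == 404:
        return "hidden"
    if status == 200 and "wadl.dev.java.net" in body:
        return "wadl-exposed"
    if any(p.search(body) for p in BANNER_PATTERNS):
        return "stack-disclosed"
    return "other"


def fetch(base_url, path, timeout=5):
    """GET base_url+path and return (status, body), also for HTTP error codes."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(base_url, fetcher=fetch):
    """Probe every path and return {path: verdict}; fetcher is injectable for offline runs."""
    return {path: classify(*fetcher(base_url, path)) for path in PATHS}


def all_hidden(results):
    """True only when every path returned 404."""
    return all(v == "hidden" for v in results.values())


# Constructed sample responses, abbreviated from the bodies quoted in the report
SAMPLE = {
    "/openapi/": (403, "<h1>HTTP Status 403 - MicroProfile OpenAPI Service is disabled.</h1>"
                       "<h3>Payara Micro #badassfish</h3>"),
    "/openapi/application.wadl": (200, '<application xmlns="http://wadl.dev.java.net/2009/02">'
                                       '<doc jersey:generatedBy="Jersey: 3.1.5.payara-p1"/></application>'),
    "/v1/application.wadl": (500, 'java.lang.NullPointerException: Cannot invoke '
                                  '"org.glassfish.jersey.server.wadl.WadlApplicationContext'
                                  '.isWadlGenerationEnabled()" because "this.wadlContext" is null'),
}


def sample_fetch(base_url, path):
    """Offline stand-in for fetch() that serves the constructed samples."""
    return SAMPLE[path]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    # With no base URL given, run against the constructed samples from the report
    results = probe(target, fetch) if target else probe("http://example.invalid", sample_fetch)
    for path, verdict in results.items():
        print(f"{path:30} {verdict}")
    sys.exit(0 if all_hidden(results) else 1)
```

Run it as `python probe.py http://host:port` after applying `set-openapi-configuration --enabled=false`; a non-zero exit means at least one of the three paths still reveals the OpenAPI/WADL feature or the server stack, which is exactly the state the report describes.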