semgrep-rules
[Rule] java Resteasy - @Consumes annotation at class level
Describe the bug
the rule java.jax-rs.security.insecure-resteasy.default-resteasy-provider-abuse
is producing a false positive when the @Consumes
annotation is set at the class level only.
To Reproduce
```java
package unsafe.jaxrs;

import java.util.*;
import javax.ws.rs.*;
import javax.ws.rs.core.*;

// @Consumes is declared once, at class level, and applies to every resource method below
@Path("/")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public class PoC_resource {

    @POST
    @Path("/concat")
    // "pair" is the entity parameter: it is deserialized from the request body
    public Map<String, String> doConcat(Pair pair) {
        HashMap<String, String> result = new HashMap<String, String>();
        result.put("Result", pair.getP1() + pair.getP2());
        return result;
    }
}
```
Expected behavior
I expect that if the @Consumes annotation is only present at the class level, we should not have any security issue, because it implies that this annotation will be applied to all public methods inside the class.
Priority How important is this to you?
- [ ] P0: blocking me from making progress
- [ ] P1: this will block me in the near future
- [x] P2: annoying but not blocking me
Additional Context
I missed adding another example, which for me is also a false positive:
for a GET method, we do not consume anything, so I expect not to have any security issue there, right?
```java
@GET
@Path("/tenantmode")
@Produces(MediaType.TEXT_PLAIN)
// no entity parameter: nothing is read from a request body
public String getTenantMode() {
    return kubernetesService.getMessage();
}
```
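The two cases in this report boil down to one question: is a resource method that reads an entity (request-body) parameter covered by @Consumes, either on the method or inherited from the class? The following is an added illustration, not the semgrep rule and not code from this issue: a small Python checker that models that resolution so the intended behaviour can be exercised. It is a regex-based toy, not a Java parser, and the sample classes are constructed for the example (they mirror the shape of the PoC above; `Pair`, `Item` and `Unrestricted` are hypothetical names).

```python
"""Toy checker for the "entity parameter without @Consumes" pattern.

Added illustration, not the semgrep rule itself. It models the behaviour the
issue asks for: a resource method that accepts an entity (request-body)
parameter is only reported when neither the method nor its class carries
@Consumes, and a method with no entity parameter (e.g. a plain @GET) is
never reported. Regex-based, so it handles ordinary JAX-RS resources only.
"""
import re

HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"}

CLASS_RE = re.compile(r"\bclass\s+(\w+)")
METHOD_RE = re.compile(
    r"((?:@\w+(?:\([^)]*\))?\s*)+)"              # one or more annotations
    r"(?:public|protected|private)?\s*"          # optional visibility
    r"[\w<>\[\],.\s]+?\s+"                       # return type (lazy)
    r"(\w+)\s*\(((?:[^()]|\([^()]*\))*)\)\s*\{"  # name(params) {, one level of parens inside params
)
ANNOTATION_RE = re.compile(r"@(\w+)")


def _annotations(text):
    """Set of annotation names (without '@') found in a text fragment."""
    return set(ANNOTATION_RE.findall(text))


def _has_entity_param(params):
    """JAX-RS: the entity parameter is the one without a @PathParam/@QueryParam/... annotation."""
    for p in params.split(","):
        p = p.strip()
        if p and not p.startswith("@"):
            return True
    return False


def find_unrestricted_consumers(source):
    """Names of resource methods that take an entity parameter but are not
    covered by @Consumes at method level or at class level."""
    m = CLASS_RE.search(source)
    if not m:
        return []
    # everything before the 'class' keyword holds the class-level annotations
    class_consumes = "Consumes" in _annotations(source[:m.start()])
    findings = []
    for mm in METHOD_RE.finditer(source[m.end():]):
        annos = _annotations(mm.group(1))
        if not annos & HTTP_METHODS:
            continue  # not a resource method
        if not _has_entity_param(mm.group(3)):
            continue  # nothing is deserialized from the request body
        if "Consumes" in annos or class_consumes:
            continue  # media type is restricted, the reporter's expectation
        findings.append(mm.group(2))
    return findings


# Constructed sample (hypothetical), modelled on the PoC shape: class-level @Consumes.
CLASS_LEVEL_CONSUMES = """
@Path("/")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public class PoC_resource {
    @POST
    @Path("/concat")
    public Map<String, String> doConcat(Pair pair) {
        return null;
    }

    @GET
    @Path("/tenantmode")
    @Produces(MediaType.TEXT_PLAIN)
    public String getTenantMode() {
        return "x";
    }
}
"""

# Constructed sample (hypothetical): no class-level @Consumes, one method restricts itself.
NO_CONSUMES = """
@Path("/")
public class Unrestricted {
    @POST
    @Path("/concat")
    public Map<String, String> doConcat(Pair pair) {
        return null;
    }

    @PUT
    @Path("/{id}")
    @Consumes(MediaType.APPLICATION_XML)
    public Response update(@PathParam("id") String id, Item item) {
        return null;
    }

    @GET
    @Path("/tenantmode")
    public String getTenantMode() {
        return "x";
    }
}
"""

if __name__ == "__main__":
    print("class-level @Consumes:", find_unrestricted_consumers(CLASS_LEVEL_CONSUMES))
    print("no @Consumes:", find_unrestricted_consumers(NO_CONSUMES))
```

Run stand-alone, the first sample produces no findings (the class-level annotation covers `doConcat`, and `getTenantMode` has no entity parameter), while the second reports only `doConcat`: `update` is covered by its own @Consumes and the GET still has nothing to deserialize. The real rule is written in semgrep's pattern language, so this only pins down the semantics the report is asking for, not how the fix is implemented.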
Hi @aleboulanger, Thanks for sharing these false positives! I'm in the process of fixing them.