Merge pull request #36443 from gsmet/2.16.12-backports-1

2.16.12 backports 1
quarkusio · Oct 13, 2023 · d41313f · d41313f
2 parents 639a059 + 9ef30a4
commit d41313f
Show file tree

Hide file tree

Showing 3 changed files with 116 additions and 5 deletions.
diff --git a/bom/application/pom.xml b/bom/application/pom.xml
@@ -19,7 +19,7 @@
         <bouncycastle.tls.fips.version>1.0.14</bouncycastle.tls.fips.version>
         <findbugs.version>3.0.2</findbugs.version>
         <jandex.version>3.0.5</jandex.version>
-        <resteasy.version>4.7.7.Final</resteasy.version>
+        <resteasy.version>4.7.9.Final</resteasy.version>
         <opentracing.version>0.33.0</opentracing.version>
         <opentracing-jdbc.version>0.2.4</opentracing-jdbc.version>
         <opentracing-kafka.version>0.1.15</opentracing-kafka.version>
@@ -138,14 +138,14 @@
         <infinispan.version>14.0.6.Final</infinispan.version>
         <infinispan.protostream.version>4.5.1.Final</infinispan.protostream.version>
         <caffeine.version>3.1.1</caffeine.version>
-        <netty.version>4.1.94.Final</netty.version>
+        <netty.version>4.1.100.Final</netty.version>
         <brotli4j.version>1.12.0</brotli4j.version>
         <reactive-streams.version>1.0.3</reactive-streams.version>
         <jboss-logging.version>3.5.0.Final</jboss-logging.version>
         <mutiny.version>1.9.0</mutiny.version>
         <kafka3.version>3.3.2</kafka3.version>
         <lz4.version>1.8.0</lz4.version> <!-- dependency of the kafka-clients that could be overridden by other imported BOMs in the platform -->
-        <snappy.version>1.1.10.1</snappy.version>
+        <snappy.version>1.1.10.5</snappy.version>
         <strimzi-test-container.version>0.100.0</strimzi-test-container.version>
         <!-- Scala is used by Kafka so we need to choose a compatible version -->
         <scala.version>2.13.10</scala.version>
@@ -197,7 +197,7 @@
         <log4j2-jboss-logmanager.version>1.1.1.Final</log4j2-jboss-logmanager.version>
         <log4j2-api.version>2.19.0</log4j2-api.version>
         <log4j-jboss-logmanager.version>1.3.0.Final</log4j-jboss-logmanager.version>
-        <avro.version>1.11.1</avro.version>
+        <avro.version>1.11.3</avro.version>
         <apicurio-registry.version>2.3.1.Final</apicurio-registry.version>
         <apicurio-common-rest-client.version>0.1.13.Final</apicurio-common-rest-client.version> <!-- must be the version Apicurio Registry uses -->
         <jacoco.version>0.8.8</jacoco.version>

diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcJsonWebTokenProducer.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcJsonWebTokenProducer.java
@@ -79,7 +79,9 @@ private JsonWebToken getTokenCredential(Class<? extends TokenCredential> type) {
             return new OidcJwtCallerPrincipal(jwtClaims, credential);
         }
         String tokenType = type == AccessTokenCredential.class ? "access" : "ID";
-        LOG.tracef("Current identity is not associated with an %s token", tokenType);
+        LOG.warnf(
+                "Identity is not associated with an %s token. Access 'JsonWebToken' with '@IdToken' qualifier if ID token is required and 'JsonWebToken' without this qualifier when JWT access token is required. Inject either 'io.quarkus.security.identity.SecurityIdentity' or 'io.quarkus.oidc.UserInfo' if you need to have the same endpoint code working for both authorization code and bearer token authentication flows.",
+                tokenType);
         return new NullJsonWebToken();
     }
 }
diff --git a/...ttp/deployment/src/test/java/io/quarkus/vertx/http/http2/Http2RSTFloodProtectionTest.java b/...ttp/deployment/src/test/java/io/quarkus/vertx/http/http2/Http2RSTFloodProtectionTest.java
@@ -0,0 +1,109 @@
+package io.quarkus.vertx.http.http2;
+
+import static io.vertx.core.http.HttpMethod.GET;
+import static org.junit.jupiter.api.Assertions.fail;
+
+import java.io.File;
+import java.net.URL;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+
+import javax.enterprise.context.ApplicationScoped;
+import javax.enterprise.event.Observes;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Assumptions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+import io.quarkus.test.common.http.TestHTTPResource;
+import io.quarkus.vertx.core.runtime.VertxCoreRecorder;
+import io.vertx.core.http.HttpClient;
+import io.vertx.core.http.HttpClientOptions;
+import io.vertx.core.http.HttpClientRequest;
+import io.vertx.core.http.HttpVersion;
+import io.vertx.core.net.JdkSSLEngineOptions;
+import io.vertx.ext.web.Router;
+
+/**
+ * Reproduce CVE-2023-44487.
+ */
+public class Http2RSTFloodProtectionTest {
+
+    @TestHTTPResource(value = "/ping", ssl = true)
+    URL sslUrl;
+
+    @TestHTTPResource(value = "/ping")
+    URL url;
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(MyBean.class)
+                    .addAsResource(new File("src/test/resources/conf/ssl-jks.conf"), "application.properties")
+                    .addAsResource(new File("src/test/resources/conf/server-keystore.jks"), "server-keystore.jks"));
+
+    @Test
+    void testRstFloodProtectionWithTlsEnabled() throws Exception {
+        Assumptions.assumeTrue(JdkSSLEngineOptions.isAlpnAvailable()); //don't run on JDK8
+        HttpClientOptions options = new HttpClientOptions()
+                .setUseAlpn(true)
+                .setProtocolVersion(HttpVersion.HTTP_2)
+                .setSsl(true)
+                .setTrustAll(true);
+
+        var client = VertxCoreRecorder.getVertx().get().createHttpClient(options);
+        int port = sslUrl.getPort();
+        run(client, port, false);
+    }
+
+    @Test
+    public void testRstFloodProtection() throws InterruptedException {
+        HttpClientOptions options = new HttpClientOptions()
+                .setProtocolVersion(HttpVersion.HTTP_2)
+                .setHttp2ClearTextUpgrade(true);
+        var client = VertxCoreRecorder.getVertx().get().createHttpClient(options);
+        run(client, url.getPort(), true);
+    }
+
+    void run(HttpClient client, int port, boolean plain) throws InterruptedException {
+        CountDownLatch latch = new CountDownLatch(1);
+        client.connectionHandler(conn -> {
+            conn.closeHandler(v -> {
+                latch.countDown();
+            });
+            conn.goAwayHandler(ga -> {
+                Assertions.assertEquals(11, ga.getErrorCode());
+                latch.countDown();
+            });
+        });
+
+        if (plain) {
+            // Emit a first request to establish a connection.
+            // It's HTTP/1 so, does not count in the number of requests.
+            client.request(GET, port, "localhost", "/ping")
+                    .compose(HttpClientRequest::send);
+        }
+
+        for (int i = 0; i < 250; i++) { // must be higher thant the NEtty limit (200 / 30s)
+            client.request(GET, port, "localhost", "/ping")
+                    .onSuccess(req -> req.end().onComplete(v -> req.reset()));
+        }
+
+        if (!latch.await(10, TimeUnit.SECONDS)) {
+            fail("RST flood protection failed");
+        }
+    }
+
+    @ApplicationScoped
+    public static class MyBean {
+
+        public void register(@Observes Router router) {
+            router.get("/ping").handler(rc -> {
+                // Do nothing.
+            });
+        }
+
+    }
+}