File _service:obs_scm:CVE-2021-20289.patch of Package resteasy
From 8dbcc5d69b2c077b1174e8cedac20956903e101b Mon Sep 17 00:00:00 2001
From: lingsheng <lingsheng@huawei.com>
Date: Wed, 21 Apr 2021 11:41:47 +0800
Subject: [PATCH] [RESTEASY-2843] Do not add the target type to the thrown exception. Instead log it as a debug message. Fix CVE-2021-20289, backport from https://github.com/resteasy/Resteasy/commit/358777a
---
 .../core/StringParameterInjector.java | 19 +++++++++++++------
 .../resteasy_jaxrs/i18n/LogMessages.java | 4 ++++
 .../resteasy_jaxrs/i18n/Messages.java | 4 ++--
 3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
index e50ba88..b7178f6 100755
--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
@@ -1,6 +1,7 @@
 package org.jboss.resteasy.core;
 
 import org.jboss.resteasy.annotations.StringParameterUnmarshallerBinder;
+import org.jboss.resteasy.resteasy_jaxrs.i18n.LogMessages;
 import org.jboss.resteasy.resteasy_jaxrs.i18n.Messages;
 import org.jboss.resteasy.spi.ResteasyProviderFactory;
 import org.jboss.resteasy.spi.StringConverter;
@@ -296,7 +297,8 @@ public class StringParameterInjector
 }
 catch (Exception e)
 {
-         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
+         LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
 }
 if (paramConverter != null)
 {
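Review bot: The message passed to throwProcessingException on the second `+` line of the -296 hunk still embeds the raw request value `strVal`; the commit removes the reflective target, but if that message is still rendered into the client error response (as the CVE report implies) the service continues to echo attacker-controlled input verbatim and unbounded. At minimum the length should be capped before it is formatted, e.g. `String shown = strVal == null ? null : strVal.substring(0, Math.min(strVal.length(), 256));` and `shown` passed instead of `strVal`, and the content type used for that error path should be confirmed to be non-HTML. The same applies to the catch blocks in the -322, -335, -346 and -355 hunks. The enclosing method begins and ends outside this hunk.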
@@ -322,11 +324,13 @@ public class StringParameterInjector
 }
 catch (InstantiationException e)
 {
-         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
+         LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
 }
 catch (IllegalAccessException e)
 {
-         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
+         LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
 }
 catch (InvocationTargetException e)
 {
@@ -335,7 +339,8 @@ public class StringParameterInjector
 {
 throw ((WebApplicationException)targetException);
 }
-         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), targetException);
+         LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
+         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
 }
 }
 else if (valueOf != null)
@@ -346,7 +351,8 @@ public class StringParameterInjector
 }
 catch (IllegalAccessException e)
 {
-         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), e);
+         LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
 }
 catch (InvocationTargetException e)
 {
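Review bot: The identical two-line log-then-throw sequence is now pasted into five catch blocks (the two in the -322 hunk, plus -296, -335, -346 and -355), and nothing ties the logged target to the message that omits it, so a later edit to one copy can silently put class or method names back into the client-visible text. A private helper that owns both calls keeps the "log the target, never throw it" rule in one place; assuming `strVal` is the method parameter and `target` the field, as the unchanged call sites suggest, each catch block then reduces to `failExtraction(e, strVal);` or `failExtraction(targetException, strVal);`. The enclosing method begins and ends outside these hunks.
```java
   /**
    * Records a failed conversion of {@code strVal} and rethrows it as a processing exception.
    * The reflective {@code target} is logged at DEBUG only; it is deliberately kept out of the
    * exception message, which can reach the client (RESTEASY-2843 / CVE-2021-20289).
    */
   private void failExtraction(Throwable cause, String strVal)
   {
      LogMessages.LOGGER.unableToExtractParameter(cause, getParamSignature(), strVal, target);
      throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), cause);
   }
   // … unchanged: each catch block replaced by a single failExtraction(...) call …
```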
@@ -355,7 +361,8 @@ public class StringParameterInjector
 {
 throw ((WebApplicationException)targetException);
 }
-         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal, target), targetException);
+         LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
+         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
 }
 }
 return null;
diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
index a1c82da..265e632 100644
--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
+++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/LogMessages.java
@@ -1,5 +1,6 @@
 package org.jboss.resteasy.resteasy_jaxrs.i18n;
 
+import java.lang.reflect.AccessibleObject;
 import java.net.URL;
 
 import javax.ws.rs.core.MediaType;
@@ -209,6 +210,9 @@ public interface LogMessages extends BasicLogger
 @Message(id = BASE + 335, value = "Unable to retrieve config: enableSecureProcessingFeature defaults to true")
 void unableToRetrieveConfigSecure();
 
+   @LogMessage(level = Level.DEBUG)
+   @Message("Unable to extract parameter from http request: %s value is '%s' for %s")
+   void unableToExtractParameter(@Cause Throwable cause, String paramSignature, String strVal, AccessibleObject target);
 
 ///////////////////////////////////////////////////////////////////////////////////////////////////////////
 // TRACE //
diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
index 8a3ca94..472fa30 100644
--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
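Review bot: The new `@Message` on the `+` lines of the -209 hunk carries no `id`, unlike `BASE + 335` immediately above it, so this DEBUG entry is the one message in the group emitted without a RESTEASY code that operators could filter on. If that is intentional (JBoss Logging accepts id-less messages) a comment saying so would keep a later contributor from "fixing" it; otherwise assign the next free id in the sequence. This entry is also the only place the reflective target and the raw request value are still recorded together, which is worth stating so the rationale survives, e.g. `// DEBUG only: the target is deliberately kept out of the client-facing message (CVE-2021-20289)` above the `@LogMessage` line.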
+++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/resteasy_jaxrs/i18n/Messages.java
@@ -549,8 +549,8 @@ public interface Messages
 @Message(id = BASE + 865, value = "Unable to determine base class from Type")
 String unableToDetermineBaseClass();
 
-   @Message(id = BASE + 870, value = "Unable to extract parameter from http request: {0} value is '{1}' for {2}", format=Format.MESSAGE_FORMAT)
-   String unableToExtractParameter(String paramSignature, String strVal, AccessibleObject target);
+   @Message(id = BASE + 870, value = "Unable to extract parameter from http request: %s value is '%s'")
+   String unableToExtractParameter(String paramSignature, String strVal);
 
 @Message(id = BASE + 875, value = "Unable to find a constructor that takes a String param or a valueOf() or fromString() method for {0} on {1} for basetype: {2}", format=Format.MESSAGE_FORMAT)
 String unableToFindConstructor(String paramSignature, AccessibleObject target, String className);
-- 
2.23.0
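Review bot: Nothing on the changed `+` lines of the -549 hunk records why the `AccessibleObject target` argument was dropped, so a later contributor comparing this with the richer LogMessages variant may reintroduce it and reopen the disclosure; a short comment above the annotation would pin the reason, e.g. `// Deliberately omits the target: this message is client-visible (CVE-2021-20289).` Changing the signature of a method on the public `Messages` interface while keeping id 870 is also source-incompatible for any other caller of the three-argument form; the diffstat shows only StringParameterInjector updated, so that is presumably the sole caller in this module, but downstream modules that call it should be checked.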