Merge pull request #5813 from geoand/#5763

gsmet · web-flow · commit a2f66026f55b · 2019-11-27T21:52:18.000+01:00
Fix security issue related to the inclusion of annotations on secured method parameters
diff --git a/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java b/extensions/security/deployment/src/main/java/io/quarkus/security/deployment/SecurityProcessor.java
@@ -199,7 +199,7 @@ private ResultHandle paramTypes(MethodCreator ctor, List<Type> parameters) {
         ResultHandle result = ctor.newArray(String.class, ctor.load(parameters.size()));
 
         for (int i = 0; i < parameters.size(); i++) {
-            ctor.writeArrayValue(result, i, ctor.load(parameters.get(i).toString()));
+            ctor.writeArrayValue(result, i, ctor.load(parameters.get(i).name().toString()));
         }
 
         return result;
diff --git a/integration-tests/main/src/main/java/io/quarkus/it/rest/RBACSecuredResource.java b/integration-tests/main/src/main/java/io/quarkus/it/rest/RBACSecuredResource.java
@@ -4,8 +4,12 @@
 import javax.annotation.security.PermitAll;
 import javax.annotation.security.RolesAllowed;
 import javax.inject.Inject;
+import javax.validation.Valid;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.core.UriInfo;
 
 import io.quarkus.security.Authenticated;
 
@@ -25,6 +29,14 @@ public String forTesterOnly() {
         return "forTesterOnly";
     }
 
+    @GET
+    @RolesAllowed("tester")
+    @Path("forTesterOnlyWithMethodParamAnnotations")
+    public String forTesterOnlyWithMethodParamAnnotations(@Context SecurityContext ctx, @Context UriInfo uriInfo,
+            @Valid String message) {
+        return "forTesterOnlyWithMethodParamAnnotations";
+    }
+
     @GET
     @DenyAll
     @Path("denied")
diff --git a/integration-tests/main/src/test/java/io/quarkus/it/main/RBACAccessTest.java b/integration-tests/main/src/test/java/io/quarkus/it/main/RBACAccessTest.java
@@ -25,6 +25,15 @@ public void shouldRestrictAccessToSpecificRole() {
                 Optional.of("forTesterOnly"));
     }
 
+    @Test
+    public void shouldRestrictAccessToSpecificRoleAndMethodParameterAnnotationsShouldntAffectAnything() {
+        String path = "/rbac-secured/forTesterOnlyWithMethodParamAnnotations";
+        assertForAnonymous(path, 401, Optional.empty());
+        assertStatusAndContent(RestAssured.given().auth().preemptive().basic("stuart", "test"), path, 403, Optional.empty());
+        assertStatusAndContent(RestAssured.given().auth().preemptive().basic("scott", "jb0ss"), path, 200,
+                Optional.of("forTesterOnlyWithMethodParamAnnotations"));
+    }
+
     @Test
     public void shouldFailToAccessForbidden() {
         assertForAnonymous("/rbac-secured/denied", 401, Optional.empty());

Original file line number	Diff line number	Diff line change
`@@ -199,7 +199,7 @@ private ResultHandle paramTypes(MethodCreator ctor, List<Type> parameters) {`
`199`	`199`	`ResultHandle result = ctor.newArray(String.class, ctor.load(parameters.size()));`
`200`	`200`
`201`	`201`	`for (int i = 0; i < parameters.size(); i++) {`
`202`		`- ctor.writeArrayValue(result, i, ctor.load(parameters.get(i).toString()));`
	`202`	`+ ctor.writeArrayValue(result, i, ctor.load(parameters.get(i).name().toString()));`
`203`	`203`	`}`
`204`	`204`
`205`	`205`	`return result;`