From f31efb7adc3525190e14c315815f6cfdbee4b074 Mon Sep 17 00:00:00 2001 From: Erik Merkle Date: Wed, 17 Feb 2021 14:54:36 -0600 Subject: [PATCH] Update RestEasy libs to address CVEs --- management-api-server/pom.xml | 4 +- .../datastax/mgmtapi/NettyJaxrsIPCServer.java | 38 +++++++++---------- .../datastax/mgmtapi/NettyJaxrsTLSServer.java | 33 ++++++++-------- 3 files changed, 38 insertions(+), 37 deletions(-) diff --git a/management-api-server/pom.xml b/management-api-server/pom.xml index a772fcea..66072182 100644 --- a/management-api-server/pom.xml +++ b/management-api-server/pom.xml @@ -25,8 +25,8 @@ 2.1.1 19.0 2.7.0 - 2.0.8 - 4.0.0.Final + 2.1.6 + 4.5.9.Final 4.1.50.Final 4.10.0 3.11.5 diff --git a/management-api-server/src/main/java/com/datastax/mgmtapi/NettyJaxrsIPCServer.java b/management-api-server/src/main/java/com/datastax/mgmtapi/NettyJaxrsIPCServer.java index 1eab9e5e..65104189 100644 --- a/management-api-server/src/main/java/com/datastax/mgmtapi/NettyJaxrsIPCServer.java +++ b/management-api-server/src/main/java/com/datastax/mgmtapi/NettyJaxrsIPCServer.java @@ -12,8 +12,6 @@ import java.util.Map; import java.util.concurrent.atomic.AtomicReference; -import javax.ws.rs.ApplicationPath; - import com.datastax.mgmtapi.ipc.IPCController; import io.netty.channel.Channel; import io.netty.channel.ChannelHandler; @@ -30,6 +28,7 @@ import org.jboss.resteasy.plugins.server.netty.RequestHandler; import org.jboss.resteasy.plugins.server.netty.RestEasyHttpRequestDecoder; import org.jboss.resteasy.plugins.server.netty.RestEasyHttpResponseEncoder; +import org.jboss.resteasy.util.EmbeddedServerHelper; public class NettyJaxrsIPCServer extends NettyJaxrsServer { 
@@ -40,11 +39,13 @@ public class NettyJaxrsIPCServer extends NettyJaxrsServer private Map channelOptions = Collections.emptyMap(); private List httpChannelHandlers = Collections.emptyList(); - private int maxRequestSize = 1024 * 1024 * 10; - private int maxInitialLineLength = 4096; - private int maxHeaderSize = 8192; - private int maxChunkSize = 8192; - private int idleTimeout = 60; + private final int maxRequestSize = 1024 * 1024 * 10; + private final int maxInitialLineLength = 4096; + private final int maxHeaderSize = 8192; + private final int maxChunkSize = 8192; + private final int idleTimeout = 60; + // From the internals of Resteasy + private final EmbeddedServerHelper serverHelper = new EmbeddedServerHelper(); public NettyJaxrsIPCServer(EventLoopGroup eventLoopGroup, File socketFile) { @@ -53,23 +54,25 @@ public NettyJaxrsIPCServer(EventLoopGroup eventLoopGroup, File socketFile) } @Override - public void setChannelOptions(final Map channelOptions) { + public NettyJaxrsServer setChannelOptions(final Map channelOptions) { this.channelOptions = channelOptions == null ? Collections.emptyMap() : channelOptions; + return this; } @Override - public void setHttpChannelHandlers(final List httpChannelHandlers) { + public NettyJaxrsServer setHttpChannelHandlers(final List httpChannelHandlers) { this.httpChannelHandlers = httpChannelHandlers == null ? Collections.emptyList() : httpChannelHandlers; + return this; } @Override - public void start() + public NettyJaxrsServer start() { synchronized (activeServerRef) { IPCController activeServer = activeServerRef.get(); if (activeServer != null && activeServer.isActive()) - return; + return this; if (activeServer != null) { 
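Review bot: Declaring `maxRequestSize`, `maxInitialLineLength`, `maxHeaderSize`, `maxChunkSize` and `idleTimeout` as `private final` in this subclass pins the request-size and idle-timeout limits to these literals. If the pipeline setup (outside this hunk) reads these fields, a value passed to the corresponding setters inherited from `NettyJaxrsServer` would presumably be ignored without any error. These limits bound how much a client can make the server buffer and how long an idle connection is held, so state that at the declaration, e.g. `// Fixed limits: the inherited NettyJaxrsServer setters do not change these copies`, or read the parent's values instead of shadowing them. The same fields are changed the same way in the NettyJaxrsTLSServer hunk.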
@@ -77,16 +80,12 @@ public void start() } else { - deployment.start(); + serverHelper.checkDeployment(deployment); // dynamically set the root path (the user can rewrite it by calling setRootResourcePath) - if (deployment.getApplication() != null) { - ApplicationPath appPath = deployment.getApplication().getClass().getAnnotation(ApplicationPath.class); - if (appPath != null && (root == null || "".equals(root))) { - // annotation is present and original root is not set - String path = appPath.value(); - setRootResourcePath(path); - } + String appPath = serverHelper.checkAppDeployment(deployment); + if (appPath != null && (root == null || "".equals(root))) { + setRootResourcePath(appPath); } activeServer = IPCController.newServer() @@ -106,6 +105,7 @@ protected void initChannel(Channel ch) throws Exception assert b : "Already active"; } } + return this; } @Override diff --git a/management-api-server/src/main/java/com/datastax/mgmtapi/NettyJaxrsTLSServer.java b/management-api-server/src/main/java/com/datastax/mgmtapi/NettyJaxrsTLSServer.java index 985bc0b0..eb9a5058 100644 --- a/management-api-server/src/main/java/com/datastax/mgmtapi/NettyJaxrsTLSServer.java +++ b/management-api-server/src/main/java/com/datastax/mgmtapi/NettyJaxrsTLSServer.java @@ -8,7 +8,6 @@ import java.net.InetSocketAddress; import java.util.Collections; import java.util.Map; -import javax.ws.rs.ApplicationPath; import io.netty.channel.Channel; import io.netty.channel.ChannelInitializer; 
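Review bot: Nothing at the call site says whether `serverHelper.checkDeployment(deployment)` still starts the deployment, which the removed `deployment.start()` did unconditionally. As far as I know the RESTEasy 4.5.x helper starts it only when the deployment has no registry yet, which should be confirmed against the pinned version. The field comment describes `EmbeddedServerHelper` as RESTEasy internals, so a later library bump for another CVE could change its behaviour without notice. I would add `// checkDeployment() starts the deployment if it is not started yet (RESTEasy internal helper; re-check on every RESTEasy upgrade)` above the call, here and at the same call in NettyJaxrsTLSServer.start(). The body of start() begins and ends outside this hunk.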
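Review bot: The added `return this;` is reached even when the condition behind `assert b : "Already active";` is false, because assertions are disabled by default in the JVM. `b` is assigned outside this hunk, presumably from a compare-and-set on `activeServerRef`. In that case start() hands the server back as if it had been registered. An explicit check holds under production settings: `if (!b) throw new IllegalStateException("Already active");`.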
@@ -27,34 +26,35 @@ import org.jboss.resteasy.plugins.server.netty.RequestHandler; import org.jboss.resteasy.plugins.server.netty.RestEasyHttpRequestDecoder; import org.jboss.resteasy.plugins.server.netty.RestEasyHttpResponseEncoder; +import org.jboss.resteasy.util.EmbeddedServerHelper; public class NettyJaxrsTLSServer extends NettyJaxrsServer { private final SslContext sslContext; private final EventLoopGroup eventLoopGroup = new NioEventLoopGroup(2); - private Map channelOptions = Collections.emptyMap(); - private int maxRequestSize = 1024 * 1024 * 10; - private int maxInitialLineLength = 4096; - private int maxHeaderSize = 8192; - private int maxChunkSize = 8192; - private int idleTimeout = 60; + private final Map channelOptions = Collections.emptyMap(); + private final int maxRequestSize = 1024 * 1024 * 10; + private final int maxInitialLineLength = 4096; + private final int maxHeaderSize = 8192; + private final int maxChunkSize = 8192; + private final int idleTimeout = 60; + // From the internals of Resteasy + private final EmbeddedServerHelper serverHelper = new EmbeddedServerHelper(); public NettyJaxrsTLSServer(SslContext sslContext) { this.sslContext = sslContext; } - public void start() { - deployment.start(); + @Override + public NettyJaxrsServer start() { + serverHelper.checkDeployment(deployment); // dynamically set the root path (the user can rewrite it by calling setRootResourcePath) - if (deployment.getApplication() != null) { - ApplicationPath appPath = deployment.getApplication().getClass().getAnnotation(ApplicationPath.class); - if (appPath != null && (root == null || "".equals(root))) { - // annotation is present and original root is not set - String path = appPath.value(); - setRootResourcePath(path); - } + String appPath = serverHelper.checkAppDeployment(deployment); + if (appPath != null && (root == null || "".equals(root))) { + setRootResourcePath(appPath); } + // Configure the server. 
bootstrap.group(eventLoopGroup) .channel(NioServerSocketChannel.class) @@ -82,6 +82,7 @@ protected void initChannel(Channel ch) throws Exception Channel channel = bootstrap.bind(socketAddress).syncUninterruptibly().channel(); runtimePort = ((InetSocketAddress) channel.localAddress()).getPort(); + return this; } protected void setupHandlers(Channel ch, RequestDispatcher dispatcher, RestEasyHttpRequestDecoder.Protocol protocol) {
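Review bot: `channelOptions` becomes `private final Map channelOptions = Collections.emptyMap();` and no `setChannelOptions` override is visible for NettyJaxrsTLSServer in this patch, so the field can never hold an option. If the bootstrap code in start() (partly outside this hunk) still iterates it, that loop does nothing. Options passed to the inherited `setChannelOptions` would then presumably end up in the parent's state rather than in this server's bootstrap. Either drop the shadowing field and use the parent's options, or keep it non-final and add the override NettyJaxrsIPCServer has: `this.channelOptions = channelOptions == null ? Collections.emptyMap() : channelOptions; return this;`.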