Kafka / KAFKA-7715

Connect should have a parameter to disable WADL output for OPTIONS method


Details

    • Improvement
    • Status: Resolved
    • Critical
    • Resolution: Won't Fix
    • 2.1.0
    • None
    • config, security
    • None

    Description

      Currently, the Connect REST API exposes WADL output on the OPTIONS method:

      curl -i -X OPTIONS http://localhost:8083/connectors
      HTTP/1.1 200 OK
      Date: Fri, 07 Dec 2018 22:51:53 GMT
      Content-Type: application/vnd.sun.wadl+xml
      Allow: HEAD,POST,GET,OPTIONS
      Last-Modified: Fri, 07 Dec 2018 14:51:53 PST
      Content-Length: 1331
      Server: Jetty(9.4.12.v20180830)
      
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <application xmlns="http://wadl.dev.java.net/2009/02">
      <doc xmlns:jersey="http://jersey.java.net/" jersey:generatedBy="Jersey: 2.27 2018-04-10 07:34:57"/>
      <grammars>
      <include href="http://localhost:8083/application.wadl/xsd0.xsd">
      <doc title="Generated" xml:lang="en"/>
      </include>
      </grammars>
      <resources base="http://localhost:8083/">
      <resource path="connectors">
      <method id="createConnector" name="POST">
      <request>
      <param xmlns:xs="http://www.w3.org/2001/XMLSchema" name="forward" style="query" type="xs:boolean"/>
      <representation mediaType="application/json"/>
      </request>
      <response>
      <representation mediaType="application/json"/>
      </response>
      </method>
      <method id="listConnectors" name="GET">
      <request>
      <param xmlns:xs="http://www.w3.org/2001/XMLSchema" name="forward" style="query" type="xs:boolean"/>
      </request>
      <response>
      <representation mediaType="application/json"/>
      </response>
      </method>
      </resource>
      </resources>
      </application>
      

      This can be a potential vulnerability, so it makes sense to have a configuration parameter that disables WADL output.


          People

            odiachenko Oleksandr Diachenko