[ofbiz-framework] branch release18.12 updated: Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)


jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new c2d56b7  Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
c2d56b7 is described below

commit c2d56b70ff7ebb4ad2a61d37006537f6a1b2df1f
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Mar 29 13:13:53 2021 +0200

    Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
   
    The SOAP and HTTP engines are open doors to security issues.
    At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
    as we did for RMI in the past.
    Of course it must be clearly documented how to use them if needed.
   
    Here is the email content:
   
        After the recent fix for the CVE-2021-26295[1] we discussed with the security
        team about the opportunity need to comment out the SOAP and HTTP engines
        like we did in the past for RMI[2], this obviously for security reasons.
   
        [1] OFBIZ-12167 "Adds a blacklist (to be
        renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
        [2] OFBIZ-6942 "Comment out RMI related
        code because of the Java deserialization issue [CVE-2016-2170] "
   
    I just put a small comment in webtools controller, it should be enough.
   
    The tests pass
---
 framework/common/servicedef/services_test.xml      | 38 +++++++++++-----------
 .../webcommon/WEB-INF/handlers-controller.xml      |  2 +-
 framework/service/config/serviceengine.xml         | 12 +++----
 framework/service/testdef/servicetests.xml         |  2 +-
 .../webapp/webtools/WEB-INF/controller.xml         |  5 +--
 5 files changed, 30 insertions(+), 29 deletions(-)

diff --git a/framework/common/servicedef/services_test.xml b/framework/common/servicedef/services_test.xml
index 2963778..d21e921 100644
--- a/framework/common/servicedef/services_test.xml
+++ b/framework/common/servicedef/services_test.xml
@@ -71,13 +71,13 @@ under the License.
 
     <service name="groupTest" engine="group" location="testGroup" invoke=""/>
 
-    <service name="testHttp" engine="http" location="main-http" invoke="testScv">
+<!--     <service name="testHttp" engine="http" location="main-http" invoke="testScv">
         <description>HTTP service wrapper around the test service</description>
         <attribute name="message" type="String" mode="IN" optional="true"/>
         <attribute name="resp" type="String" mode="OUT"/>
-    </service>
+    </service> -->
 
-    <service name="testSoap" engine="soap" export="true" location="main-soap" invoke="testSOAPScv">
+<!--     <service name="testSoap" engine="soap" export="true" location="main-soap" invoke="testSOAPScv">
         <description>SOAP service; calls the OFBiz test SOAP service</description>
         <implements service="testSOAPScv"/>
     </service>
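Review bot: the `<!--` opened on the `testSoap` line is not closed in this hunk, so everything after it becomes comment text until the `-->` that only appears after `testRemoteSoap4` in the last hunk of this file; because XML comments cannot nest, every inner `<!-- ... -->` in that span has to be stripped (the following hunks do exactly that) and the span must not contain `--`. Closing the comment right after `</service>` of `testSoap`, as is done for `testHttp`, and commenting each remote SOAP service on its own would keep the file robust against a later edit re-introducing a nested comment. Also, `<!--     <service` puts the opener at column 0 while the element keeps its indentation; `    <!-- <service ...` would match the style used in the `handlers-controller.xml` and `serviceengine.xml` hunks below.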
@@ -87,12 +87,12 @@ under the License.
         <implements service="testScv"/>
     </service>
 
-    <!--  test service for local loopback testing (OFBiz Client SOAP -> OFBiz Server SOAP)  
-        https://ofbiz-vm2.apache.org:8443/webtools/control/SOAPService is the ultimate location for the testRemoteSoap
+     test service for local loopback testing (OFBiz Client SOAP -> OFBiz Server SOAP)
+        https://ofbiz-vm2.apache.org:8443/webtools/control/SOAPService is the ultimate location for the testRemoteSoap
         It's redirected from https://demo-trunk.ofbiz.apache.org/webtools/control/SOAPService by the HTTPD frontend installed by Puppet in the demo server, ie ofbiz-vm2.apache.org
         We could use also http://demo-trunk.ofbiz.apache.org/webtools/control/SOAPService but HSTS would sent it to https anyway
-        So this can be used only against trunk demo and is not in the tests set to avoid a dependency on Internet -->
-    <service name="testRemoteSoap" engine="soap" export="true"
+        So this can be used only against trunk demo and is not in the tests set to avoid a dependency on Internet
+    <service name="testRemoteSoap" engine="soap" export="true"
         location="https://demo-trunk.ofbiz.apache.org/webtools/control/SOAPService"
         invoke="testSoapSimple">
         <attribute name="defaultValue" type="Double" mode="IN" default-value="999.9999"/>
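Review bot: removing the `<!--`/`-->` around the loopback note is required here because this block now sits inside the comment opened at `testSoap` and XML comments do not nest; the remaining text must then contain no `--`, which holds for these lines (`->` is fine). A one-line remark saying why the delimiters were removed would stop a future reader from turning this back into a nested comment.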
@@ -100,12 +100,12 @@ under the License.
         <attribute name="resp" type="String" mode="OUT"/>
     </service>
 
-    <!-- FIXME For now, not sure why, the 4 remote SOAP services below don't work -->
+    FIXME For now, not sure why, the 4 remote SOAP services below don't work
     
-    <!-- the location = endpoint = SOAP action -->
-    <!-- invoke parameter is the name of the operation to invoke, for example LatLonListZipCode -->
-    <!-- invoke parameter is needed when there are several possible operations for the SOAP action  -->
-    <!-- FIXME For now, not sure why, this remote SOAP service does not work -->
+    the location = endpoint = SOAP action
+    invoke parameter is the name of the operation to invoke, for example LatLonListZipCode
+    invoke parameter is needed when there are several possible operations for the SOAP action
+    FIXME For now, not sure why, this remote SOAP service does not work
     <service name="testRemoteSoap1" engine="soap" export="true"
         location="http://www.weather.gov/forecasts/xml/SOAP_server/ndfdXMLserver.php"
         invoke="LatLonListZipCode">
@@ -118,10 +118,10 @@ under the License.
         <attribute name="result" type="String" mode="OUT"/>
     </service>
     
-    <!-- the location = endpoint = SOAP action -->
-    <!-- invoke parameter is the name of the operation to invoke, for example LatLonListCityNames -->
-    <!-- invoke parameter is needed when there are several possible operations for the SOAP action  -->
-    <!-- FIXME For now, not sure why, this remote SOAP service does not work -->
+    the location = endpoint = SOAP action
+    invoke parameter is the name of the operation to invoke, for example LatLonListCityNames
+    invoke parameter is needed when there are several possible operations for the SOAP action
+    FIXME For now, not sure why, this remote SOAP service does not work
     <service name="testRemoteSoap2" engine="soap" export="true"
         location="http://www.weather.gov/forecasts/xml/SOAP_server/ndfdXMLserver.php"
         invoke="LatLonListCityNames">
@@ -134,7 +134,7 @@ under the License.
         <attribute name="result" type="String" mode="OUT"/>
     </service>
 
-    <!-- FIXME For now, not sure why, this remote SOAP service does not work -->
+    FIXME For now, not sure why, this remote SOAP service does not work
     <service name="testRemoteSoap3" engine="soap" export="true"
         location="http://www.restfulwebservices.net/wcf/EmailValidationService.svc"
         invoke="EmailValidationService">
@@ -143,13 +143,13 @@ under the License.
         <attribute name="result" type="String" mode="OUT"/>
     </service>
     
-    <!-- FIXME For now, not sure why, this remote SOAP service does not work -->
+    FIXME For now, not sure why, this remote SOAP service does not work
     <service name="testRemoteSoap4" engine="soap" export="true"
         location="http://www.webservicex.net/geoipservice.asmx"
         invoke="GetGeoIPContext">
         <attribute name="invoke" type="String" mode="IN" />
         <attribute name="result" type="String" mode="OUT"/>
-    </service>
+    </service> -->
 
     <service name="testGroovy" engine="groovy" location="component://common/groovyScripts/GroovyServiceTest.groovy" invoke="">
         <description>Test Groovy Script Service</description>
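Review bot: the `-->` after `testRemoteSoap4` closes the comment opened on the `testSoap` line in the first hunk, so `testSoap`, `testRemoteSoap` and `testRemoteSoap1` to `testRemoteSoap4` all live in one comment spanning several screens. Re-enabling a single service in the middle would require rebalancing both ends of that comment; one comment per `<service>` definition is easier to maintain and produces smaller diffs.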
diff --git a/framework/common/webcommon/WEB-INF/handlers-controller.xml b/framework/common/webcommon/WEB-INF/handlers-controller.xml
index be21b19..0be248b 100644
--- a/framework/common/webcommon/WEB-INF/handlers-controller.xml
+++ b/framework/common/webcommon/WEB-INF/handlers-controller.xml
@@ -24,7 +24,7 @@ under the License.
 
     <!-- event handlers -->
     <handler name="java" type="request" class="org.apache.ofbiz.webapp.event.JavaEventHandler"/>
-    <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/>
+    <!-- <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> -->
     <handler name="xmlrpc" type="request" class="org.apache.ofbiz.webapp.event.XmlRpcEventHandler"/>
     <handler name="service" type="request" class="org.apache.ofbiz.webapp.event.ServiceEventHandler"/>
     <handler name="service-multi" type="request" class="org.apache.ofbiz.webapp.event.ServiceMultiEventHandler"/>
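Review bot: once the `soap` handler is commented out, any controller that still declares `<event type="soap"/>` refers to a handler that no longer exists, so this change has to be paired with commenting out every such event (the webtools `controller.xml` hunk below does this for `SOAPService`); a grep for `type="soap"` over the other components' controllers would confirm no other user remains. The `xmlrpc` handler on the next line stays enabled; if that is intentional for OFBIZ-12212, the commit message should say so.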
diff --git a/framework/service/config/serviceengine.xml b/framework/service/config/serviceengine.xml
index dcd1a80..96bf1e4 100644
--- a/framework/service/config/serviceengine.xml
+++ b/framework/service/config/serviceengine.xml
@@ -52,10 +52,10 @@ under the License.
         <engine name="javascript" class="org.apache.ofbiz.service.engine.ScriptEngine"/>
         <!--  -->
         <engine name="route" class="org.apache.ofbiz.service.engine.RouteEngine"/>
-        <engine name="http" class="org.apache.ofbiz.service.engine.HttpEngine"/>
+        <!-- <engine name="http" class="org.apache.ofbiz.service.engine.HttpEngine"/> -->
         <engine name="jms" class="org.apache.ofbiz.service.jms.JmsServiceEngine"/>
         <engine name="rmi" class="org.apache.ofbiz.service.rmi.RmiServiceEngine"/>
-        <engine name="soap" class="org.apache.ofbiz.service.engine.SOAPClientEngine"/>
+        <!-- <engine name="soap" class="org.apache.ofbiz.service.engine.SOAPClientEngine"/> -->
         <!-- The engine xml-rpc-local is only used by a test service and for this reason it is configured to run on port 8080.
              In order to use this in OFBiz change the port accordingly (for demo the default value is 8080)
         -->
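Review bot: the `rmi` engine entry sitting between the two commented-out lines stays active, while the commit message says RMI was commented out in the past (OFBIZ-6942); if the engine entry is deliberately kept, a short comment next to it explaining why would remove the apparent inconsistency. The `<!-- <engine .../> -->` style used here matches the handlers file; the `services_test.xml` hunks use `<!--     <service` instead, so one style should be chosen for the whole patch.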
@@ -66,14 +66,14 @@ under the License.
         </engine>
 
         <service-location name="main-rmi" location="rmi://localhost:1099/RMIDispatcher"/>
-        <service-location name="main-http" location="http://localhost:8080/webtools/control/httpService"/>
-        <service-location name="main-soap" location="http://localhost:8080/webtools/control/SOAPService"/>
+        <!-- <service-location name="main-http" location="http://localhost:8080/webtools/control/httpService"/>
+        <service-location name="main-soap" location="http://localhost:8080/webtools/control/SOAPService"/> -->
         
         <service-location name="entity-sync-rmi" location="rmi://localhost:1099/RMIDispatcher"/>
-        <service-location name="entity-sync-http" location="https://localhost:8443/webtools/control/httpService"/>
+        <!-- <service-location name="entity-sync-http" location="https://localhost:8443/webtools/control/httpService"/> -->
 
         <service-location name="rita-rmi" location="rmi://localhost:1099/RMIDispatcher"/>
-        <service-location name="eedcc-test" location="https://localhost:8443/webtools/control/httpService"/>
+        <!-- <service-location name="eedcc-test" location="https://localhost:8443/webtools/control/httpService"/> -->
 
         <!-- default notification group for all services loaded with 'main' loader
              - uncomment this to enable error notification for all services
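Review bot: `main-http` and `main-soap` are wrapped in a single comment while `entity-sync-http` and `eedcc-test` each get their own; either form is valid, but `main-rmi`, `entity-sync-rmi` and `rita-rmi` remain live, so the same question as for the `rmi` engine applies. These locations point at the `localhost` webtools URLs whose request-maps the `controller.xml` hunk below comments out, so the re-enable procedure (engine, service-location, handler, request-map) should be documented in one place, as the commit message itself asks for.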
diff --git a/framework/service/testdef/servicetests.xml b/framework/service/testdef/servicetests.xml
index 5238bce..2f9b76f 100644
--- a/framework/service/testdef/servicetests.xml
+++ b/framework/service/testdef/servicetests.xml
@@ -22,7 +22,7 @@ under the License.
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/test-suite.xsd">
     <test-case case-name="service-tests"><junit-test-suite class-name="org.apache.ofbiz.service.test.ServiceEngineTests"/></test-case>
-    <test-case case-name="service-soap-tests"><junit-test-suite class-name="org.apache.ofbiz.service.test.ServiceSOAPTests"/></test-case>
+    <!-- <test-case case-name="service-soap-tests"><junit-test-suite class-name="org.apache.ofbiz.service.test.ServiceSOAPTests"/></test-case> -->
     <test-case case-name="service-entity-auto-tests"><junit-test-suite class-name="org.apache.ofbiz.service.test.ServiceEntityAutoTests"/></test-case>
 
     <test-case case-name="load-service-test-data">
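Review bot: commenting out the `service-soap-tests` case removes the SOAP round-trip coverage entirely; `ServiceSOAPTests` still compiles but nothing runs it, so a regression in the disabled engines will go unnoticed until someone re-enables them. A note here or in the commit message stating that this suite must be restored together with the engines would help whoever does that.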
diff --git a/framework/webtools/webapp/webtools/WEB-INF/controller.xml b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
index e0a5304..fe58a78 100644
--- a/framework/webtools/webapp/webtools/WEB-INF/controller.xml
+++ b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
@@ -43,7 +43,8 @@ under the License.
     <!-- Request Mappings -->
 
     <!-- Begin Utility Requests -->
-    <request-map uri="httpService">
+    <!-- The 2 services below have been commented out for security reason, see OFBIZ-12212  -->
+    <!-- <request-map uri="httpService">
         <event type="java" path="org.apache.ofbiz.service.engine.HttpEngine" invoke="httpEngine"/>
         <response name="success" type="none"/>
         <response name="error" type="none"/>
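Review bot: the explanatory comment says "The 2 services below" but the comment opener that follows only shows `httpService`; the `SOAPService` request-map is closed with `-->` in the next hunk, so both are covered, though the reader has to look there to confirm it. "for security reason" should read "for security reasons". Since the `<!--` opened here is closed only in the next hunk, make sure no `--` appears in the enclosed request-maps (none is visible in the context lines shown).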
@@ -53,7 +54,7 @@ under the License.
         <event type="soap"/>
         <response name="error" type="none"/>
         <response name="success" type="none"/>
-    </request-map>
+    </request-map> -->
     <request-map uri="xmlrpc" track-serverhit="false" track-visit="false">
         <security auth="true"/>
         <event type="xmlrpc"/>
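Review bot: the `xmlrpc` request-map immediately after the closed comment remains reachable (with `auth="true"`), and its handler is also kept in `handlers-controller.xml`; if XML-RPC is deliberately out of scope for OFBIZ-12212, the commit message should say so, otherwise it deserves the same review as the HTTP and SOAP entry points.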