[ESBJAVA-5302] Axis Service Null Error is printed in the backend When invoking a REST API Created: 24/Apr/18  Updated: 24/Apr/18

Status: Open
Project: WSO2 ESB
Component/s: None
Affects Version/s: 4.9.0, 5.0.0
Fix Version/s: None

Type: Bug Priority: High
Reporter: Shanika Wickramasinghe Assignee: Chanaka Fernando
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

OS
Linux 16.04
JDK 1.7.0_80


Severity: Major
Estimated Complexity: Moderate
Test cases added: Yes

Description

Steps to reproduce
1. Create a sample REST API by logging into ESB Management Console as follows

<api xmlns="http://ws.apache.org/ns/synapse" name="testabc1" context="/abc1">
    <resource methods="POST">
        <inSequence>
            <property name="NO_KEEPALIVE" value="true" scope="axis2" type="STRING"/>
            <send>
                <endpoint>
                    <address uri="http://www.mocky.io/v2/5addaa6530000068154b27b3"/>
                </endpoint>
            </send>
        </inSequence>
        <outSequence>
            <send/>
        </outSequence>
        <faultSequence>
            <sequence key="fault_email_seq"/>
            <send/>
        </faultSequence>
    </resource>
</api>

2. Invoke the API using a curl command
curl -i -X POST -H 'Content-Type: application/json' http://10.100.5.74:8280/abc1

3. WSAddressingHandler configs are enabled inside repository/conf/axis2/axis2.xml

When the WSAddressingHandler configs are enabled inside the axis2.xml (ESB_HOME/repository/conf/axis2/axis2.xml) file as follows:
<phase name="Addressing">
    <handler class="org.apache.axis2.dispatchers.AddressingBasedDispatcher" name="AddressingBasedDispatcher">
        <order phase="Addressing"/>
    </handler>
    <handler class="org.apache.synapse.transport.passthru.util.WSAddressingHandler" name="WSAddressingHandler">
        <order phase="Addressing"/>
    </handler>
</phase>

the error below is printed in the backend.

[2018-04-24 15:43:21,395] ERROR - WSAddressingHandler Axis Service is null

Analyzing the code of WSAddressingHandler shows the reason for the above behavior.
public class WSAddressingHandler extends AbstractHandler {
    ....
    if (messageContext.getAxisService() != null) {
        // Only build the message when the service explicitly enforces WS-Addressing
        if (messageContext.getAxisService().getParameter("enforceWSAddressing") != null
                && Boolean.parseBoolean((String) messageContext.getAxisService()
                        .getParameter("enforceWSAddressing").getValue())) {
            this.build(messageContext);
        }
    } else {
        // Reached for REST API calls, where no AxisService is set on the message context
        log.error("Axis Service is null");
    }
    ....
    ....
}
Proxy services are Axis2 services, whereas API calls are REST calls and are not treated as Axis2 services. When a request hits the ESB it passes through the Axis2 handlers, which identify whether the request is going to a REST API or to a proxy service. Since this request targets a REST API, the axis service variable is null, so the handler prints the ERROR message.

Suggest handling this case properly for REST APIs.
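As an added illustration (not the project's own code), the handler logic quoted above with the null case handled: a missing AxisService is treated as the expected REST-API path and skipped at debug level instead of being logged as an error. It assumes Axis2's MessageContext.isDoingREST() and that the original build() corresponds to RelayUtils.buildMessage(); both are assumptions, not facts from the issue.

```java
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.description.AxisService;
import org.apache.axis2.description.Parameter;
import org.apache.axis2.handlers.AbstractHandler;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.transport.passthru.util.RelayUtils;

/** Hypothetical null-safe variant of the addressing handler quoted in the issue. */
public class NullSafeWSAddressingHandler extends AbstractHandler {

    private static final Log log = LogFactory.getLog(NullSafeWSAddressingHandler.class);
    private static final String ENFORCE_PARAM = "enforceWSAddressing";

    public InvocationResponse invoke(MessageContext messageContext) throws AxisFault {
        AxisService service = messageContext.getAxisService();

        if (service == null) {
            // Expected for REST API invocations: there is no service-level parameter
            // to enforce, so record it at debug level and let the chain continue.
            if (log.isDebugEnabled()) {
                log.debug("No AxisService on message context (isDoingREST="
                        + messageContext.isDoingREST() + "); skipping WS-Addressing enforcement");
            }
            return InvocationResponse.CONTINUE;
        }

        if (isEnforced(service)) {
            try {
                // Assumption: RelayUtils.buildMessage is what the original build() did.
                RelayUtils.buildMessage(messageContext);
            } catch (Exception e) {
                throw new AxisFault("Error building message for WS-Addressing enforcement", e);
            }
        }
        return InvocationResponse.CONTINUE;
    }

    /** True only when the service declares enforceWSAddressing=true. */
    static boolean isEnforced(AxisService service) {
        Parameter p = service.getParameter(ENFORCE_PARAM);
        return p != null && p.getValue() != null
                && Boolean.parseBoolean(String.valueOf(p.getValue()));
    }
}
```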

[ESBJAVA-5301] Cannot encrypt VFS SFTP Passwords in EI Created: 22/Apr/18  Updated: 22/Apr/18

Status: Open
Project: WSO2 ESB
Component/s: None
Affects Version/s: EI-620
Fix Version/s: None

Type: Improvement Priority: High
Reporter: Lasindu Charith Assignee: Chanaka Fernando
Resolution: Unresolved Votes: 0
Labels: vfs
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

EI 6.2.0


Severity: Major
Estimated Complexity: Moderate
Test cases added: Yes

Description

In a scenario where EI reads a set of files from an SFTP location, transforms them, and writes them back to another SFTP location via an address endpoint, the SFTP password cannot be encrypted either in the synapse configuration or in the registry. This seems to be a limitation in EI.

[ESBJAVA-5300] CGI Generic SQL Injection Created: 18/Apr/18  Updated: 18/Apr/18

Status: Open
Project: WSO2 ESB
Component/s: Carbon Applications
Affects Version/s: EI-610
Fix Version/s: None

Type: Bug Priority: High
Reporter: Chaki Feng Assignee: Chanaka Fernando
Resolution: Unresolved Votes: 0
Labels: ESB
Remaining Estimate: 3 weeks
Time Spent: Not Specified
Original Estimate: 3 weeks
Environment:

operating system


Attachments: Microsoft Word WSO2.docx
Severity: Major
Estimated Complexity: Moderate
Test cases added: Yes

Description

By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

Note that this script is experimental and may be prone to false positives.

Generated at Tue Apr 24 17:56:40 IST 2018 using JIRA 7.2.2#72004-sha1:9d5132893cc8c728a3601a9034a1f8547ef5c7be.