WireMock 2.16.0 released [SECURITY UPDATE INCLUDED]


Tom Akehurst

Mar 28, 2018, 8:07:06 AM3/28/18
to wiremock-user
WireMock 2.16.0 contains fixes for three vulnerabilities, and it is highly recommended that you upgrade to this version if you are running WireMock on a server:
  • Ability to retrieve files outside the file root by constructing URLs containing .. e.g. /../../secret/my-file.txt
  • Ability to execute remote code via inclusion of remote DTD documents when using XPath or XML matching
  • Ability to cause a CPU saturation denial of service via inclusion of remote DTD documents when using XPath or XML matching

Big thanks to Aaron Devaney for finding these and helping me to create valid tests. CVE numbers will be generated and published here in due course.

Other changes in this release:
  • Ability to use transformer parameters from within a response template - thanks bduisenov
  • Response bodies read from files are now streamed rather than being loaded into memory, improving latency and memory utilisation - thanks Dan Ebert
  • Switched the rule to use an InheritableThreadLocal to avoid breaking in JUnit tests with timeouts - thanks Jason Leezer
  • Added the ability to specify a map of query parameters when stubbing - thanks Bryant Baird
  • Show the actual, rather than requested port when running from the CLI, so that the port can be randomised - thanks Nico Schoenmaker
  • Added an option to disable the banner when running standalone - thanks Jim Ma
  • Added a workaround for a Jetty bug that throws an exception when an empty multipart request body is sent
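As an added illustration of the two classes of fix described above (not WireMock's own code, and not taken from the 2.16.0 changes): a file-root containment check that rejects request paths which escape the root after normalisation, and a DOM parser configured to refuse DOCTYPE declarations and external DTD loading. The file root directory, the class name and the DTD host are assumed placeholders.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.StringReader;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardeningExample {
    // Resolve a request path against the file root and reject anything that
    // escapes the root after normalisation ("..", ".", repeated separators).
    // Leading slashes are dropped so resolve() treats the input as relative.
    static Path resolveWithinRoot(Path fileRoot, String requestPath) {
        Path root = fileRoot.toAbsolutePath().normalize();
        Path candidate = root.resolve(requestPath.replaceFirst("^/+", "")).normalize();
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException("path escapes file root: " + requestPath);
        }
        return candidate;
    }

    // DOM parser that refuses DOCTYPE declarations and never loads external DTDs or
    // entities, so a body referencing a remote DTD is rejected rather than fetched.
    static DocumentBuilder hardenedXmlParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        Path root = Paths.get("/var/wiremock/__files"); // assumed file root
        System.out.println(resolveWithinRoot(root, "/ok/file.txt"));
        try {
            resolveWithinRoot(root, "/../../secret/my-file.txt"); // traversal case from the post
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed body whose DOCTYPE points at a placeholder remote DTD.
        String body = "<!DOCTYPE x SYSTEM \"http://dtd-host.invalid/a.dtd\"><x/>";
        try {
            hardenedXmlParser().parse(new InputSource(new StringReader(body)));
        } catch (SAXException e) {
            System.out.println("rejected XML: " + e.getMessage());
        }
    }
}
```

The containment check runs after normalisation, so it also catches paths that reach `..` through intermediate directories; URL-decoding must happen before the check, otherwise an encoded `..` would pass through unnoticed.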

Kevin Ward

Apr 6, 2018, 7:16:55 AM4/6/18
to wiremock-user
Hi Tom,

Wasn't sure whether this constitutes an issue on GitHub but noticed this post which seemed relevant.

I've recently been trying to upgrade the version of jackson within wiremock 2.16.0 (as well as zjsonpatch) due to several vulnerabilities associated with databind and core (before 2.8.11.1 and 2.9.x before 2.9.5).

Modifying the current version of zjsonpatch to latest version causes a test failure in the EqualToJsonTest:

com.github.tomakehurst.wiremock.matching.EqualToJsonTest > ignoresExtraObjectAttributesAndArrayOrderWhenConfigured FAILED
    java.lang.AssertionError
        at org.junit.Assert.fail(Assert.java:86)
        at org.junit.Assert.assertTrue(Assert.java:41)
        at org.junit.Assert.assertTrue(Assert.java:52)
        at com.github.tomakehurst.wiremock.matching.EqualToJsonTest.ignoresExtraObjectAttributesAndArrayOrderWhenConfigured(EqualToJsonTest.java:259)


I've tried my best to resolve the issue but it seems that something has changed within zjsonpatch from version 0.3.0 onwards which causes this condition to fail each time. I would rather not remove the test to get wiremock to build, as I recognise there are additional tests which must validate the handling of JSON.

- Any ideas of what is causing this test to fail now?
- Will you be upgrading the version of zjsonpatch and jackson in the future?

For interest, I would recommend using snyk.io as it will keep you notified of vulnerabilities associated with your repository. Completely at your discretion whether you want to resolve the issues or not, but from a security perspective it is useful to know. I've included some links below of the high issues associated with jackson databind and core.


Lastly, appreciate all the hard work that has gone into wiremock and I think it's an excellent tool.

Many thanks

Kevin

Tom Akehurst

Apr 9, 2018, 5:53:01 AM4/9/18
to wiremock-user
Thanks for pointing this out. Been meaning to check out snyk.io more thoroughly for a while. It was very new and a bit sparsely populated when I last looked.

I had a quick look at the test case you've highlighted a while back and couldn't find a quick remedy IIRC, so unfortunately it's been relegated to the back burner. Likewise an attempt at upgrading to Jackson 2.9.x broke a whole load of tests, so it's been put in the "when there's more time" pile.

I may have some decent-sized blocks of time over the next couple of weeks, so I'll try to dig into these issues.