This is an automated email from the ASF dual-hosted git repository.

robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git

commit 2d702f48ed7244b217ed8a5e22939fa121963b43
Author: Robert Lazarski <[email protected]>
AuthorDate: Mon Jun 1 09:57:13 2026 -1000

Rewrite AGENTS.md to prioritize JSON-RPC, OpenAPI, and MCP scan areas

Modern deployments use JSON-RPC as the primary protocol with REST/OpenAPI and MCP as additional interfaces. Reorder scan priorities: JSON-RPC processing and OpenAPI/MCP modules are now items 1-2. Fixed incorrect JSON file paths (modules/json/, not modules/kernel/.../json/). Added missing modules: mcp-bridge, openapi, field filtering, enhanced HTTP/2 JSON variants. XML/WSDL processing moved to item 5 as secondary.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
---
AGENTS.md | 102 ++++++++++++++++++++++++++++++++++++++++++--------------------
1 file changed, 70 insertions(+), 32 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index bcd75ca84b..318272d018 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -7,15 +7,61 @@ See [SECURITY.md](SECURITY.md) for the full threat model, including: - Project description and architecture - Roles and trust levels (server admin, service deployer, authenticated/anonymous client) - Security boundaries: what is and is not a security issue -- Attack surface by component (XML parsers, WSDL imports, JSON, deserialization, file uploads, hot-deployment) +- Attack surface by component (JSON-RPC, REST/OpenAPI, XML/WSDL, deserialization, file uploads) - CVE history and lessons learned (deserialization, XXE/SSRF, dependency CVEs) - Existing hardening measures ## High-Priority Scan Areas -Based on Axis2's CVE history, the following areas deserve the most scrutiny: +Modern Axis2/Java deployments serve **JSON-RPC over HTTP/HTTPS** as +the primary protocol, with REST/OpenAPI and MCP as additional +interfaces. The scan should weight accordingly: JSON processing, +JSON-RPC dispatch, and the OpenAPI/MCP modules are the primary attack +surface. SOAP/XML and WSDL processing are secondary. -### 1. Deserialization (historically most severe) +### 1. JSON-RPC Processing (primary production protocol) + +JSON-RPC is the primary protocol for production deployments. The JSON +module provides two serialization backends (Gson, Moshi) with enhanced +HTTP/2 variants, JSON-RPC message receivers that dispatch method calls +to service operations, field filtering, pagination, streaming +formatters, and structured error responses. 
Scan for: +- Method name injection in JSON-RPC dispatch +- Deep nesting / stack exhaustion (CVE-2024-57699 pattern) +- Type confusion in JSON-to-Java object mapping +- Large payload resource exhaustion +- Reflection-based field filtering bypass (`FieldFilteringMessageFormatter`) + +Key files: +- `modules/json/src/org/apache/axis2/json/gson/rpc/JsonRpcMessageReceiver.java` (Gson JSON-RPC dispatch) +- `modules/json/src/org/apache/axis2/json/moshi/rpc/JsonRpcMessageReceiver.java` (Moshi JSON-RPC dispatch) +- `modules/json/src/org/apache/axis2/json/gson/rpc/JsonUtils.java` (Gson JSON-RPC utilities) +- `modules/json/src/org/apache/axis2/json/moshi/rpc/JsonUtils.java` (Moshi JSON-RPC utilities) +- `modules/json/src/org/apache/axis2/json/streaming/FieldFilteringMessageFormatter.java` (field selection) +- `modules/json/src/org/apache/axis2/json/rpc/JsonRpcFaultException.java` (error responses) +- `modules/json/src/org/apache/axis2/json/gsonh2/` (enhanced Gson for HTTP/2) +- `modules/json/src/org/apache/axis2/json/moshih2/` (enhanced Moshi for HTTP/2) +- `modules/kernel/src/org/apache/axis2/dispatchers/JSONBasedDefaultDispatcher.java` + +### 2. OpenAPI and MCP Modules (new attack surface) + +The OpenAPI module auto-generates API schemas and Swagger UI from +deployed services. The MCP module generates tool catalogs for AI +agents. Both expose service metadata and accept configuration that +could be manipulated. 
Scan for: +- Information disclosure via schema generation (internal class names, field types) +- XSS in Swagger UI handler +- Input validation in MCP tool invocation bridge +- SSRF via MCP stdio bridge connecting to Axis2 endpoints + +Key files: +- `modules/openapi/src/main/java/org/apache/axis2/openapi/OpenApiSpecGenerator.java` +- `modules/openapi/src/main/java/org/apache/axis2/openapi/SwaggerUIHandler.java` +- `modules/openapi/src/main/java/org/apache/axis2/openapi/OpenApiModule.java` +- `modules/mcp-bridge/src/main/java/org/apache/axis2/mcp/bridge/McpStdioServer.java` +- `modules/mcp-bridge/src/main/java/org/apache/axis2/mcp/bridge/ToolRegistry.java` + +### 3. Deserialization (historically most severe) The clustering module was removed due to unvalidated `ObjectInputStream` deserialization on network input. Scan for any remaining paths where 
@@ -27,12 +73,24 @@ bypassable. Key files: - `modules/kernel/src/org/apache/axis2/context/externalize/SafeObjectInputStream.java` -### 2. XML Parsing (XXE/SSRF via third-party libraries) +### 4. HTTP Transport Entry Points + +The HTTP transport is the network entry point for all protocols +(JSON-RPC, REST, SOAP). Scan for header injection, request smuggling, +and URI parsing issues. + +Key files: +- `modules/transport/http/src/main/java/org/apache/axis2/transport/http/AxisServlet.java` +- `modules/transport/http/src/main/java/org/apache/axis2/transport/http/HTTPWorker.java` + +### 5. XML Parsing (XXE/SSRF via third-party libraries, secondary) wsdl4j and xmlschema-core create their own XML parser factories without XXE hardening. Axis2 wraps these with `SecureWSDLLocator` and hardened URI resolvers. Scan for any XML parsing path — especially through -transitive dependencies — that bypasses this wrapping. +transitive dependencies — that bypasses this wrapping. Note: modern +deployments primarily use JSON-RPC, making WSDL processing a secondary +concern triggered mainly by `?wsdl` metadata requests. Key files: - `modules/kernel/src/org/apache/axis2/util/SecureWSDLLocator.java` 
@@ -43,20 +101,7 @@ Key files: - `modules/kernel/src/org/apache/axis2/deployment/resolver/AARBasedWSDLLocator.java` - `modules/kernel/src/org/apache/axis2/deployment/resolver/WarBasedWSDLLocator.java` -### 3. JSON Processing - -JSON-RPC is the primary protocol for production deployments. Scan the -JSON message builder and dispatcher for: -- Deep nesting / stack exhaustion (CVE-2024-57699 pattern) -- Method name injection in JSON-RPC dispatch -- Type confusion in JSON-to-Java object mapping -- Large payload resource exhaustion - -Key files: -- `modules/kernel/src/org/apache/axis2/json/` (JSON builders and formatters) -- `modules/kernel/src/org/apache/axis2/dispatchers/` (JSON-based dispatcher) - -### 4. Multipart/File Upload +### 6. Multipart/File Upload Migrated from commons-fileupload 1.x to commons-fileupload2 for CVE-2023-24998. Verify the migration is complete and no legacy code @@ -66,7 +111,7 @@ Key files: - `modules/kernel/src/org/apache/axis2/builder/MultipartFormDataBuilder.java` - `modules/webapp/src/main/java/org/apache/axis2/webapp/AdminActions.java` -### 5. Admin Console (webapp) +### 7. Admin Console (webapp) The admin console has a history of web vulnerabilities (CVE-2010-3981: CSRF/XSS). Scan for common web security issues including authentication, 
@@ -76,25 +121,19 @@ Key files: - `modules/webapp/src/main/java/org/apache/axis2/webapp/` - `modules/webapp/src/main/webapp/axis2-web/` -### 6. HTTP Transport Entry Points - -The HTTP transport is the primary attack surface. Scan for header -injection, request smuggling, and URI parsing issues. - -Key files: -- `modules/transport/http/src/main/java/org/apache/axis2/transport/http/AxisServlet.java` -- `modules/transport/http/src/main/java/org/apache/axis2/transport/http/HTTPWorker.java` - ## Project Structure ``` modules/ + json/ JSON processing: Gson, Moshi, HTTP/2 enhanced variants, + JSON-RPC receivers, field filtering, pagination, streaming kernel/ Core engine: message pipeline, handlers, deployment, - XML parsing, dispatchers, context, JSON processing + XML parsing, dispatchers, context transport/ Pluggable transports: HTTP, local, JMS, TCP, UDP, mail + openapi/ OpenAPI schema generation, Swagger UI, MCP catalog + mcp-bridge/ MCP stdio bridge for AI agent integration webapp/ Admin console WAR addressing/ WS-Addressing module - openapi/ OpenAPI + Swagger UI + MCP catalog generation fuzz/ Jazzer fuzz targets (XML, JSON, HTTP headers, URLs) samples/ Sample services including Spring Boot deployments systests/ Integration tests @@ -104,7 +143,6 @@ systests/ Integration tests Fuzz targets exist in `modules/fuzz/` covering XML, JSON, HTTP header, and URL parsers. See `src/site/xdoc/docs/OSS-FUZZ.md` for details. -Axis2/C has an active Google OSS-Fuzz integration. ## Reporting
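Review bot: The rewritten "Attack surface by component" bullet in the first hunk (@@ -7,15 +7,61 @@) no longer matches the rest of the change: it drops hot-deployment and does not name MCP, although the same hunk adds "OpenAPI and MCP Modules" as priority area 2, and the bullet is presented as a summary of SECURITY.md, which this commit does not touch (1 file changed). Either keep the bullet aligned with what SECURITY.md actually lists, or update SECURITY.md in the same change and add MCP here; the commit message should also say why hot-deployment was removed. In the new section 2, the text says the MCP module "generates tool catalogs", while the Project Structure block puts "MCP catalog" under `openapi/`; name the file that generates the catalog in the Key files list so a scanner knows where to look.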
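Review bot: The note appended to the XML Parsing section in the second hunk (@@ -27,12 +73,24 @@) marks WSDL processing as secondary but also says it is triggered by `?wsdl` metadata requests, without stating which role from the threat model (server admin, service deployer, authenticated or anonymous client) can send them. If that request is reachable by an anonymous client, the wsdl4j and xmlschema-core path stays network-reachable regardless of which protocol is primary, so state the reachability explicitly to keep "secondary" from being read as "skip". The same hunk places HTTP Transport at item 4 while describing it as "the network entry point for all protocols"; a sentence explaining why it ranks below the JSON and deserialization items would make the ordering unambiguous.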
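Review bot: The Key files entry removed in the third hunk (@@ -43,20 +101,7 @@), `modules/kernel/src/org/apache/axis2/dispatchers/`, covered the whole dispatcher directory, whereas its replacement in the new section 1 names only `JSONBasedDefaultDispatcher.java`. If other dispatchers in that directory take part in routing JSON-RPC or REST requests, keep the directory entry next to the single file so the scan scope is not narrowed by the rewrite.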
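Review bot: The `fuzz/` line in the Project Structure block of the last hunk (@@ -76,25 +121,19 @@) still lists only "XML, JSON, HTTP headers, URLs", so after this change the document does not say whether the new priority areas 1 and 2 (JSON-RPC dispatch, field filtering, OpenAPI, the MCP bridge) have fuzz targets. Add a sentence to the Fuzz section stating which of those are covered and which are not. The hunk also deletes "Axis2/C has an active Google OSS-Fuzz integration." and the commit message does not mention it; give the reason in the message or move the deletion to its own commit.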
