Merge pull request quarkusio#36544 from cescoffier/vertx-4.4.6

Update Vert.x version to 4.4.6

bom/application/pom.xml

@@ -62,7 +62,7 @@
         <smallrye-context-propagation.version>2.1.0</smallrye-context-propagation.version>
         <smallrye-reactive-streams-operators.version>1.0.13</smallrye-reactive-streams-operators.version>
         <smallrye-reactive-types-converter.version>3.0.1</smallrye-reactive-types-converter.version>
-        <smallrye-mutiny-vertx-binding.version>3.6.0</smallrye-mutiny-vertx-binding.version>
+        <smallrye-mutiny-vertx-binding.version>3.7.2</smallrye-mutiny-vertx-binding.version>
         <smallrye-reactive-messaging.version>4.10.1</smallrye-reactive-messaging.version>
         <smallrye-stork.version>2.3.1</smallrye-stork.version>
         <jakarta.activation.version>2.1.2</jakarta.activation.version>
@@ -120,7 +120,7 @@
         <wildfly-client-config.version>1.0.1.Final</wildfly-client-config.version>
         <wildfly-elytron.version>2.2.2.Final</wildfly-elytron.version>
         <jboss-threads.version>3.5.0.Final</jboss-threads.version>
-        <vertx.version>4.4.5</vertx.version>
+        <vertx.version>4.4.6</vertx.version>
         <httpclient.version>4.5.14</httpclient.version>
         <httpcore.version>4.4.16</httpcore.version>
         <httpasync.version>4.1.5</httpasync.version>

docs/src/main/asciidoc/resteasy-reactive.adoc

@@ -16,7 +16,7 @@ include::_attributes.adoc[]
 :httpspec: https://tools.ietf.org/html/rfc7231
 :jsonpapi: https://javadoc.io/doc/jakarta.json/jakarta.json-api/2.1.2/jakarta.json
 :injectapi: https://javadoc.io/static/jakarta.inject/jakarta.inject-api/2.0.1/jakarta.inject
-:vertxapi: https://javadoc.io/static/io.vertx/vertx-core/4.4.5
+:vertxapi: https://javadoc.io/static/io.vertx/vertx-core/4.4.6
 :resteasy-reactive-api: https://javadoc.io/doc/io.quarkus.resteasy.reactive/resteasy-reactive/{quarkus-version}
 :resteasy-reactive-common-api: https://javadoc.io/doc/io.quarkus.resteasy.reactive/resteasy-reactive-common/{quarkus-version}
 

extensions/reactive-pg-client/deployment/src/test/java/io/quarkus/reactive/pg/client/MoneyTest.java

@@ -0,0 +1,26 @@
+package io.quarkus.reactive.pg.client;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.math.BigDecimal;
+
+import org.junit.jupiter.api.Test;
+
+import io.vertx.pgclient.data.Money;
+
+/**
+ * Reproduce <a href="https://github.com/quarkusio/quarkus/issues/36144">PG Reactive Client: Cannot create Money value in Range
+ * (-1.00, 0.00)</a>.
+ */
+public class MoneyTest {
+
+    @Test
+    void testMoney() {
+        Money money = new Money(new BigDecimal("-1.11"));
+        assertEquals(BigDecimal.valueOf(-1.11), money.bigDecimalValue());
+
+        money = new Money(new BigDecimal("-0.11"));
+        assertEquals(BigDecimal.valueOf(-0.11), money.bigDecimalValue());
+    }
+
+}

extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/EmptyHostTest.java

@@ -0,0 +1,46 @@
+package io.quarkus.vertx.http;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.event.Observes;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+import io.restassured.RestAssured;
+import io.vertx.ext.web.Router;
+
+/**
+ * Reproduce <a href="https://github.com/quarkusio/quarkus/issues/36234">NullPointerException for request with empty Host
+ * header</a>.
+ */
+public class EmptyHostTest {
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(BeanRegisteringRouteUsingObserves.class));
+
+    @Test
+    public void testWithEmptyHost() {
+        assertEquals(RestAssured
+                .given()
+                .header("Host", "")
+                .get("/hello")
+                .asString(), "Hello World! ");
+
+    }
+
+    @ApplicationScoped
+    static class BeanRegisteringRouteUsingObserves {
+
+        public void register(@Observes Router router) {
+
+            router.route("/hello").handler(ctx -> ctx.response().end("Hello World! " + ctx.request().host()));
+        }
+
+    }
+
+}

extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/http2/Http2RSTFloodProtectionConfigTest.java

@@ -0,0 +1,105 @@
+package io.quarkus.vertx.http.http2;
+
+import static io.vertx.core.http.HttpMethod.GET;
+import static org.junit.jupiter.api.Assertions.fail;
+
+import java.io.File;
+import java.net.URL;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.event.Observes;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Assumptions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+import io.quarkus.test.common.http.TestHTTPResource;
+import io.quarkus.vertx.core.runtime.VertxCoreRecorder;
+import io.vertx.core.http.HttpClient;
+import io.vertx.core.http.HttpClientOptions;
+import io.vertx.core.http.HttpClientRequest;
+import io.vertx.core.http.HttpVersion;
+import io.vertx.core.net.JdkSSLEngineOptions;
+import io.vertx.ext.web.Router;
+
+/**
+ * Configuration of the RST flood protection (CVE-2023-44487)
+ */
+public class Http2RSTFloodProtectionConfigTest {
+
+    @TestHTTPResource(value = "/ping", ssl = true)
+    URL sslUrl;
+
+    @TestHTTPResource(value = "/ping")
+    URL url;
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(MyBean.class)
+                    .addAsResource(new File("src/test/resources/conf/ssl-jks-rst-flood-protection.conf"),
+                            "application.properties")
+                    .addAsResource(new File("src/test/resources/conf/server-keystore.jks"), "server-keystore.jks"));
+
+    @Test
+    void testRstFloodProtectionWithTlsEnabled() throws Exception {
+        Assumptions.assumeTrue(JdkSSLEngineOptions.isAlpnAvailable()); //don't run on JDK8
+        HttpClientOptions options = new HttpClientOptions()
+                .setUseAlpn(true)
+                .setProtocolVersion(HttpVersion.HTTP_2)
+                .setSsl(true)
+                .setTrustAll(true);
+
+        var client = VertxCoreRecorder.getVertx().get().createHttpClient(options);
+        int port = sslUrl.getPort();
+        run(client, port, false);
+    }
+
+    @Test
+    public void testRstFloodProtection() throws InterruptedException {
+        HttpClientOptions options = new HttpClientOptions()
+                .setProtocolVersion(HttpVersion.HTTP_2)
+                .setHttp2ClearTextUpgrade(true);
+        var client = VertxCoreRecorder.getVertx().get().createHttpClient(options);
+        run(client, url.getPort(), true);
+    }
+
+    void run(HttpClient client, int port, boolean plain) throws InterruptedException {
+        CountDownLatch latch = new CountDownLatch(1);
+        client.connectionHandler(conn -> conn.goAwayHandler(ga -> {
+            Assertions.assertEquals(11, ga.getErrorCode());
+            latch.countDown();
+        }));
+
+        if (plain) {
+            // Emit a first request to establish a connection.
+            // It's HTTP/1 so, does not count in the number of requests.
+            client.request(GET, port, "localhost", "/ping")
+                    .compose(HttpClientRequest::send);
+        }
+
+        for (int i = 0; i < 20; i++) {
+            client.request(GET, port, "localhost", "/ping")
+                    .onSuccess(req -> req.end().onComplete(v -> req.reset()));
+        }
+
+        if (!latch.await(10, TimeUnit.SECONDS)) {
+            fail("RST flood protection failed");
+        }
+    }
+
+    @ApplicationScoped
+    public static class MyBean {
+
+        public void register(@Observes Router router) {
+            router.get("/ping").handler(rc -> {
+                // Do nothing.
+            });
+        }
+
+    }
+}

extensions/vertx-http/deployment/src/test/resources/conf/ssl-jks-rst-flood-protection.conf

@@ -0,0 +1,6 @@
+
+quarkus.http.ssl.certificate.key-store-file=server-keystore.jks
+quarkus.http.ssl.certificate.key-store-password=secret
+
+ quarkus.http.limits.rst-flood-max-rst-frame-per-window=10
+ quarkus.http.limits.rst-flood-window-duration=10s

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/ServerLimitsConfig.java

@@ -1,5 +1,6 @@
 package io.quarkus.vertx.http.runtime;
 
+import java.time.Duration;
 import java.util.Optional;
 import java.util.OptionalInt;
 import java.util.OptionalLong;
@@ -86,4 +87,20 @@ public class ServerLimitsConfig {
     @ConfigItem
     public OptionalLong maxHeaderListSize;
 
+    /**
+     * Set the max number of RST frame allowed per time window, this is used to prevent
+     * <a href="https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p">HTTP/2 RST frame flood DDOS
+     * attacks</a>. The default value is {@code 200}, setting zero or a negative value, disables flood protection.
+     */
+    @ConfigItem
+    public OptionalInt rstFloodMaxRstFramePerWindow;
+
+    /**
+     * Set the duration of the time window when checking the max number of RST frames, this is used to prevent
+     * <a href="https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p">HTTP/2 RST frame flood DDOS
+     * attacks</a>.. The default value is {@code 30 s}, setting zero or a negative value, disables flood protection.
+     */
+    @ConfigItem
+    public Optional<Duration> rstFloodWindowDuration;
+
 }

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/options/HttpServerOptionsUtils.java

@@ -275,6 +275,18 @@ public static void applyCommonOptions(HttpServerOptions httpServerOptions,
                 settings.setMaxHeaderListSize(httpConfiguration.limits.maxHeaderListSize.getAsLong());
             }
             httpServerOptions.setInitialSettings(settings);
+
+            // RST attack protection - https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p
+            if (httpConfiguration.limits.rstFloodMaxRstFramePerWindow.isPresent()) {
+                httpServerOptions
+                        .setHttp2RstFloodMaxRstFramePerWindow(httpConfiguration.limits.rstFloodMaxRstFramePerWindow.getAsInt());
+            }
+            if (httpConfiguration.limits.rstFloodWindowDuration.isPresent()) {
+                httpServerOptions.setHttp2RstFloodWindowDuration(
+                        (int) httpConfiguration.limits.rstFloodWindowDuration.get().toSeconds());
+                httpServerOptions.setHttp2RstFloodWindowDurationTimeUnit(TimeUnit.SECONDS);
+            }
+
         }
 
         httpServerOptions.setUseProxyProtocol(httpConfiguration.proxy.useProxyProtocol);

independent-projects/resteasy-reactive/pom.xml

@@ -63,7 +63,7 @@
         <version.surefire.plugin>3.1.2</version.surefire.plugin>
         <mutiny.version>2.5.1</mutiny.version>
         <smallrye-common.version>2.1.2</smallrye-common.version>
-        <vertx.version>4.4.5</vertx.version>
+        <vertx.version>4.4.6</vertx.version>
         <rest-assured.version>5.3.2</rest-assured.version>
         <commons-logging-jboss-logging.version>1.0.0.Final</commons-logging-jboss-logging.version>
         <jackson-bom.version>2.15.2</jackson-bom.version>