[NIFI-4202] Add setRequestHeaderSize to restrict incoming request headers - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.3.0, 0.7.4
Fix Version/s: 1.5.0
Component/s: Core Framework
Labels:
- http
- jetty
- security

Description

As reported on the mailing list, when NiFi is running in unsecured mode (HTTP), a request can be intercepted (or simply be a malicious request from origin) and have a large request header injected, which can result in Jetty throwing an OutOfMemoryError.

This was reported with reference to the NCM, which indicates a 0.x release. Normal HTTP requests to the API will fail with HTTP response 413 - Request Entity Too Large. Further investigation is needed as this may only be related to cluster operations.

The setRequestHeaderSize method [1] should allow for prevention of this issue.

(IP address redacted)

2017-03-07 03:44:03,522 WARN [NiFi Web Server-22]
o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for
[id=99a65e79-b856-4e43-9056-1451714498fc, apiAddress=w.x.y.z,
apiPort=38484, socketAddress=w.x.y.z, socketPort=39494,
siteToSiteAddress=w.x.y.z, siteToSitePort=null] encountered
exception: java.util.concurrent.ExecutionException:
java.lang.OutOfMemoryError: Java heap space

[1] http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/HttpConfiguration.html#setRequestHeaderSize-int-