[ https://issues.apache.org/jira/browse/NIFI-4202?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Handermann resolved NIFI-4202.
------------------------------------
    Fix Version/s: 1.5.0
         Assignee: Matt Burgess  (was: David Handermann)
       Resolution: Fixed

> Add setRequestHeaderSize to restrict incoming request headers
> -------------------------------------------------------------
>
>                 Key: NIFI-4202
>                 URL: https://issues.apache.org/jira/browse/NIFI-4202
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.3.0, 0.7.4
>            Reporter: Andy LoPresto
>            Assignee: Matt Burgess
>            Priority: Major
>              Labels: http, jetty, security
>             Fix For: 1.5.0
>
>         Attachments: Screen Shot 2017-07-18 at 1.02.52 PM.png, Screen Shot 
> 2017-07-18 at 1.02.56 PM.png, Screen Shot 2017-07-18 at 12.56.58 PM.png, 
> Screen Shot 2017-07-18 at 12.57.08 PM.png
>
>
> As reported on the mailing list, when NiFi is running in unsecured mode 
> (HTTP), a request can be intercepted (or simply be a malicious request from 
> origin) and have a large request header injected, which can result in Jetty 
> throwing an {{OutOfMemoryError}}. 
> This was reported with reference to the {{NCM}}, which indicates a {{0.x}} 
> release. Normal HTTP requests to the API will fail with HTTP response {{413}} 
> - {{Request Entity Too Large}}. Further investigation is needed as this may 
> only be related to cluster operations. 
> The {{setRequestHeaderSize}} method [1] should allow for prevention of this 
> issue. 
> (IP address redacted)
> {code}
> 2017-03-07 03:44:03,522 WARN [NiFi Web Server-22]
> o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for
> [id=99a65e79-b856-4e43-9056-1451714498fc, apiAddress=w.x.y.z,
> apiPort=38484, socketAddress=w.x.y.z, socketPort=39494,
> siteToSiteAddress=w.x.y.z, siteToSitePort=null] encountered
> exception: java.util.concurrent.ExecutionException:
> java.lang.OutOfMemoryError: Java heap space
> {code}
> [1] 
> http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/HttpConfiguration.html#setRequestHeaderSize-int-



--
This message was sent by Atlassian Jira
(v8.20.1#820001)