[ https://issues.apache.org/jira/browse/NIFI-14209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17924235#comment-17924235 ]
ASF subversion and git services commented on NIFI-14209:
--------------------------------------------------------
Commit ae5a77b84f5c7e5e51e85e99f1d40079dbdee5f1 in nifi's branch refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=ae5a77b84f ]

NIFI-14209 Restructured Host Header Validation (#9680)

- Replaced HostHeaderHandler with HostPortValidatorCustomizer
- Jetty SecureRequestCustomizer enforces host validation for SNI with Server Certificate DNS Subject Alternative Names
- Added tests for TLS SNI with invalid host and port values
- Refactored and streamlined RequestUriBuilder.fromHttpServletRequest()
> NullPointerException in HostHeaderHandler for Invalid Host Values
> -----------------------------------------------------------------
>
> Key: NIFI-14209
> URL: https://issues.apache.org/jira/browse/NIFI-14209
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 2.2.0
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The {{HostHeaderHandler}} in the framework Jetty Server provides input validation for the HTTP {{Host}} Header, verifying that it matches an allowed value based on machine addresses and configured proxy host properties.
>
> Jetty 12 implements Host header checking as part of TLS Server Name Indication processing, returning an HTTP 400 response when the Host header does not match a server address and a Subject Alternative Name on the server certificate. In cases where the server certificate has a valid SAN, but the SAN address is not the same as the machine address or configured as an allowed proxy host, the {{HostHeaderHandler}} attempts to return an error message to the HTTP client, but throws a {{NullPointerException}} for the response stream.
>
> The {{HostHeaderHandler}} implementation should be revisited in light of Jetty 12 TLS Server Name Indication behavior to ensure the configuration aligns. With Jetty 12 requiring a Subject Alternative Name for the server certificate, the {{HostHeaderHandler}} may no longer need to perform the same functions, and the nifi.web.proxy.host property may be an unnecessary check for addresses listed on the server certificate.
> {noformat}
> WARN [NiFi Web Server-51] o.a.nifi.web.server.HostHeaderHandler Request URI [https://cube-1/] Host Header [cube-1] not valid
> WARN [NiFi Web Server-51] org.eclipse.jetty.server.Response writeError: status=500, message=java.lang.NullPointerException: Cannot invoke "java.io.PrintWriter.println(String)" because "out" is null, response=ErrorResponse@7c3989e8{500,GET@33bab0c9 https://localhost/ HTTP/2.0}
> java.lang.NullPointerException: Cannot invoke "java.io.PrintWriter.println(String)" because "out" is null
>     at org.apache.nifi.web.server.HostHeaderHandler.handle(HostHeaderHandler.java:192)
>     at org.eclipse.jetty.server.Handler$Sequence.handle(Handler.java:805)
>     at org.eclipse.jetty.server.Server.handle(Server.java:182)
>     at org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:662)
>     at org.eclipse.jetty.util.thread.Invocable$ReadyTask.run(Invocable.java:175)
>     at org.eclipse.jetty.http2.server.internal.HttpStreamOverHTTP2$1.run(HttpStreamOverHTTP2.java:135)
>     at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:480)
>     at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:443)
>     at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293)
>     at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.produce(AdaptiveExecutionStrategy.java:195)
>     at org.eclipse.jetty.http2.HTTP2Connection.produce(HTTP2Connection.java:209)
>     at org.eclipse.jetty.http2.server.internal.HTTP2ServerConnection.onOpen(HTTP2ServerConnection.java:116)
>     at org.eclipse.jetty.io.AbstractEndPoint.upgrade(AbstractEndPoint.java:435)
>     at org.eclipse.jetty.server.NegotiatingServerConnection.onFillable(NegotiatingServerConnection.java:125)
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:322)
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
>     at org.eclipse.jetty.io.ssl.SslConnection$SslEndPoint.onFillable(SslConnection.java:575)
>     at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:390)
>     at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:150)
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
>     at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:979)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1209)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1164)
>     at java.base/java.lang.Thread.run(Thread.java:1583)
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
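The issue description above contrasts two layers of Host header validation: the old HostHeaderHandler accepted only machine addresses and nifi.web.proxy.host entries, while Jetty 12 accepts any name carried as a DNS Subject Alternative Name on the server certificate, so a name such as cube-1 that is on the certificate but not in the allow-list was rejected by the handler (and the rejection path then crashed). The commit also mentions tests for invalid host and port values. The Python below is an added illustration of that combined check and is not NiFi or Jetty code: ALLOWED_HOSTS, CERT_DNS_SANS and every Host value it feeds in are constructed sample data, and the parsing and wildcard rules follow RFC 7230 (uri-host [ ":" port ]) and RFC 6125 (wildcard only as the whole left-most label) rather than any specific Jetty implementation.

```python
"""Model of HTTP Host header validation against a server certificate's DNS
Subject Alternative Names plus a machine-address / proxy-host allow-list.

Added illustration for NIFI-14209, not NiFi or Jetty code.  ALLOWED_HOSTS,
CERT_DNS_SANS and all Host values used below are constructed sample data.
"""
import ipaddress
import re
from typing import Iterable, Optional, Tuple

# Constructed: the machine's own addresses plus nifi.web.proxy.host style
# entries (which may carry a port), and the DNS SANs on the server
# certificate.  "cube-1" is on the certificate but not in the allow-list,
# the situation the issue describes.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1", "nifi.example.internal:8443"}
CERT_DNS_SANS = {"localhost", "cube-1", "*.example.internal"}

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Split a Host header into (host, port) per RFC 7230 uri-host [ ":" port ].

    Raises ValueError for anything malformed (empty value, bad DNS labels,
    unbracketed IPv6, non-numeric or out-of-range port) so the caller can
    answer 400 up front instead of failing while writing an error page.
    """
    value = value.strip().lower()
    if not value:
        raise ValueError("empty Host header")
    if value.startswith("["):                       # bracketed IPv6 literal
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
        ipaddress.IPv6Address(host)                 # ValueError if not IPv6
    else:
        host, _, rest = value.partition(":")
        if ":" in rest:
            raise ValueError("unbracketed IPv6 literal or extra ':'")
        if rest:
            rest = ":" + rest
        labels = host.rstrip(".").split(".")
        if not is_ip_literal(host) and not all(_LABEL.match(l) for l in labels):
            raise ValueError(f"invalid host name {host!r}")
        host = host.rstrip(".")
    if not rest:
        return host, None
    if not rest.startswith(":") or not rest[1:].isdigit():
        raise ValueError(f"invalid port {rest[1:]!r}")
    port = int(rest[1:])
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return host, port


def hostname_matches_san(host: str, san: str) -> bool:
    """RFC 6125 style dNSName comparison: case-insensitive, wildcard only as
    the whole left-most label and matching exactly one label, never an IP."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if is_ip_literal(host):
        return False            # IPs belong to iPAddress SANs, not dNSName
    if san.startswith("*."):
        h, s = host.split("."), san.split(".")
        return len(h) == len(s) and h[1:] == s[1:]
    return host == san


def in_allow_list(host: str, port: Optional[int], allowed: Iterable[str]) -> bool:
    """Allow-list check as the old handler did it: the host, or host:port for
    proxy entries that carry a port, must appear exactly."""
    allowed = {a.lower() for a in allowed}
    if host in allowed:
        return True
    return port is not None and (f"{host}:{port}" in allowed or f"[{host}]:{port}" in allowed)


def validate_host_header(value: str,
                         allowed: Iterable[str] = ALLOWED_HOSTS,
                         cert_sans: Iterable[str] = CERT_DNS_SANS) -> Tuple[bool, str]:
    """Accept a Host header naming this machine, a configured proxy host, or a
    DNS SAN on the server certificate; reject everything else with a reason."""
    try:
        host, port = parse_host_header(value)
    except ValueError as exc:
        return False, f"malformed Host header: {exc}"
    if in_allow_list(host, port, allowed):
        return True, "matches machine address or configured proxy host"
    if any(hostname_matches_san(host, san) for san in cert_sans):
        return True, "matches server certificate DNS SAN"
    return False, f"{host!r} is neither an allowed host nor on the server certificate"


if __name__ == "__main__":
    for hdr in ["cube-1", "localhost:8443", "app.example.internal", "[::1]:8443",
                "deep.app.example.internal", "::1", "cube-1:99999", "cube-1:abc"]:
        ok, why = validate_host_header(hdr)
        print(f"{hdr!r:30} {'accept' if ok else 'reject'}: {why}")
```

Run as a script it prints one decision per constructed Host value; `in_allow_list("cube-1", None, ALLOWED_HOSTS)` alone returns False, which is the rejection the log excerpt in the issue shows, while `validate_host_header("cube-1")` accepts it through the certificate SAN. Malformed values (unbracketed IPv6, a port of 99999, a non-numeric port, a wildcard in the host) are turned into a reason string before any matching happens, which is the point at which a handler would send 400 rather than reach the error-writing path that threw the NullPointerException.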