Andy LoPresto created NIFI-4202:
-----------------------------------
Summary: Add setRequestHeaderSize to restrict incoming request headers
Key: NIFI-4202
URL: https://issues.apache.org/jira/browse/NIFI-4202
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Affects Versions: 0.7.4, 1.3.0
Reporter: Andy LoPresto
As reported on the mailing list, when NiFi is running in unsecured mode (HTTP),
a request can be intercepted (or can simply be a malicious request at origin) and
have a very large request header injected, which can result in Jetty throwing an
{{OutOfMemoryError}}.
This was reported with reference to the {{NCM}}, which indicates a {{0.x}}
release. Normal HTTP requests to the API fail with HTTP response {{413}} -
{{Request Entity Too Large}}, so the unbounded allocation may only affect
cluster (node-to-node) operations; further investigation is needed.
The {{setRequestHeaderSize}} method [1] on Jetty's {{HttpConfiguration}} should
allow this issue to be prevented by bounding the header buffer before the
request is parsed.
(IP address redacted)
{code}
2017-03-07 03:44:03,522 WARN [NiFi Web Server-22]
o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for
[id=99a65e79-b856-4e43-9056-1451714498fc, apiAddress=w.x.y.z,
apiPort=38484, socketAddress=w.x.y.z, socketPort=39494,
siteToSiteAddress=w.x.y.z, siteToSitePort=null] encountered
exception: java.util.concurrent.ExecutionException:
java.lang.OutOfMemoryError: Java heap space
{code}
[1]
http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/HttpConfiguration.html#setRequestHeaderSize-int-
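The following is an added, stand-alone Jetty 9 example (not NiFi's own {{JettyServer}} code) showing where the {{setRequestHeaderSize}} call from [1] sits: the limit is applied to the {{HttpConfiguration}} of the connector, so Jetty rejects an oversized request line or header set during parsing (the ticket reports a {{413}}; the exact 4xx status depends on the Jetty version) rather than buffering it into the heap. The class name, the port and the {{MAX_HEADER_BYTES}} value are assumptions for illustration; 8 KiB is Jetty's documented default.

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Hypothetical minimal Jetty 9 server whose connector bounds the size of the
 * request line plus headers. Illustrative example, not NiFi project code.
 */
public class BoundedHeaderServer {

    // Assumed limit for this example; 8 KiB is Jetty's default requestHeaderSize.
    static final int MAX_HEADER_BYTES = 8 * 1024;

    /** Builds an HttpConfiguration that caps the header buffer at maxHeaderBytes. */
    static HttpConfiguration boundedHttpConfiguration(int maxHeaderBytes) {
        HttpConfiguration config = new HttpConfiguration();
        // Jetty stops parsing and answers with an error status once the request
        // line and headers exceed this many bytes, so no larger buffer is allocated.
        config.setRequestHeaderSize(maxHeaderBytes);
        return config;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // The limit lives in the connection factory, i.e. it is enforced per
        // connector before any handler or NiFi API code sees the request.
        ServerConnector connector = new ServerConnector(server,
                new HttpConnectionFactory(boundedHttpConfiguration(MAX_HEADER_BYTES)));
        connector.setPort(8080); // assumed port for the example
        server.addConnector(connector);

        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request,
                               HttpServletResponse response) throws IOException {
                // Only requests whose headers fit within the bound reach this point.
                response.setStatus(HttpServletResponse.SC_OK);
                response.setContentType("text/plain");
                response.getWriter().println("ok");
                baseRequest.setHandled(true);
            }
        });

        server.start();
        server.join();
    }
}
```

When choosing the bound, size it for the largest legitimate header set the deployment expects (long cookies, bearer tokens or client certificates forwarded as headers can exceed 8 KiB), and apply the same configuration to every connector, since each {{ServerConnector}} carries its own {{HttpConfiguration}}.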
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)