[https://issues.apache.org/jira/browse/NIFI-5374?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16532128#comment-16532128]
Andy LoPresto commented on NIFI-5374:
-------------------------------------
My only other comment is that when a malicious user attempts to send many
malformed requests, the application log can grow quickly because the complete
stacktrace is present every time. The complete malicious string is also not
logged. Perhaps this will need to be addressed in the future, but this patch
fixes the disclosure of stacktraces via the HTTP response.
{code}
2018-07-03 18:12:41,852 ERROR [NiFi Web Server-23] o.apache.nifi.web.filter.ExceptionFilter Exception caught by ExceptionFilter: org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
    at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:140)
    at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:120)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:193)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
    at org.apache.nifi.web.filter.TimerFilter.doFilter(TimerFilter.java:51)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
    at org.apache.nifi.web.filter.ExceptionFilter.doFilter(ExceptionFilter.java:48)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1613)
    at org.apache.nifi.web.server.JettyServer$2.doFilter(JettyServer.java:1042)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:541)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1593)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1239)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:481)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1562)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1141)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:118)
    at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:561)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:564)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
    at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:122)
    at org.eclipse.jetty.util.thread.strategy.ExecutingExecutionStrategy.invoke(ExecutingExecutionStrategy.java:58)
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:201)
    at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:133)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:672)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:590)
    at java.lang.Thread.run(Thread.java:745)
{code}
> Suppress stacktrace being returned to remote client when using NiFi REST API
> ----------------------------------------------------------------------------
>
> Key: NIFI-5374
> URL: https://issues.apache.org/jira/browse/NIFI-5374
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.7.0
> Reporter: Nathan Gough
> Assignee: Nathan Gough
> Priority: Minor
> Labels: filter, stacktrace, suppress
> Attachments: image001.png
>
>
> When a remote user attempts to use an endpoint with a malicious string, Jetty
> will return a full stacktrace of the error. This provides the remote user
> with excess information that can be used when attempting to manipulate a
> system.
> !image001.png!
> This stacktrace should be logged only to the nifi-app.log and the stacktrace
> suppressed before returning a 500 error to the user.
--
This message was sent by Atlassian JIRA (v7.6.3#76005)
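The pattern the issue asks for (log the exception server-side, return a generic 500 to the client) together with the log-volume point raised in the comment above, as an added example that is not NiFi's ExceptionFilter or any code from this ticket: a hypothetical outermost servlet filter for Jetty 9 / Spring Security. The class name, the decision to answer a StrictHttpFirewall rejection with 400 rather than 500, and the WARN/DEBUG split are my choices.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.web.firewall.RequestRejectedException;

// Hypothetical outermost filter (not NiFi's ExceptionFilter): whatever is thrown
// further down the chain is logged server-side; the client only gets a generic body.
public class GenericErrorFilter implements Filter {
    private static final Logger logger = LoggerFactory.getLogger(GenericErrorFilter.class);

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        try {
            chain.doFilter(request, response);
        } catch (RequestRejectedException e) {
            // StrictHttpFirewall rejected the URL. Its message already names the offending
            // character, so one WARN line without the trace keeps the log from growing by a
            // full stacktrace per malformed request; the raw URI goes to DEBUG for investigation.
            logger.warn("Request from {} rejected by firewall: {}", req.getRemoteAddr(), e.getMessage());
            logger.debug("Rejected URI: {}", req.getRequestURI());
            respond(resp, HttpServletResponse.SC_BAD_REQUEST);
        } catch (Exception e) {
            // Anything unexpected: full stacktrace to the application log only, never to the client.
            logger.error("Unhandled exception for {} {}", req.getMethod(), req.getRequestURI(), e);
            respond(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

    // Generic response that carries no exception class, message or stack frame.
    private static void respond(HttpServletResponse resp, int status) throws IOException {
        if (resp.isCommitted()) {
            return; // status already on the wire; the stacktrace still never reaches the client
        }
        resp.reset();
        resp.setStatus(status);
        resp.setContentType("text/plain");
        resp.getWriter().write("An error occurred while processing the request.");
    }
}
```

Register it ahead of the other filters so it wraps the whole chain: an exception that escapes the filter chain is handled by Jetty's default ErrorHandler, which renders the stacktrace in its error page unless showStacks is turned off.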