RE: Re: controlling the max form size to protect against DoS attacks

2012-11-26 Thread Shaun Senecal
For anyone else who comes across this later: the solution was as Thierry 
suggested; however, we needed to use a custom BoundedInputStream which would 
throw a ResourceException when the max length was exceeded.

import java.io.IOException;
import java.io.InputStream;

import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.Header;
import org.restlet.data.Status;
import org.restlet.engine.header.HeaderUtils; // Restlet 2.1 package; 2.0 uses org.restlet.engine.http.header
import org.restlet.engine.io.BioUtils;
import org.restlet.representation.Representation;
import org.restlet.routing.Filter;
import org.restlet.util.Series;
import org.restlet.util.WrapperRepresentation;

// Upper bound on an accepted request body, in bytes; the value is yours to pick.
final long MAX_CONTENTS_LENGTH = 1024L * 1024;

Filter filter = new Filter(getContext(), router) {
    @Override
    protected int beforeHandle(Request request, Response response) {
        // Early reject when the client declares an oversized body up front.
        @SuppressWarnings("unchecked")
        Series<Header> headers = (Series<Header>)
                request.getAttributes().get("org.restlet.http.headers");
        long length = HeaderUtils.getContentLength(headers);
        if (length != Representation.UNKNOWN_SIZE && length > MAX_CONTENTS_LENGTH) {
            // Report the error to the client (413 is the matching HTTP status).
            response.setStatus(Status.CLIENT_ERROR_REQUEST_ENTITY_TOO_LARGE);
            return STOP;
        }

        // Content-Length may be absent (chunked) or wrong, so also bound the
        // stream itself while the body is actually read.
        if (request.isEntityAvailable()) {
            request.setEntity(new WrapperRepresentation(request.getEntity()) {
                @Override
                public InputStream getStream() throws IOException {
                    InputStream result = super.getStream();
                    if (result != null) {
                        // Our own BoundedInputStream (not the commons-io one):
                        // it throws ResourceException when the limit is exceeded.
                        result = new BoundedInputStream(result, MAX_CONTENTS_LENGTH);
                    }
                    return result;
                }

                @Override
                public String getText() throws IOException {
                    return BioUtils.toString(getStream(), getCharacterSet());
                }
            });
        }

        return super.beforeHandle(request, response);
    }
};

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3031171


RE: Re: controlling the max form size to protect against DoS attacks

2012-11-25 Thread Shaun Senecal
Thanks, we'll give that a try.  Silently preventing reading the extra bytes 
will be an issue for us, but perhaps we can just roll our own so that an error 
is returned.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3030884


Re: controlling the max form size to protect against DoS attacks

2012-11-22 Thread Thierry Boileau
Hello Shaun,

I've entered a new issue for that:
https://github.com/restlet/restlet-framework-java/issues/687.
It is related to this one:
https://github.com/restlet/restlet-framework-java/issues/67

I think the idea is to wrap the stream of the Representation in order
to count the number of read bytes.
You can, for example, use a Filter set up in front of the root Restlet of the
Restlet-based application.
This sample code leverages the BoundedInputStream class (of
org.apache.commons.io), which silently (which may not be convenient for
you) prevents reading extra bytes.

import java.io.IOException;
import java.io.InputStream;

import org.apache.commons.io.input.BoundedInputStream;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.engine.io.BioUtils;
import org.restlet.routing.Filter;
import org.restlet.routing.Router;
import org.restlet.util.WrapperRepresentation;

@Override
public Restlet createInboundRoot() {
    Router router = new Router(getContext());
    [... definition of the router]

    // filter the root router.
    Filter filter = new Filter(getContext(), router) {
        @Override
        protected int beforeHandle(Request request, Response response) {
            if (request.isEntityAvailable()) {
                request.setEntity(new WrapperRepresentation(request.getEntity()) {
                    @Override
                    public InputStream getStream() throws IOException {
                        InputStream result = super.getStream();
                        if (result != null) {
                            // 2 bytes is only a demo limit; commons-io's
                            // BoundedInputStream returns EOF at the limit
                            // without signalling an error.
                            result = new BoundedInputStream(result, 2);
                        }
                        return result;
                    }

                    @Override
                    public String getText() throws IOException {
                        return BioUtils.toString(getStream(), getCharacterSet());
                    }
                });
            }
            return super.beforeHandle(request, response);
        }
    };
    return filter;
}

I'm not sure it will be easy to inherit from HttpServerHelper, and I'm not
sure the property "maxFormContentSize" can be used in this context.

Best regards,
Thierry Boileau

> Hi,
>
> Does Restlet expose a way to reject incoming requests which are too large?
>  We are using Restlet on Jetty, and Jetty exposes this feature via the
> maxFormContentSize property (
> http://wiki.eclipse.org/Jetty/Howto/Configure_Form_Size), but I can't find
> a way to set this through Restlet.
>
> Do I have to create an extension to HttpServerHelper that overrides
> configure() to do this?
>
> --
>
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3029864
>

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3030179
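Thierry's filter above installs a byte-bounding wrapper, and Shaun's follow-up at the top of the thread notes that commons-io's BoundedInputStream truncates silently, so they wrote their own that throws. The class below is an added example of such a fail-closed stream, written for this page and not taken from the thread or from Restlet; the name LimitedInputStream, the 8-byte demo limit and the two constructed sample bodies are ours. On overflow it throws Restlet's ResourceException carrying the existing 413 status, which is what the getStream()/getText() wrapper in the filter would propagate. One caveat worth keeping in mind: the Content-Length check alone is not enforcement, since a chunked request carries no Content-Length and a client can simply lie about it, so the counting wrapper is the real limit and the header check is only an early reject.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.restlet.data.Status;
import org.restlet.resource.ResourceException;

/**
 * Fail-closed alternative to commons-io BoundedInputStream: instead of
 * returning EOF at the limit, it throws as soon as more than maxBytes would
 * be consumed, so a handler never treats a truncated body as complete.
 * (Added example; name and limits are assumptions, not Restlet API.)
 */
public final class LimitedInputStream extends FilterInputStream {
    private final long maxBytes;
    private long consumed;

    public LimitedInputStream(InputStream in, long maxBytes) {
        super(in);
        if (maxBytes < 0) throw new IllegalArgumentException("maxBytes < 0");
        this.maxBytes = maxBytes;
    }

    // Count bytes handed to the caller; ResourceException is unchecked, so it
    // can surface from read() without changing InputStream's signature.
    private void account(long n) {
        if (n <= 0) return;
        consumed += n;
        if (consumed > maxBytes) {
            throw new ResourceException(Status.CLIENT_ERROR_REQUEST_ENTITY_TOO_LARGE,
                    "request body exceeds " + maxBytes + " bytes");
        }
    }

    @Override
    public int read() throws IOException {
        int b = in.read();
        if (b != -1) account(1);
        return b;
    }

    @Override
    public int read(byte[] buf, int off, int len) throws IOException {
        // Ask the wrapped stream for at most (remaining budget + 1) bytes, so an
        // oversized chunked body is rejected on the first byte past the limit
        // rather than after a large buffer has been filled.
        long budget = maxBytes - consumed + 1;
        int n = in.read(buf, off, (int) Math.min(len, budget));
        if (n > 0) account(n);
        return n;
    }

    @Override
    public long skip(long n) throws IOException {
        long skipped = in.skip(Math.min(n, maxBytes - consumed + 1));
        account(skipped);
        return skipped;
    }

    @Override
    public boolean markSupported() { return false; }

    /** Reads a stream to the end with a small buffer so the limit is crossed mid-read. */
    static String readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4];
        int n;
        while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        return new String(out.toByteArray(), StandardCharsets.US_ASCII);
    }

    /** Demonstration on constructed input (not from the thread). */
    public static void main(String[] args) throws IOException {
        byte[] small = "hello".getBytes(StandardCharsets.US_ASCII);                  // 5 bytes
        byte[] large = "this body is too large".getBytes(StandardCharsets.US_ASCII); // 22 bytes

        // Within the 8-byte limit: the body is returned intact.
        System.out.println(readAll(new LimitedInputStream(new ByteArrayInputStream(small), 8)));

        // Over the limit: the 9th byte triggers the exception, nothing is silently dropped.
        try {
            readAll(new LimitedInputStream(new ByteArrayInputStream(large), 8));
            System.out.println("unexpected: oversized body accepted");
        } catch (ResourceException e) {
            System.out.println("rejected: " + e.getStatus());
        }
    }
}
```

To use it in the thread's filter, substitute `new LimitedInputStream(result, MAX_CONTENTS_LENGTH)` for the BoundedInputStream call inside getStream(); the exception then propagates out of getText() or any resource reading the stream, and Restlet turns it into the 413 response.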

controlling the max form size to protect against DoS attacks

2012-11-20 Thread Shaun Senecal
Hi,

Does Restlet expose a way to reject incoming requests which are too large?  We 
are using Restlet on Jetty, and Jetty exposes this feature via the 
maxFormContentSize property 
(http://wiki.eclipse.org/Jetty/Howto/Configure_Form_Size), but I can't find a 
way to set this through Restlet.

Do I have to create an extension to HttpServerHelper that overrides configure() 
to do this?

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3029864