Posted to dev@guacamole.apache.org by GitBox <gi...@apache.org> on 2021/02/24 21:02:32 UTC

[GitHub] [guacamole-client] mike-jumper opened a new pull request #595: GUACAMOLE-1298: Automatically limit HTTP request size.

mike-jumper opened a new pull request #595:
URL: https://github.com/apache/guacamole-client/pull/595


   This change adds a new configuration property, `api-max-request-size`, which defines the maximum size allowed for REST requests. The property can be set to "0" to remove all limits. By default, the bodies of REST requests will be limited to 2 MB (2097152 bytes).
   
   If a REST method should _never_ be limited (regardless of `api-max-request-size`), it can be annotated with `@RequestSizeFilter.DoNotLimit`. This should only be done for requests that are processed as streams, such as the handler for inbound file transfers (the only location where this annotation is currently used).


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
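
The mechanism described in the pull request description above, as an added sketch in plain Java (not the project's `RequestSizeFilter`, whose enforcement logic is not shown in this thread): the body stream is wrapped so that a read fails once the limit is passed, unless the limit is 0 or the handler carries the exemption annotation. `RequestLimitSketch`, `LimitedInputStream`, `apply`, `updateSettings` and `uploadFile` are hypothetical names, and `DoNotLimit` here is a local stand-in for the PR's annotation.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

/** Added illustration only; not the RequestSizeFilter code from this pull request. */
public class RequestLimitSketch {

    /** Local stand-in for the exemption annotation described in the PR. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface DoNotLimit {}

    /** Fails the read as soon as more than maxBytes have been consumed. */
    static class LimitedInputStream extends FilterInputStream {
        private final long maxBytes;
        private long consumed = 0;
        LimitedInputStream(InputStream in, long maxBytes) {
            super(in);
            this.maxBytes = maxBytes;
        }

        /** Adds n to the running total and rejects the body once over the limit. */
        private void count(long n) throws IOException {
            if (n > 0 && (consumed += n) > maxBytes)
                throw new IOException("Request body exceeds " + maxBytes + " bytes");
        }

        @Override public int read() throws IOException {
            int b = super.read();
            count(b < 0 ? 0 : 1);
            return b;
        }

        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            count(n);
            return n;
        }
    }

    /** Wraps the body unless the limit is 0 (no limit) or the handler is exempt. */
    static InputStream apply(Method handler, InputStream body, long maxBytes) {
        if (maxBytes == 0 || handler.isAnnotationPresent(DoNotLimit.class))
            return body;
        return new LimitedInputStream(body, maxBytes);
    }

    // Hypothetical handlers: the first buffers its body, the second streams it.
    public void updateSettings(InputStream body) {}
    @DoNotLimit public void uploadFile(InputStream body) {}

    public static void main(String[] args) throws Exception {
        long limit = 2097152;                    // default from the PR description
        byte[] body = new byte[3 * 1024 * 1024]; // constructed 3 MB request body
        for (String name : new String[] { "updateSettings", "uploadFile" }) {
            Method m = RequestLimitSketch.class.getMethod(name, InputStream.class);
            try (InputStream in = apply(m, new ByteArrayInputStream(body), limit)) {
                System.out.println(name + ": read " + in.readAllBytes().length + " bytes"); // Java 9+
            } catch (IOException e) {
                System.out.println(name + ": " + e.getMessage());
            }
        }
    }
}
```

Counting bytes as they are read, rather than trusting `Content-Length`, also covers chunked requests that declare no length.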



[GitHub] [guacamole-client] necouchman commented on a change in pull request #595: GUACAMOLE-1298: Automatically limit HTTP request size.

Posted by GitBox <gi...@apache.org>.
necouchman commented on a change in pull request #595:
URL: https://github.com/apache/guacamole-client/pull/595#discussion_r582926223



##########
File path: guacamole/src/main/java/org/apache/guacamole/rest/RequestSizeFilter.java
##########
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.rest;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.ResourceInfo;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.ext.Provider;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.LongGuacamoleProperty;
+
+/**
+ * Filter which restricts REST API requests to a particular maximum size.
+ */
+@Singleton
+@Provider
+public class RequestSizeFilter implements ContainerRequestFilter {
+
+    /**
+     * Informs the RequestSizeFilter to NOT enforce its request size limits on
+     * requests serviced by the annotated method.
+     */
+    @Retention(RetentionPolicy.RUNTIME)
+    @Target(ElementType.METHOD)
+    public static @interface DoNotLimit {}
+
+    /**
+     * The default maximum number of bytes to accept within the entity body of
+     * any particular REST request.
+     */
+    private final long DEFAULT_MAX_REQUEST_SIZE = 2097152;
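
Review bot: The Javadoc on `DoNotLimit` says only that the filter will not enforce its limit on the annotated method; it should also say when that is acceptable, because any REST method carrying the annotation is exempt from this filter whatever `api-max-request-size` is set to. The PR description restricts the annotation to requests that are processed as streams, and that restriction belongs in this comment, where a later contributor adding the annotation will see it. Separately, `DEFAULT_MAX_REQUEST_SIZE` is declared `private final long`, which makes it a per-instance field named like a constant; `private static final long` would match the naming, and writing the value as `2 * 1024 * 1024` would make the 2 MB intent visible.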

Review comment:
       Is there a reason why this size was chosen? I've no issue with it, just curious as to the rationale.

##########
File path: guacamole/src/main/java/org/apache/guacamole/GuacamoleServletContextListener.java
##########
@@ -78,33 +121,47 @@ public void contextInitialized(ServletContextEvent servletContextEvent) {
             throw new RuntimeException(e);
         }
 
+        // NOTE: The superclass implementation of contextInitialized() is
+        // expected invoke getInjector(), hence the need to call AFTER setting
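
Review bot: The ordering requirement described in the added comment (the superclass `contextInitialized()` is expected to invoke `getInjector()`, so the call has to come after the state the comment refers to has been set) is held in place only by this comment. Consider having `getInjector()` fail with a clear error when it is reached before that state exists, so that a later reordering of `contextInitialized()` is caught immediately rather than passing silently.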

Review comment:
       *to invoke







[GitHub] [guacamole-client] necouchman commented on a change in pull request #595: GUACAMOLE-1298: Automatically limit HTTP request size.

Posted by GitBox <gi...@apache.org>.
necouchman commented on a change in pull request #595:
URL: https://github.com/apache/guacamole-client/pull/595#discussion_r583300239



##########
File path: guacamole/src/main/java/org/apache/guacamole/rest/RequestSizeFilter.java
##########
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.rest;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.ResourceInfo;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.ext.Provider;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.LongGuacamoleProperty;
+
+/**
+ * Filter which restricts REST API requests to a particular maximum size.
+ */
+@Singleton
+@Provider
+public class RequestSizeFilter implements ContainerRequestFilter {
+
+    /**
+     * Informs the RequestSizeFilter to NOT enforce its request size limits on
+     * requests serviced by the annotated method.
+     */
+    @Retention(RetentionPolicy.RUNTIME)
+    @Target(ElementType.METHOD)
+    public static @interface DoNotLimit {}
+
+    /**
+     * The default maximum number of bytes to accept within the entity body of
+     * any particular REST request.
+     */
+    private final long DEFAULT_MAX_REQUEST_SIZE = 2097152;

Review comment:
       Ah, shoot, sorry about that - missed both those things!







[GitHub] [guacamole-client] necouchman merged pull request #595: GUACAMOLE-1298: Automatically limit HTTP request size.

Posted by GitBox <gi...@apache.org>.
necouchman merged pull request #595:
URL: https://github.com/apache/guacamole-client/pull/595


   





[GitHub] [guacamole-client] necouchman commented on a change in pull request #595: GUACAMOLE-1298: Automatically limit HTTP request size.

Posted by GitBox <gi...@apache.org>.
necouchman commented on a change in pull request #595:
URL: https://github.com/apache/guacamole-client/pull/595#discussion_r583298556



##########
File path: guacamole/src/main/java/org/apache/guacamole/rest/RequestSizeFilter.java
##########
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.rest;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.ResourceInfo;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.ext.Provider;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.LongGuacamoleProperty;
+
+/**
+ * Filter which restricts REST API requests to a particular maximum size.
+ */
+@Singleton
+@Provider
+public class RequestSizeFilter implements ContainerRequestFilter {
+
+    /**
+     * Informs the RequestSizeFilter to NOT enforce its request size limits on
+     * requests serviced by the annotated method.
+     */
+    @Retention(RetentionPolicy.RUNTIME)
+    @Target(ElementType.METHOD)
+    public static @interface DoNotLimit {}
+
+    /**
+     * The default maximum number of bytes to accept within the entity body of
+     * any particular REST request.
+     */
+    private final long DEFAULT_MAX_REQUEST_SIZE = 2097152;

Review comment:
       Okay. Is this something that is going to be configurable? I think the 1MB limit in Nginx tends to be problematic for large file uploads into Guacamole Client - I suspect this is also going to limit those uploads??







[GitHub] [guacamole-client] mike-jumper commented on a change in pull request #595: GUACAMOLE-1298: Automatically limit HTTP request size.

Posted by GitBox <gi...@apache.org>.
mike-jumper commented on a change in pull request #595:
URL: https://github.com/apache/guacamole-client/pull/595#discussion_r583253294



##########
File path: guacamole/src/main/java/org/apache/guacamole/GuacamoleServletContextListener.java
##########
@@ -78,33 +121,47 @@ public void contextInitialized(ServletContextEvent servletContextEvent) {
             throw new RuntimeException(e);
         }
 
+        // NOTE: The superclass implementation of contextInitialized() is
+        // expected invoke getInjector(), hence the need to call AFTER setting

Review comment:
       Oops. Fixed via rebase.







[GitHub] [guacamole-client] mike-jumper commented on a change in pull request #595: GUACAMOLE-1298: Automatically limit HTTP request size.

Posted by GitBox <gi...@apache.org>.
mike-jumper commented on a change in pull request #595:
URL: https://github.com/apache/guacamole-client/pull/595#discussion_r583299785



##########
File path: guacamole/src/main/java/org/apache/guacamole/rest/RequestSizeFilter.java
##########
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.rest;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.ResourceInfo;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.ext.Provider;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.LongGuacamoleProperty;
+
+/**
+ * Filter which restricts REST API requests to a particular maximum size.
+ */
+@Singleton
+@Provider
+public class RequestSizeFilter implements ContainerRequestFilter {
+
+    /**
+     * Informs the RequestSizeFilter to NOT enforce its request size limits on
+     * requests serviced by the annotated method.
+     */
+    @Retention(RetentionPolicy.RUNTIME)
+    @Target(ElementType.METHOD)
+    public static @interface DoNotLimit {}
+
+    /**
+     * The default maximum number of bytes to accept within the entity body of
+     * any particular REST request.
+     */
+    private final long DEFAULT_MAX_REQUEST_SIZE = 2097152;

Review comment:
       > Is this something that is going to be configurable?
   
   Yep - with the `api-max-request-size` property that is part of these changes.
   
   > I think the 1MB limit in Nginx tends to be problematic for large file uploads into Guacamole Client - I suspect this is also going to limit those uploads??
   
   Nope, this will specifically not affect uploads, which are annotated with `@RequestSizeFilter.DoNotLimit`. When a user configures their reverse proxy to not limit requests, file uploads of any size will work, while all other requests would still be limited by Guacamole.
   
   (See PR description 😉)







[GitHub] [guacamole-client] mike-jumper commented on a change in pull request #595: GUACAMOLE-1298: Automatically limit HTTP request size.

Posted by GitBox <gi...@apache.org>.
mike-jumper commented on a change in pull request #595:
URL: https://github.com/apache/guacamole-client/pull/595#discussion_r583252097



##########
File path: guacamole/src/main/java/org/apache/guacamole/rest/RequestSizeFilter.java
##########
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.rest;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.ResourceInfo;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.ext.Provider;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.LongGuacamoleProperty;
+
+/**
+ * Filter which restricts REST API requests to a particular maximum size.
+ */
+@Singleton
+@Provider
+public class RequestSizeFilter implements ContainerRequestFilter {
+
+    /**
+     * Informs the RequestSizeFilter to NOT enforce its request size limits on
+     * requests serviced by the annotated method.
+     */
+    @Retention(RetentionPolicy.RUNTIME)
+    @Target(ElementType.METHOD)
+    public static @interface DoNotLimit {}
+
+    /**
+     * The default maximum number of bytes to accept within the entity body of
+     * any particular REST request.
+     */
+    private final long DEFAULT_MAX_REQUEST_SIZE = 2097152;

Review comment:
       My initial thinking was that something on the order of a few MB would be a reasonable default covering most cases, and my gut suggested 2 MB. I checked against the defaults of similar components, particularly Tomcat, and found that this matched up:
   
   * The default `maxPostSize` of Tomcat's HTTP connector is 2 MB.
   * Nginx' default request size limit is 1 MB.







[GitHub] [guacamole-client] necouchman commented on a change in pull request #595: GUACAMOLE-1298: Automatically limit HTTP request size.

Posted by GitBox <gi...@apache.org>.
necouchman commented on a change in pull request #595:
URL: https://github.com/apache/guacamole-client/pull/595#discussion_r583300995



##########
File path: guacamole/src/main/java/org/apache/guacamole/rest/RequestSizeFilter.java
##########
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.rest;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.ResourceInfo;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.ext.Provider;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.LongGuacamoleProperty;
+
+/**
+ * Filter which restricts REST API requests to a particular maximum size.
+ */
+@Singleton
+@Provider
+public class RequestSizeFilter implements ContainerRequestFilter {
+
+    /**
+     * Informs the RequestSizeFilter to NOT enforce its request size limits on
+     * requests serviced by the annotated method.
+     */
+    @Retention(RetentionPolicy.RUNTIME)
+    @Target(ElementType.METHOD)
+    public static @interface DoNotLimit {}
+
+    /**
+     * The default maximum number of bytes to accept within the entity body of
+     * any particular REST request.
+     */
+    private final long DEFAULT_MAX_REQUEST_SIZE = 2097152;

Review comment:
       Wow, just a few lines below this, too - and I even recall reviewing that last time around...



