Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/03/17 00:46:00 UTC
[jira] [Resolved] (NIFI-4202) Add setRequestHeaderSize to restrict incoming request headers
[ https://issues.apache.org/jira/browse/NIFI-4202?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Handermann resolved NIFI-4202.
------------------------------------
Fix Version/s: 1.5.0
Assignee: Matt Burgess (was: David Handermann)
Resolution: Fixed
> Add setRequestHeaderSize to restrict incoming request headers
> -------------------------------------------------------------
>
> Key: NIFI-4202
> URL: https://issues.apache.org/jira/browse/NIFI-4202
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.3.0, 0.7.4
> Reporter: Andy LoPresto
> Assignee: Matt Burgess
> Priority: Major
> Labels: http, jetty, security
> Fix For: 1.5.0
>
> Attachments: Screen Shot 2017-07-18 at 1.02.52 PM.png, Screen Shot 2017-07-18 at 1.02.56 PM.png, Screen Shot 2017-07-18 at 12.56.58 PM.png, Screen Shot 2017-07-18 at 12.57.08 PM.png
>
>
> As reported on the mailing list, when NiFi is running in unsecured mode (HTTP), a request can be intercepted (or simply be a malicious request from origin) and have a large request header injected, which can result in Jetty throwing an {{OutOfMemoryError}}.
> This was reported with reference to the {{NCM}}, which indicates a {{0.x}} release. Normal HTTP requests to the API will fail with HTTP response {{413}} - {{Request Entity Too Large}}. Further investigation is needed as this may only be related to cluster operations.
> The {{setRequestHeaderSize}} method [1] should allow for prevention of this issue.
> (IP address redacted)
> {code}
> 2017-03-07 03:44:03,522 WARN [NiFi Web Server-22]
> o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for
> [id=99a65e79-b856-4e43-9056-1451714498fc, apiAddress=w.x.y.z,
> apiPort=38484, socketAddress=w.x.y.z, socketPort=39494,
> siteToSiteAddress=w.x.y.z, siteToSitePort=null] encountered
> exception: java.util.concurrent.ExecutionException:
> java.lang.OutOfMemoryError: Java heap space
> {code}
> [1] http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/HttpConfiguration.html#setRequestHeaderSize-int-