Posted to issues@nifi.apache.org by "Andy LoPresto (JIRA)" <ji...@apache.org> on 2017/07/18 20:06:00 UTC

[jira] [Updated] (NIFI-4202) Add setRequestHeaderSize to restrict incoming request headers

     [ https://issues.apache.org/jira/browse/NIFI-4202?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy LoPresto updated NIFI-4202:
--------------------------------
    Attachment: Screen Shot 2017-07-18 at 1.02.56 PM.png
                Screen Shot 2017-07-18 at 1.02.52 PM.png
                Screen Shot 2017-07-18 at 12.57.08 PM.png
                Screen Shot 2017-07-18 at 12.56.58 PM.png

> Add setRequestHeaderSize to restrict incoming request headers
> -------------------------------------------------------------
>
>                 Key: NIFI-4202
>                 URL: https://issues.apache.org/jira/browse/NIFI-4202
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.3.0, 0.7.4
>            Reporter: Andy LoPresto
>              Labels: http, jetty, security
>         Attachments: Screen Shot 2017-07-18 at 1.02.52 PM.png, Screen Shot 2017-07-18 at 1.02.56 PM.png, Screen Shot 2017-07-18 at 12.56.58 PM.png, Screen Shot 2017-07-18 at 12.57.08 PM.png
>
>
> As reported on the mailing list, when NiFi is running in unsecured mode (HTTP), a request can be intercepted (or simply be a malicious request from origin) and have a large request header injected, which can result in Jetty throwing an {{OutOfMemoryError}}. 
> This was reported with reference to the {{NCM}}, which indicates a {{0.x}} release. Normal HTTP requests to the API will fail with HTTP response {{413}} - {{Request Entity Too Large}}. Further investigation is needed as this may only be related to cluster operations. 
> The {{setRequestHeaderSize}} method [1] should allow for prevention of this issue. 
> (IP address redacted)
> {code}
> 2017-03-07 03:44:03,522 WARN [NiFi Web Server-22]
> o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for
> [id=99a65e79-b856-4e43-9056-1451714498fc, apiAddress=w.x.y.z,
> apiPort=38484, socketAddress=w.x.y.z, socketPort=39494,
> siteToSiteAddress=w.x.y.z, siteToSitePort=null] encountered
> exception: java.util.concurrent.ExecutionException:
> java.lang.OutOfMemoryError: Java heap space
> {code}
> [1] http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/HttpConfiguration.html#setRequestHeaderSize-int-



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
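The mitigation the issue points at, shown as an added example rather than NiFi or Jetty project code: a minimal embedded Jetty 9 server whose connector is built from an HttpConfiguration with a bounded request header size, together with a raw-socket probe that sends one oversized header so the refusal can be observed. It assumes jetty-server 9.x and the servlet API are on the classpath; the port (18080), the X-Padding header, and the 16 KiB limit are illustrative choices and not NiFi's settings.

```java
// Added example (not NiFi or Jetty project code): bound the bytes Jetty will
// buffer for a request's headers, then probe the limit with a crafted request.
// Assumes jetty-server 9.x on the classpath. Port, header name and limit are
// illustrative assumptions, not NiFi defaults.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

public class BoundedHeaderServer {

    static final int PORT = 18080;                 // assumption for this example
    static final int MAX_HEADER_BYTES = 16 * 1024; // 16 KiB; Jetty's own default is 8 KiB

    /** Starts a server whose connector rejects header blocks above MAX_HEADER_BYTES. */
    static Server start() throws Exception {
        Server server = new Server();

        HttpConfiguration httpConfig = new HttpConfiguration();
        // The setting named in NIFI-4202: caps the header bytes the parser will
        // accept (and the buffer it allocates). Larger requests are refused by
        // Jetty itself, so the application never holds them in heap.
        httpConfig.setRequestHeaderSize(MAX_HEADER_BYTES);

        ServerConnector http = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        http.setPort(PORT);
        server.addConnector(http);

        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request,
                               HttpServletResponse response) throws IOException {
                response.setStatus(HttpServletResponse.SC_OK);
                response.getWriter().println("ok");
                baseRequest.setHandled(true);
            }
        });
        server.start();
        return server;
    }

    /** Sends one GET carrying a header of headerBytes 'A's and returns the status line. */
    static String probe(int headerBytes) {
        char[] pad = new char[headerBytes];
        Arrays.fill(pad, 'A');
        String request = "GET / HTTP/1.1\r\n"
                + "Host: localhost\r\n"
                + "X-Padding: " + new String(pad) + "\r\n"   // constructed, possibly oversized
                + "Connection: close\r\n\r\n";
        try (Socket s = new Socket("localhost", PORT)) {
            OutputStream out = s.getOutputStream();
            out.write(request.getBytes(StandardCharsets.US_ASCII));
            out.flush();
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
            return in.readLine(); // "HTTP/1.1 200 OK" for the small header, a 4xx line for the large one
        } catch (IOException e) {
            // Jetty may close the connection with unread bytes pending, which can surface
            // as a reset on the client side instead of a readable status line.
            return "connection error: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = start();
        try {
            System.out.println("1 KiB header  -> " + probe(1024));
            System.out.println("24 KiB header -> " + probe(24 * 1024));
        } finally {
            server.stop();
        }
    }
}
```

The small probe reaches the handler; the oversized one is rejected during parsing with a 4xx status (the issue reports 413 from the 0.x line; newer Jetty 9 releases answer 431 Request Header Fields Too Large) and the handler never runs. The limit is also the size of the parse buffer, so set it with real clients in mind: bearer tokens and Kerberos negotiate tokens can be several KiB, and a value below what legitimate requests carry turns the hardening into an availability problem.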