Apache NiFi / NIFI-4202

Add setRequestHeaderSize to restrict incoming request headers


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.3.0, 0.7.4
    • Fix Version/s: None
    • Component/s: Core Framework
    • Labels:

      Description

      As reported on the mailing list, when NiFi is running in unsecured mode (HTTP), a request can be intercepted (or simply be a malicious request from the origin) and have a large request header injected, which can result in Jetty throwing an OutOfMemoryError.

      This was reported with reference to the NCM (NiFi Cluster Manager), which indicates a 0.x release. Normal HTTP requests to the API will fail with HTTP response 413 - Request Entity Too Large. Further investigation is needed, as this may only affect cluster operations.

      Jetty's HttpConfiguration.setRequestHeaderSize method [1] should allow this issue to be prevented by bounding the header bytes Jetty will accept for a request.

      (IP address redacted)

      2017-03-07 03:44:03,522 WARN [NiFi Web Server-22]
      o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for
      [id=99a65e79-b856-4e43-9056-1451714498fc, apiAddress=w.x.y.z,
      apiPort=38484, socketAddress=w.x.y.z, socketPort=39494,
      siteToSiteAddress=w.x.y.z, siteToSitePort=null] encountered
      exception: java.util.concurrent.ExecutionException:
      java.lang.OutOfMemoryError: Java heap space

      [1] http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/HttpConfiguration.html#setRequestHeaderSize-int-

        Attachments

        1. Screen Shot 2017-07-18 at 1.02.52 PM.png (423 kB, Andy LoPresto)
        2. Screen Shot 2017-07-18 at 12.56.58 PM.png (389 kB, Andy LoPresto)
        3. Screen Shot 2017-07-18 at 1.02.56 PM.png (372 kB, Andy LoPresto)
        4. Screen Shot 2017-07-18 at 12.57.08 PM.png (341 kB, Andy LoPresto)


            People

            • Assignee: Unassigned
            • Reporter: alopresto (Andy LoPresto)
            • Votes: 0
            • Watchers: 1
