Merge pull request #418 from apache/maintenance/FELIX-6776-Introduce-way-to-restrict-request-and-response-size

FELIX-6776 introduce way to restrict request and response size

Author: paulrutter

http/README.md

@@ -144,7 +144,7 @@
             <version>1.0.0</version>
             <scope>provided</scope>
         </dependency>
-    <!-- Testing -->
+        <!-- Testing -->
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
@@ -154,7 +154,7 @@
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>
-            <version>5.7.0</version>
+            <version>5.17.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>

http/base/pom.xml

@@ -203,11 +203,23 @@ public ObjectClassDefinition getObjectClassDefinition( String id, String locale
                 bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_RESPONSE_BUFFER_SIZE)));
 
         adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_JETTY_MAX_FORM_SIZE,
-                "Maximum Form Size",
+                "Maximum Form Size in bytes",
                 "Size of Body for submitted form content. Default is 200KB.",
                 204800,
                 bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_MAX_FORM_SIZE)));
 
+        adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_JETTY_REQUEST_SIZE_LIMIT,
+                "Maximum request size in bytes",
+                "Maximum size of the request body in bytes. Default is unlimited.",
+                204800,
+                bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_REQUEST_SIZE_LIMIT)));
+
+        adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_JETTY_RESPONSE_SIZE_LIMIT,
+                "Maximum response size in bytes",
+                "Maximum size of the response body in bytes. Default is unlimited.",
+                204800,
+                bundle.getBundleContext().getProperty(JettyConfig.FELIX_JETTY_RESPONSE_SIZE_LIMIT)));
+
         adList.add(new AttributeDefinitionImpl(JettyConfig.FELIX_HTTP_PATH_EXCLUSIONS,
                 "Path Exclusions",
                 "Contains a list of context path prefixes. If a Web Application Bundle is started with a context path matching any " +

http/jetty12/src/main/java/org/apache/felix/http/jetty/internal/ConfigMetaTypeProvider.java

@@ -106,9 +106,15 @@ public final class JettyConfig
     /** Felix specific property to configure the request buffer size. Default is 24KB */
     public static final String FELIX_JETTY_RESPONSE_BUFFER_SIZE = "org.apache.felix.http.jetty.responseBufferSize";
 
-    /** Felix specific property to configure the max form size. Default is 200KB */
+    /** Felix specific property to configure the max form size. Default is 200KB. */
     public static final String FELIX_JETTY_MAX_FORM_SIZE = "org.apache.felix.http.jetty.maxFormSize";
 
+    /** Felix specific property to configure the request size limit. Default is unlimited. See https://jetty.org/docs/jetty/12/programming-guide/server/http.html#handler-use-size-limit */
+    public static final String FELIX_JETTY_REQUEST_SIZE_LIMIT = "org.apache.felix.http.jetty.requestSizeLimit";
+
+    /** Felix specific property to configure the response size limit. Default is unlimited. See https://jetty.org/docs/jetty/12/programming-guide/server/http.html#handler-use-size-limit */
+    public static final String FELIX_JETTY_RESPONSE_SIZE_LIMIT = "org.apache.felix.http.jetty.responseSizeLimit";
+
     /** Felix specific property to enable Jetty MBeans. Valid values are "true", "false". Default is false */
     public static final String FELIX_HTTP_MBEANS = "org.apache.felix.http.mbeans";
 
@@ -493,6 +499,16 @@ public int getMaxFormSize()
         return getIntProperty(FELIX_JETTY_MAX_FORM_SIZE, 200 * 1024);
     }
 
+    public int getRequestSizeLimit()
+    {
+        return getIntProperty(FELIX_JETTY_REQUEST_SIZE_LIMIT, -1);
+    }
+
+    public int getResponseSizeLimit()
+    {
+        return getIntProperty(FELIX_JETTY_RESPONSE_SIZE_LIMIT, -1);
+    }
+
     /**
      * Returns the configured session timeout in minutes or zero if not
      * configured.

http/jetty12/src/main/java/org/apache/felix/http/jetty/internal/JettyConfig.java

@@ -56,6 +56,7 @@
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.server.handler.ContextHandlerCollection;
+import org.eclipse.jetty.server.handler.SizeLimitHandler;
 import org.eclipse.jetty.server.handler.StatisticsHandler;
 import org.eclipse.jetty.server.handler.gzip.GzipHandler;
 import org.eclipse.jetty.session.HouseKeeper;
@@ -324,6 +325,14 @@ private void initializeJetty() throws Exception
             context.addServlet(holder, "/*");
             context.setMaxFormContentSize(this.config.getMaxFormSize());
 
+            int requestSizeLimit = this.config.getRequestSizeLimit();
+            int responseSizeLimit = this.config.getResponseSizeLimit();
+            if (requestSizeLimit > -1 || responseSizeLimit > -1) {
+                // Use SizeLimitHandler to limit the size of the request body and response
+                // -1 is unlimited
+                context.setHandler(new SizeLimitHandler(requestSizeLimit, responseSizeLimit));
+            }
+
             if (this.config.isRegisterMBeans())
             {
                 this.mbeanServerTracker = new MBeanServerTracker(this.context, this.server);

http/jetty12/src/main/java/org/apache/felix/http/jetty/internal/JettyService.java

@@ -114,18 +114,18 @@ public void testFormSizeLimit() throws Exception {
         formFieldsLimitExceeded.add(new Fields.Field("key", "valueoverlimit")); // over limit of 10 bytes
         ContentResponse responseExceeded = httpClient.FORM(uri, formFieldsLimitExceeded);
 
-        // HTTP 500 thrown, because req.getParameter("key") throws an IOEx
+        // HTTP 500 thrown, because req.getParameter("key") throws an IOException
         assertEquals(500, responseExceeded.getStatus());
 
         httpClient.close();
     }
 
-     static final class HelloWorldServlet extends HttpServlet {
-         @Override
-         protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-             req.getParameter("key"); // this triggers the maxFormSize check
-             resp.setStatus(200);
-             resp.getWriter().write("OK");
-         }
+    static final class HelloWorldServlet extends HttpServlet {
+        @Override
+        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+            req.getParameter("key"); // this triggers the maxFormSize check
+            resp.setStatus(200);
+            resp.getWriter().write("OK");
+        }
     }
-}
+}

http/jetty12/src/test/java/org/apache/felix/http/jetty/it/JettyMaxFormSizeIT.java

@@ -0,0 +1,145 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.felix.http.jetty.it;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.ops4j.pax.exam.CoreOptions.mavenBundle;
+import static org.ops4j.pax.exam.cm.ConfigurationAdminOptions.newConfiguration;
+
+import java.io.IOException;
+import java.net.URI;
+import java.util.Hashtable;
+import java.util.Map;
+
+import javax.inject.Inject;
+import jakarta.servlet.Servlet;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.client.ContentResponse;
+import org.eclipse.jetty.client.HttpClient;
+import org.eclipse.jetty.client.transport.HttpClientTransportOverHTTP;
+import org.eclipse.jetty.util.Fields;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.ops4j.pax.exam.Option;
+import org.ops4j.pax.exam.junit.PaxExam;
+import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy;
+import org.ops4j.pax.exam.spi.reactors.PerClass;
+import org.osgi.framework.BundleContext;
+import org.osgi.service.http.HttpService;
+import org.osgi.service.servlet.whiteboard.HttpWhiteboardConstants;
+
+@RunWith(PaxExam.class)
+@ExamReactorStrategy(PerClass.class)
+public class JettySizeLimitHandlerIT extends AbstractJettyTestSupport {
+    private static final int LIMIT_IN_BYTES = 10;
+
+    @Inject
+    protected BundleContext bundleContext;
+
+    @Override
+    protected Option[] additionalOptions() throws IOException {
+        String jettyVersion = System.getProperty("jetty.version", JETTY_VERSION);
+        return new Option[] {
+                spifly(),
+
+                // bundles for the server side
+                mavenBundle().groupId("org.eclipse.jetty.ee10").artifactId("jetty-ee10-webapp").version(jettyVersion),
+                mavenBundle().groupId("org.eclipse.jetty").artifactId("jetty-ee").version(jettyVersion),
+                mavenBundle().groupId("org.eclipse.jetty.ee10").artifactId("jetty-ee10-servlet").version(jettyVersion),
+                mavenBundle().groupId("org.eclipse.jetty").artifactId("jetty-xml").version(jettyVersion),
+
+                // additional bundles for the client side
+                mavenBundle().groupId("org.eclipse.jetty").artifactId("jetty-alpn-client").version(jettyVersion),
+                mavenBundle().groupId("org.eclipse.jetty").artifactId("jetty-client").version(jettyVersion)
+        };
+    }
+
+    @Override
+    protected Option felixHttpConfig(int httpPort) {
+        return newConfiguration("org.apache.felix.http")
+                .put("org.osgi.service.http.port", httpPort)
+                .put("org.apache.felix.http.jetty.requestSizeLimit", LIMIT_IN_BYTES) // 10 bytes limit for the request
+                .put("org.apache.felix.http.jetty.responseSizeLimit", LIMIT_IN_BYTES) // 10 bytes limit for the response
+                .asOption();
+    }
+
+    @Before
+    public void setup(){
+        assertNotNull(bundleContext);
+        bundleContext.registerService(Servlet.class, new HelloWorldServletWithinLimit(), new Hashtable<>(Map.of(
+                HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_PATTERN, "/withinlimit/*"
+        )));
+        bundleContext.registerService(Servlet.class, new HelloWorldServletExceedingLimit(), new Hashtable<>(Map.of(
+                HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_PATTERN, "/exceedinglimit/*"
+        )));
+    }
+
+
+    @Test
+    public void testRequestResponseLimits() throws Exception {
+        HttpClientTransportOverHTTP transport = new HttpClientTransportOverHTTP();
+        HttpClient httpClient = new HttpClient(transport);
+        httpClient.start();
+
+        Object value = bundleContext.getServiceReference(HttpService.class).getProperty("org.osgi.service.http.port");
+        int httpPort = Integer.parseInt((String) value);
+
+        Fields formFields = new Fields();
+        formFields.add(new Fields.Field("key", "value")); // under 10 bytes
+        ContentResponse responseWithinLimit = httpClient.FORM(new URI(String.format("http://localhost:%d/withinlimit/a", httpPort)), formFields);
+
+        // Request limit ok, response limit ok
+        assertEquals(200, responseWithinLimit.getStatus());
+        assertEquals("OK", responseWithinLimit.getContentAsString());
+
+        // Request limit ok, response limit exceeded
+        // org.eclipse.jetty.http.HttpException$RuntimeException: 500: Response body is too large: 17>10
+        ContentResponse responseExceedingLimit = httpClient.FORM(new URI(String.format("http://localhost:%d/exceedinglimit/a", httpPort)), formFields);
+        assertEquals(500, responseExceedingLimit.getStatus());
+
+        Fields formFieldsLimitExceeded = new Fields();
+        formFieldsLimitExceeded.add(new Fields.Field("key", "valueoverlimit")); // over limit of 10 bytes
+        ContentResponse responseExceeded = httpClient.FORM(new URI(String.format("http://localhost:%d/withinlimit/a", httpPort)), formFieldsLimitExceeded);
+
+        // Request limit exceeded, HTTP 413 directly from Jetty
+        assertEquals(413, responseExceeded.getStatus());
+
+        httpClient.close();
+    }
+
+    static final class HelloWorldServletWithinLimit extends HttpServlet {
+        @Override
+        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+            resp.setStatus(200);
+            resp.getWriter().write("OK");
+        }
+    }
+
+    static final class HelloWorldServletExceedingLimit extends HttpServlet {
+        @Override
+        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+            resp.setStatus(200);
+            resp.getWriter().write("responseoverlimit");
+        }
+    }
+}