Engine-rest maxResults has no default value which may cause DoS


    • Type: Bug Report
    • Resolution: None
    • Priority: L3 - Default
    • Affects Version/s: 7.13.0
    • Component/s: engine

      Environment (Required on creation):

      Camunda BPM 7.13

      Description (Required on creation; please attach any relevant screenshots, stacktraces, log files, etc. to the ticket):

      A well-formed request to the history REST API may cause the server to go down.

      Steps to reproduce:

      1. Create a lot of process-instances
      2. Make a GET request to /engine-rest/history/process-instance without any parameters

      Observed Behavior:

      Server goes down.

      Expected behavior:

      Server successfully makes a response.

      Root Cause

      Almost all REST APIs have no default value for the maxResults parameter, causing them to return all results by default. This can produce a huge response body for history API responses and, in some cases, for other APIs. A huge response body may lead to several Java, HTTP-server or HTTP-protocol level errors, eventually causing the engine service or the whole application to go down.

      Solution Ideas:

      Provide reasonable default value for maxResults parameter in all REST APIs or make this parameter mandatory and return 400 if it is absent.
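      The following is an added example, not Camunda's code, showing how a list endpoint could resolve the maxResults query parameter under either proposed fix: a default plus a hard ceiling, or a mandatory parameter that yields a 400 when absent. The default of 100, the cap of 1000, the companion offset parameter firstResult and the BadRequest exception are assumptions for illustration.

```python
"""Pagination guard illustrating both fixes proposed in the ticket.

Hypothetical helper, not Camunda code: it resolves `maxResults` (and the
offset `firstResult`) for a list endpoint so that a request without
parameters can never select every row.
"""
from dataclasses import dataclass
from typing import Mapping

DEFAULT_MAX_RESULTS = 100  # assumed "reasonable" default for an absent maxResults
HARD_CAP = 1000            # assumed ceiling a client may request explicitly


class BadRequest(Exception):
    """Mapped to an HTTP 400 by the REST layer (assumed) that calls resolve_page."""

    def __init__(self, message: str) -> None:
        super().__init__(message)
        self.status = 400


@dataclass(frozen=True)
class Page:
    first_result: int
    max_results: int


def _non_negative_int(params: Mapping[str, str], name: str, default: int) -> int:
    """Parse an optional non-negative integer query parameter; reject garbage with 400."""
    raw = params.get(name)
    if raw is None:
        return default
    try:
        value = int(raw)
    except ValueError:
        raise BadRequest(f"{name} must be an integer, got {raw!r}") from None
    if value < 0:
        raise BadRequest(f"{name} must not be negative")
    return value


def resolve_page(params: Mapping[str, str], *, require_max_results: bool = False) -> Page:
    """Solution idea 1 (default): a missing maxResults falls back to DEFAULT_MAX_RESULTS
    and any explicit value is clamped to HARD_CAP, so no request is unbounded.
    Solution idea 2 (require_max_results=True): a missing maxResults is a 400."""
    if require_max_results and "maxResults" not in params:
        raise BadRequest("maxResults is required")
    first = _non_negative_int(params, "firstResult", 0)
    max_results = min(_non_negative_int(params, "maxResults", DEFAULT_MAX_RESULTS), HARD_CAP)
    return Page(first_result=first, max_results=max_results)
```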


            Assignee:
            Miklas Boskamp
            Reporter:
            Vlad Chesnokov
            Votes:
            0
            Watchers:
            2