camunda BPM / CAM-13051

Engine-rest maxResults has no default value which may cause DoS


Details

    • Bug Report
    • Resolution: None
    • L3 - Default
    • None
    • 7.13.0
    • engine

    Description

      Environment (Required on creation):

      Camunda BPM 7.13

      Description (Required on creation; please attach any relevant screenshots, stacktraces, log files, etc. to the ticket):

      A valid request to the history REST API may cause the server to go down.

      Steps to reproduce:

      1. Create a large number of process instances
      2. Make a GET request to /engine-rest/history/process-instance without any parameters

      Observed Behavior:

      The server goes down.

      Expected behavior:

      The server successfully returns a response.

      Root Cause

      Almost all REST APIs have no default value for the maxResults parameter, so they return all results by default. This can produce a huge response body for history API responses and, in some cases, for other APIs. A huge response body may lead to several Java, HTTP-server or HTTP-protocol level errors, eventually causing the engine service or the whole application to go down.

      Solution Ideas:

      Provide a reasonable default value for the maxResults parameter in all REST APIs, or make this parameter mandatory and return 400 if it is absent.
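      As an added illustration (not code from the Camunda project or from this ticket), the Python WSGI middleware below enforces both solution ideas at the HTTP layer in front of a list endpoint: it injects a default maxResults when the parameter is absent, caps it when it is present, rejects non-integer or negative values, and in `require=True` mode answers 400 when the parameter is missing. The path prefix `/engine-rest/`, the default of 100, the cap of 1000 and the JSON error body are assumed policy values chosen for the example; `echo_app` stands in for the engine and the requests in `simulate` are constructed.

```python
import json
from urllib.parse import parse_qsl, urlencode

# Assumed policy values for this illustration; the engine itself defines none
# (that absence is the bug reported in CAM-13051).
DEFAULT_MAX_RESULTS = 100    # applied when the client sends no maxResults
HARD_CAP_MAX_RESULTS = 1000  # largest page the deployment is willing to serve


def bound_max_results(params, default=DEFAULT_MAX_RESULTS,
                      cap=HARD_CAP_MAX_RESULTS, require=False):
    """Return the maxResults value to forward, or raise ValueError (-> 400).

    require=False implements the first solution idea (a reasonable default);
    require=True implements the second (400 when the parameter is absent).
    """
    raw = params.get("maxResults")
    if raw is None or raw == "":
        if require:
            raise ValueError("maxResults is required")
        return default
    try:
        value = int(raw)
    except ValueError:
        raise ValueError("maxResults must be an integer") from None
    if value < 0:
        raise ValueError("maxResults must not be negative")
    return min(value, cap)  # a client asking for more than the cap gets the cap


class BoundedMaxResults:
    """WSGI middleware that rewrites QUERY_STRING for list endpoints.

    Every request whose path starts with ``prefix`` reaches the wrapped app
    with a maxResults parameter that is present, integral and <= ``cap``.
    """

    def __init__(self, app, prefix="/engine-rest/", default=DEFAULT_MAX_RESULTS,
                 cap=HARD_CAP_MAX_RESULTS, require=False):
        self.app, self.prefix = app, prefix
        self.default, self.cap, self.require = default, cap, require

    def __call__(self, environ, start_response):
        if not environ.get("PATH_INFO", "").startswith(self.prefix):
            return self.app(environ, start_response)  # not a guarded path
        params = parse_qsl(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        try:
            bounded = bound_max_results(dict(params), self.default, self.cap, self.require)
        except ValueError as exc:
            body = json.dumps({"error": str(exc)}).encode()  # constructed error format
            start_response("400 Bad Request", [("Content-Type", "application/json"),
                                               ("Content-Length", str(len(body)))])
            return [body]
        # Keep every other parameter in order; replace maxResults with the bounded value.
        kept = [(k, v) for k, v in params if k != "maxResults"]
        environ["QUERY_STRING"] = urlencode(kept + [("maxResults", bounded)])
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Stand-in for engine-rest: echoes the query string it actually receives."""
    body = environ.get("QUERY_STRING", "").encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def simulate(app, path, query=""):
    """Drive a WSGI app with a constructed GET request; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


if __name__ == "__main__":
    guarded = BoundedMaxResults(echo_app)
    # The reproduction from the ticket: the history list endpoint with no parameters.
    print(simulate(guarded, "/engine-rest/history/process-instance"))
    print(simulate(guarded, "/engine-rest/history/process-instance",
                   "finished=true&maxResults=50000"))
    print(simulate(BoundedMaxResults(echo_app, require=True),
                   "/engine-rest/history/process-instance"))
```

      The same bounding logic can live in a servlet filter inside the engine-rest webapp or in a reverse proxy rewrite rule; the point is that the engine never sees an unbounded list request, whichever of the two solution ideas the deployment picks.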

      People

        miklas.boskamp Miklas Boskamp
        ov7a Vlad Chesnokov