Engine-rest maxResults has no default value, which may cause DoS
Environment (Required on creation):
Camunda BPM 7.13
Description (Required on creation; please attach any relevant screenshots, stacktraces, log files, etc. to the ticket):
A valid request to the history REST API may cause the server to go down.
Steps to reproduce:
- Create a lot of process-instances
- Make a GET request to /engine-rest/history/process-instance without any parameters
Observed Behavior:
Server goes down.
Expected behavior:
Server successfully returns a response.
Root Cause:
Almost all REST APIs have no default value for the maxResults parameter, so they return all results by default. This can produce a huge response body for history API responses and, in some cases, for other APIs. A huge response body may lead to Java, HTTP-server or HTTP-protocol level errors that eventually cause the engine service or the whole application to go down.
Solution Ideas:
Provide a reasonable default value for the maxResults parameter in all REST APIs, or make this parameter mandatory and return 400 if it is absent.
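One way to apply the first solution idea without touching every resource class is a JAX-RS pre-matching filter deployed in front of engine-rest. This is an added example, not Camunda code; the class name, the default and ceiling values, and the exclusion of /count endpoints are assumptions.

```java
import java.net.URI;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Hypothetical pre-matching filter: bounds maxResults on list endpoints before
// the resource method sees the request (default when absent, clamp above a
// ceiling, 400 on malformed or negative values).
@Provider
@PreMatching
public class MaxResultsGuardFilter implements ContainerRequestFilter {
    // Assumed limits, not Camunda defaults; size them for your deployment.
    static final int DEFAULT_MAX_RESULTS = 100;
    static final int HARD_CEILING = 1000;

    @Override
    public void filter(ContainerRequestContext ctx) {
        String method = ctx.getMethod();
        if (!"GET".equals(method) && !"POST".equals(method)) {
            return;                                    // no list semantics
        }
        if (ctx.getUriInfo().getPath().endsWith("/count")) {
            return;                                    // single number, no paging
        }
        String raw = ctx.getUriInfo().getQueryParameters().getFirst("maxResults");
        int bounded = DEFAULT_MAX_RESULTS;             // solution idea 1: sane default
        if (raw != null) {
            try {
                bounded = Integer.parseInt(raw.trim());
            } catch (NumberFormatException e) {
                bounded = -1;                          // treat as invalid below
            }
            if (bounded < 0) {                         // malformed or negative
                ctx.abortWith(Response.status(Response.Status.BAD_REQUEST)
                        .entity("maxResults must be a non-negative integer").build());
                return;
            }
            bounded = Math.min(bounded, HARD_CEILING);  // never exceed the ceiling
        }
        if (raw == null || !raw.trim().equals(Integer.toString(bounded))) {
            // Rewrite the request URI so only the bounded value reaches the resource.
            URI rewritten = ctx.getUriInfo().getRequestUriBuilder()
                    .replaceQueryParam("maxResults", bounded).build();
            ctx.setRequestUri(rewritten);
        }
    }
}
```

The default-value variant is shown rather than the mandatory variant because a blanket 400 on a missing maxResults would also reject single-resource GETs that carry no paging parameters at all.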