Camunda Optimize / OPT-7026

Optimize cannot accept request headers larger than 8kb


Details

    • Type: Bug Report
    • Resolution: Fixed
    • Priority: L3 - Default
    • Fix Version/s: 3.11.0-alpha3, 3.10.4, 3.9.6
    • None
    • Component/s: backend
    • None
    • Not defined

    Description


      When a request is made to Optimize that contains a header whose value is larger than 8 KB, the server rejects the request with a 413.

      This looks to be an underlying default limit of the embedded Jetty server, configured through the requestHeaderSize setting of Jetty's HttpConfiguration (the Jetty default is 8192 bytes, and the limit applies to the whole header block, not just a single header).

      In practice, Optimize can set multiple cookies, more so when the user is a member of many organisations in SaaS. When the frontend sends subsequent requests, the browser folds all of these cookies into a single Cookie header, which can easily exceed that limit.

      More context: https://camunda.slack.com/archives/CKZK2E7RP/p1685126341908689 

      Steps to reproduce:

      • Be a member of multiple SaaS organisations (the exact number is hard to say, as it also depends on the permissions of each org). If the response headers set three service token cookies, this is a good indicator that you belong to enough orgs to reproduce this
      • Try to access Optimize

      Actual result:

      • 413 seen in the browser

      Expected result:

      • User should be able to access Optimize

      Notes:

      • If this can be resolved by a Jetty configuration change:
        • We should also make the specific value configurable within Optimize
        • We should increase the default max request header size. The Jetty default is 8 KB, but we could probably double this quite safely without a significant increase in memory usage
      • Any fix should be backported to maintenance/3.10
      • We should allow this to be configured by env var

       

      Testing Notes: 

      1) Send a request to Optimize via Postman, adding an arbitrary new header with a value several kilobytes long.

      2) On the right-hand side in Postman, click on the code snippet tab, choose curl, and copy the entire request as shown for curl.

      3) Open a terminal, paste the copied curl command and add this to the end of it:

      -w '%{response_code} %{size_request}'

      e.g.

      curl <my_really_long_request_with_all_headers_and_stuff> -w '%{response_code} %{size_request}'

      4) Observe the resulting response code and size_request. It should be 431 (Request Header Fields Too Large) if size_request is bigger than the configured CAMUNDA_OPTIMIZE_CONTAINER_MAX_REQUEST_HEADER_SIZE_BYTES, or 200/204 if it is less. Note that size_request is only an approximation of what the server measures: curl counts the request line (including the URL) together with all headers.

      The env var is CAMUNDA_OPTIMIZE_CONTAINER_MAX_REQUEST_HEADER_SIZE_BYTES
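The following Python script is an added illustration of the failure mode and of the check the testing notes describe; it is not part of this ticket or of Optimize's code. It builds a request whose cookies are folded into one Cookie header the way a browser does, measures the header block the way a requestHeaderSize-style limit would, and runs a toy loopback server that answers 200 or 431 depending on a configurable limit. The env var name is taken from the ticket, but reading it here is an assumption about wiring; the cookie names, the 3000-byte token size and the server are constructed for the example.

```python
import os
import socket
import threading

# Jetty's default HttpConfiguration.requestHeaderSize, the limit the ticket reports hitting.
DEFAULT_MAX_HEADER_BYTES = 8192

# Env var named in the ticket. Reading it here is an assumption about how the configurable
# limit could be wired, not Optimize's actual implementation.
LIMIT_ENV_VAR = "CAMUNDA_OPTIMIZE_CONTAINER_MAX_REQUEST_HEADER_SIZE_BYTES"


def configured_limit(env=None):
    """Return the header-size limit from the environment, falling back to Jetty's 8 KB default."""
    env = os.environ if env is None else env
    raw = env.get(LIMIT_ENV_VAR)
    return int(raw) if raw else DEFAULT_MAX_HEADER_BYTES


def service_token_cookies(count, token_bytes=3000):
    """Constructed sample: `count` opaque per-organisation service-token cookies (names/sizes made up)."""
    return {f"service-token-{i}": "A" * token_bytes for i in range(count)}


def build_request(path, cookies):
    """Build a minimal HTTP/1.1 GET; like a browser, fold every cookie into a single Cookie header."""
    lines = [f"GET {path} HTTP/1.1", "Host: optimize.example"]
    if cookies:
        lines.append("Cookie: " + "; ".join(f"{name}={value}" for name, value in cookies.items()))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def header_block_size(request):
    """Bytes of request line plus all headers, i.e. what a requestHeaderSize-style limit measures."""
    end = request.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete header block")
    return end + len(b"\r\n\r\n")


def status_for(request, limit):
    """431 Request Header Fields Too Large when the header block exceeds `limit`, else 200."""
    return 431 if header_block_size(request) > limit else 200


def serve_one_request(srv, limit):
    """Toy server: accept one connection on `srv`, apply the limit, reply 200 or 431, close."""
    conn, _ = srv.accept()
    with srv, conn:
        data = b""
        # Read the whole header block first (capped at 1 MiB), then judge it; a real Jetty
        # rejects as soon as its header buffer overflows, which is the same outcome.
        while b"\r\n\r\n" not in data and len(data) < 1 << 20:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        code = 431 if b"\r\n\r\n" not in data else status_for(data, limit)
        reason = {200: "OK", 431: "Request Header Fields Too Large"}[code]
        conn.sendall(f"HTTP/1.1 {code} {reason}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n".encode())


def send_request(port, request):
    """Send a raw request over loopback and return the status code parsed from the status line."""
    with socket.create_connection(("127.0.0.1", port)) as cli:
        cli.sendall(request)
        reply = b""
        while True:
            chunk = cli.recv(4096)
            if not chunk:
                break
            reply += chunk
    return int(reply.split(b" ", 2)[1])


def probe(limit, cookie_count):
    """Start the toy server with `limit`, send a request carrying `cookie_count` cookies, return status."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port
    srv.listen(1)
    thread = threading.Thread(target=serve_one_request, args=(srv, limit))
    thread.start()
    request = build_request("/api/status", service_token_cookies(cookie_count))
    code = send_request(srv.getsockname()[1], request)
    thread.join()
    return code


if __name__ == "__main__":
    limit = configured_limit()
    for count in (1, 3):
        request = build_request("/api/status", service_token_cookies(count))
        print(f"{count} cookie(s): header block {header_block_size(request)} bytes, "
              f"limit {limit} -> HTTP {probe(limit, count)}")
```

With the default limit, one 3000-byte token cookie fits and three do not, which mirrors the "three service token cookies" indicator in the reproduction steps; exporting the env var as 16384 before running makes the three-cookie request succeed, which is the check step 4 of the testing notes performs with curl.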

       

            People

              Assignee: Unassigned
              Reporter: Joshua Windels
              Votes: 0
              Watchers: 1