Bug Report
Resolution: Fixed
L3 - Default
Brief summary of the bug. What is it? Where is it?
When a request is made to Optimize that contains a header with a value larger than 8 KB, the server rejects the request with a 413.
This looks to be an underlying default limit of the Jetty server, configured through the _requestHeaderSize parameter.
In practice, Optimize can set multiple cookies, more so when the user is a member of many organisations in SaaS. When the frontend (FE) sends subsequent requests, all of these cookies are included in a single Cookie header, which is prone to hitting such limits.
More context: https://camunda.slack.com/archives/CKZK2E7RP/p1685126341908689
Steps to reproduce:
- Be a member of multiple SaaS organisations (hard to say, as it also depends on the permissions of each org). If your response headers contain three service token cookies, this is a good indicator that you have reached enough orgs to reproduce this
- Try to access Optimize
Actual result:
- 413 seen in the browser
Expected result:
- User should be able to access Optimize
Notes:
- If this can be resolved by a Jetty configuration change
- We should also allow the specific value to be configurable within Optimize
- We should increase the default max request header size. The Jetty default is 8 KB, but we could probably double it quite safely without a large increase in memory use
- Any fix should be backported to maintenance/3.10
- We should allow this to be configured by env var
Testing Notes:
1) Send a request to Optimize via Postman, adding a new random header with a long value.
2) On the right hand side in Postman, click on the code snippet tab, choose curl, copy the entire request as shown from curl
3) Open a terminal, paste the copied curl code and add this to the end of the request:
-w '%{response_code} %{size_request}'
e.g.
curl <my_really_long_request_with_all_headers_and_stuff> -w '%{response_code} %{size_request}'
4) Observe the resulting response code and size_request. It should be 431 if size_request is bigger than the configured CAMUNDA_OPTIMIZE_CONTAINER_MAX_REQUEST_HEADER_SIZE_BYTES, or 200/204 if it is smaller. Note that size_request is only an approximation of the header size, since it also counts the request line (including the URL).
The env var is CAMUNDA_OPTIMIZE_CONTAINER_MAX_REQUEST_HEADER_SIZE_BYTES
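The following is an added example (not Optimize's or Jetty's own code) that makes the size check in the testing notes predictable: it serialises the request line and headers the way they go on the wire, resolves the limit from CAMUNDA_OPTIMIZE_CONTAINER_MAX_REQUEST_HEADER_SIZE_BYTES (falling back to Jetty's 8 KB default), and reports whether a request would be expected to come back as 431 or 200. The cookie names, the 3000-character token length and the host name are constructed sample data, and the byte count is an approximation of Jetty's accounting (request line plus header lines), not Jetty's exact buffer arithmetic.

```python
# Added example (not Optimize's or Jetty's own code): estimate how large the
# request head (request line + headers) of an Optimize call is, and whether it
# would exceed the header limit Jetty enforces, so a tester can predict the
# 431-vs-200 outcome of the curl check above instead of guessing at the size.
# Cookie names, token length and host name below are constructed sample data.
import os
from typing import Dict, Optional, Tuple

# Jetty's default requestHeaderSize; Optimize exposes an override through
# CAMUNDA_OPTIMIZE_CONTAINER_MAX_REQUEST_HEADER_SIZE_BYTES.
DEFAULT_MAX_REQUEST_HEADER_SIZE_BYTES = 8 * 1024
ENV_VAR = "CAMUNDA_OPTIMIZE_CONTAINER_MAX_REQUEST_HEADER_SIZE_BYTES"


def configured_limit(env: Optional[Dict[str, str]] = None) -> int:
    """Resolve the limit from the environment, falling back to Jetty's default."""
    source = os.environ if env is None else env
    raw = source.get(ENV_VAR, "").strip()
    return int(raw) if raw else DEFAULT_MAX_REQUEST_HEADER_SIZE_BYTES


def cookie_header(cookies: Dict[str, str]) -> str:
    """Join cookies the way a browser does: one Cookie header, '; '-separated."""
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


def request_head_bytes(method: str, path: str, headers: Dict[str, str]) -> int:
    """Byte length of the HTTP/1.1 request line plus headers, as sent on the wire.

    Approximates what Jetty counts against requestHeaderSize: the request line
    (so the URL matters, as the testing notes say) and every header line, each
    terminated by CRLF, plus the blank line that ends the head.
    """
    lines = [f"{method} {path} HTTP/1.1"]
    lines.extend(f"{name}: {value}" for name, value in headers.items())
    head = "\r\n".join(lines) + "\r\n\r\n"
    return len(head.encode("latin-1"))


def check_request(method: str, path: str, headers: Dict[str, str],
                  limit: int) -> Tuple[int, int]:
    """Return (expected_status, head_size): 431 when the head exceeds the limit."""
    size = request_head_bytes(method, path, headers)
    return (431 if size > limit else 200), size


def sample_multi_org_request(orgs: int, token_len: int = 3000) -> Dict[str, str]:
    """Constructed headers for a user in `orgs` SaaS organisations, each of which
    contributes one service-token cookie of `token_len` characters (assumed size)."""
    cookies = {f"service_token_org{i}": "A" * token_len for i in range(1, orgs + 1)}
    return {
        "Host": "optimize.example",
        "Accept": "application/json",
        "Cookie": cookie_header(cookies),
    }


if __name__ == "__main__":
    limit = configured_limit()
    for orgs in (1, 2, 3):
        status, size = check_request("GET", "/api/status",
                                     sample_multi_org_request(orgs), limit)
        print(f"{orgs} org(s): head={size} bytes, limit={limit} -> expect {status}")
```

With the default 8 KB limit, the constructed three-cookie request crosses the limit (9149 bytes) while one or two cookies do not; setting the env var to 16384 admits all three. When raising the limit, keep in mind that Jetty sizes its per-connection header buffer from this value, so the setting trades a small amount of memory per open connection against tolerance for large cookie headers, which is why the report suggests doubling rather than an unbounded increase.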