Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2991#discussion_r218868215
--- Diff:
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/HandleHttpRequest.java
---
@@ -521,161 +553,221 @@ public void onTrigger(final ProcessContext context,
final ProcessSession session
final long start = System.nanoTime();
final HttpServletRequest request = container.getRequest();
- FlowFile flowFile = session.create();
- try (OutputStream flowFileOut = session.write(flowFile)) {
- StreamUtils.copy(request.getInputStream(), flowFileOut);
- } catch (final IOException e) {
- // There may be many reasons which can produce an IOException
on the HTTP stream and in some of them, eg.
- // bad requests, the connection to the client is not closed.
In order to address also these cases, we try
- // and answer with a BAD_REQUEST, which lets the client know
that the request has not been correctly
- // processed and makes it aware that the connection can be
closed.
- getLogger().error("Failed to receive content from HTTP Request
from {} due to {}",
- new Object[]{request.getRemoteAddr(), e});
- session.remove(flowFile);
- try {
- HttpServletResponse response = container.getResponse();
- response.sendError(Status.BAD_REQUEST.getStatusCode());
- response.flushBuffer();
- container.getContext().complete();
- } catch (final IOException ioe) {
- getLogger().warn("Failed to send HTTP response to {} due
to {}",
- new Object[]{request.getRemoteAddr(), ioe});
+ if (!Strings.isNullOrEmpty(request.getContentType()) &&
request.getContentType().contains(MIME_TYPE__MULTIPART_FORM_DATA)) {
+ final long maxRequestSize =
context.getProperty(MAX_REQUEST_SIZE).asLong();
+ request.setAttribute(Request.__MULTIPART_CONFIG_ELEMENT, new
MultipartConfigElement("/tmp", maxRequestSize, maxRequestSize, 0));
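Review bot: the multipart spool location is hard-coded to "/tmp" in the new MultipartConfigElement, and with a fileSizeThreshold of 0 every uploaded part is written to disk there; "/tmp" is a shared, world-writable directory, so the spooled request bodies become readable or replaceable by other local users (the insecure-temporary-file issue). Suggest making the location a processor property, or creating a per-processor directory with owner-only permissions at scheduling time, and passing that path instead of "/tmp". Since the session.create()/session.write() lines are removed here and their replacement is not visible in this excerpt, also confirm that each Part is deleted (Part.delete()) once its content has been transferred to a FlowFile, so spooled files do not accumulate when maxRequestSize is large.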
--- End diff --
This also opens up a lot of security concerns. We need to be very careful
about how we handle, sanitize, trust, store, and display this data.
Some good starting places for reading:
* https://www.owasp.org/index.php/Deserialization_of_untrusted_data
* https://www.owasp.org/index.php/Unrestricted_File_Upload
* https://www.owasp.org/index.php/Insecure_Temporary_File
* https://www.owasp.org/index.php/Protect_FileUpload_Against_Malicious_File
---
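The following is an added example, not code from the NiFi pull request or the NiFi project, sketching how the multipart configuration in the hunk above could be set up defensively: a private spool directory instead of a shared "/tmp", explicit size and part-count limits, a whitelist check on client-supplied filenames, and deletion of spooled parts after use. It assumes the javax.servlet API that Jetty exposes; the class name `MultipartUploadGuard`, the limits, and the spool-directory prefix are all hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.MultipartConfigElement;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.Part;

/**
 * Hypothetical helper (not NiFi code) for accepting multipart/form-data requests
 * without the shared-temp-dir and unrestricted-upload pitfalls.
 */
public final class MultipartUploadGuard {

    // Conservative filename whitelist: no separators, no control characters, bounded length.
    private static final Pattern SAFE_FILENAME = Pattern.compile("[A-Za-z0-9._-]{1,255}");

    private final Path spoolDir;
    private final long maxRequestSize;
    private final int maxParts;

    public MultipartUploadGuard(final long maxRequestSize, final int maxParts) throws IOException {
        this.maxRequestSize = maxRequestSize;
        this.maxParts = maxParts;
        this.spoolDir = createPrivateSpoolDir();
    }

    /** Creates a fresh directory under java.io.tmpdir that only the service account can read or write. */
    static Path createPrivateSpoolDir() throws IOException {
        final Set<PosixFilePermission> ownerOnly = EnumSet.of(
                PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE);
        final FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        try {
            return Files.createTempDirectory("multipart-spool-", attr);
        } catch (final UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): fall back to the default, still per-process, directory.
            return Files.createTempDirectory("multipart-spool-");
        }
    }

    /**
     * Multipart config for the servlet container: private spool directory, the same bound on each part
     * and on the whole request, and threshold 0 so no part is buffered in heap memory.
     */
    public MultipartConfigElement multipartConfig() {
        return new MultipartConfigElement(spoolDir.toString(), maxRequestSize, maxRequestSize, 0);
    }

    /** Parses and validates the parts; the container enforces the size limits while parsing. */
    public Collection<Part> validatedParts(final HttpServletRequest request) throws IOException, ServletException {
        final Collection<Part> parts = request.getParts();
        if (parts.size() > maxParts) {
            discard(parts);
            throw new ServletException("too many multipart parts: " + parts.size());
        }
        for (final Part part : parts) {
            final String submitted = part.getSubmittedFileName();
            // A missing filename is fine (plain form field); a present one must be a bare, safe name.
            if (submitted != null && !isSafeFilename(submitted)) {
                discard(parts);
                throw new ServletException("rejected client-supplied filename for part " + part.getName());
            }
        }
        return parts;
    }

    /** Accepts only a bare filename: rejects path separators, traversal components and odd characters. */
    static boolean isSafeFilename(final String name) {
        return name != null
                && SAFE_FILENAME.matcher(name).matches()
                && !name.equals(".")
                && !name.equals("..");
    }

    /** Removes the spooled files once their content has been consumed (or the request was rejected). */
    public static void discard(final Collection<Part> parts) {
        for (final Part part : parts) {
            try {
                part.delete();
            } catch (final IOException ignored) {
                // Best effort: a leftover file in the private spool dir is not exposed to other users.
            }
        }
    }
}
```

In the processor this would replace the hard-coded "/tmp" by setting `guard.multipartConfig()` as the request's multipart configuration attribute (the Jetty attribute used in the diff), then calling `validatedParts(request)` before any part content is copied into a FlowFile and `discard(parts)` afterwards.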