[AMQ-7327] Use maxFrameSize to limit HTTP content length

Jean-Baptiste Onofré 2019-11-06 11:17:34 +01:00
parent d0b0a6495e
commit 50a94cbf12
4 changed files with 79 additions and 0 deletions


@ -48,9 +48,11 @@ public class HttpTransportFactory extends TransportFactory {
Map<String, Object> jettyOptions = IntrospectionSupport.extractProperties(options, "jetty."); Map<String, Object> jettyOptions = IntrospectionSupport.extractProperties(options, "jetty.");
Map<String, Object> httpOptions = IntrospectionSupport.extractProperties(options, "http."); Map<String, Object> httpOptions = IntrospectionSupport.extractProperties(options, "http.");
Map<String, Object> transportOptions = IntrospectionSupport.extractProperties(options, "transport."); Map<String, Object> transportOptions = IntrospectionSupport.extractProperties(options, "transport.");
Map<String, Object> wireFormatOptions = IntrospectionSupport.extractProperties(options, "wireFormat.");
result.setJettyOptions(jettyOptions); result.setJettyOptions(jettyOptions);
result.setTransportOption(transportOptions); result.setTransportOption(transportOptions);
result.setHttpOptions(httpOptions); result.setHttpOptions(httpOptions);
result.setWireFormatOptions(wireFormatOptions);
return result; return result;
} catch (URISyntaxException e) { } catch (URISyntaxException e) {
throw IOExceptionSupport.create(e); throw IOExceptionSupport.create(e);


@ -18,6 +18,7 @@ package org.apache.activemq.transport.http;
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
import java.net.URI; import java.net.URI;
import java.util.HashMap;
import java.util.Map; import java.util.Map;
import org.apache.activemq.command.BrokerInfo; import org.apache.activemq.command.BrokerInfo;
@ -38,6 +39,7 @@ public class HttpTransportServer extends WebTransportServerSupport {
private TextWireFormat wireFormat; private TextWireFormat wireFormat;
private final HttpTransportFactory transportFactory; private final HttpTransportFactory transportFactory;
private Map<String, Object> wireFormatOptions = new HashMap<>();
public HttpTransportServer(URI uri, HttpTransportFactory factory) { public HttpTransportServer(URI uri, HttpTransportFactory factory) {
super(uri); super(uri);
@ -93,6 +95,7 @@ public class HttpTransportServer extends WebTransportServerSupport {
contextHandler.setAttribute("wireFormat", getWireFormat()); contextHandler.setAttribute("wireFormat", getWireFormat());
contextHandler.setAttribute("transportFactory", transportFactory); contextHandler.setAttribute("transportFactory", transportFactory);
contextHandler.setAttribute("transportOptions", transportOptions); contextHandler.setAttribute("transportOptions", transportOptions);
contextHandler.setAttribute("wireFormatOptions", wireFormatOptions);
//AMQ-6182 - disabling trace by default //AMQ-6182 - disabling trace by default
configureTraceMethod((ConstraintSecurityHandler) contextHandler.getSecurityHandler(), configureTraceMethod((ConstraintSecurityHandler) contextHandler.getSecurityHandler(),
@ -171,6 +174,10 @@ public class HttpTransportServer extends WebTransportServerSupport {
super.setTransportOption(transportOptions); super.setTransportOption(transportOptions);
} }
public void setWireFormatOptions(Map<String, Object> wireFormatOptions) {
this.wireFormatOptions = wireFormatOptions;
}
@Override @Override
public boolean isSslServer() { public boolean isSslServer() {
return false; return false;
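Review bot: `setWireFormatOptions` stores the caller's map by reference and accepts null or any `Map`, while HttpTunnelServlet casts the `wireFormatOptions` context attribute to `HashMap<String, Object>` and dereferences it on every POST. A null passed here replaces the empty default and surfaces as a NullPointerException in doPost, and a map that is not a HashMap fails the cast in init(). A defensive copy keeps that contract in one place: `this.wireFormatOptions = wireFormatOptions == null ? new HashMap<>() : new HashMap<>(wireFormatOptions);`. A one-line Javadoc saying that the `wireFormat.*` URI options land here and that, as far as these hunks show, only `maxFrameSize` is consumed would also help the next reader.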


@ -60,6 +60,7 @@ public class HttpTunnelServlet extends HttpServlet {
private ConcurrentMap<String, BlockingQueueTransport> clients = new ConcurrentHashMap<String, BlockingQueueTransport>(); private ConcurrentMap<String, BlockingQueueTransport> clients = new ConcurrentHashMap<String, BlockingQueueTransport>();
private final long requestTimeout = 30000L; private final long requestTimeout = 30000L;
private HashMap<String, Object> transportOptions; private HashMap<String, Object> transportOptions;
private HashMap<String, Object> wireFormatOptions;
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
@Override @Override
@ -74,6 +75,7 @@ public class HttpTunnelServlet extends HttpServlet {
throw new ServletException("No such attribute 'transportFactory' available in the ServletContext"); throw new ServletException("No such attribute 'transportFactory' available in the ServletContext");
} }
transportOptions = (HashMap<String, Object>)getServletContext().getAttribute("transportOptions"); transportOptions = (HashMap<String, Object>)getServletContext().getAttribute("transportOptions");
wireFormatOptions = (HashMap<String, Object>)getServletContext().getAttribute("wireFormatOptions");
wireFormat = (TextWireFormat)getServletContext().getAttribute("wireFormat"); wireFormat = (TextWireFormat)getServletContext().getAttribute("wireFormat");
if (wireFormat == null) { if (wireFormat == null) {
wireFormat = createWireFormat(); wireFormat = createWireFormat();
@ -118,6 +120,10 @@ public class HttpTunnelServlet extends HttpServlet {
@Override @Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
if (wireFormatOptions.get("maxFrameSize") != null && request.getContentLength() > Integer.parseInt(wireFormatOptions.get("maxFrameSize").toString())) {
throw new ServletException("maxFrameSize exceeded");
}
InputStream stream = request.getInputStream(); InputStream stream = request.getInputStream();
String contentType = request.getContentType(); String contentType = request.getContentType();
if (contentType != null && contentType.equals("application/x-gzip")) { if (contentType != null && contentType.equals("application/x-gzip")) {
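Review bot: The new guard at the top of doPost trusts the declared Content-Length, so it does not bound what is actually read: `request.getContentLength()` returns -1 for a chunked request or a length above Integer.MAX_VALUE, which passes the comparison, and for `application/x-gzip` it measures the compressed body while the branch just below presumably inflates it. The limit should also be enforced on the bytes consumed from the stream, counted after decompression. Separately, `wireFormatOptions` is dereferenced without a null check although init() reads it from a context attribute that may be absent, and `Integer.parseInt` runs on every request and throws NumberFormatException for a non-numeric or larger-than-int value; parsing once in init() into a long avoids both. doPost continues past the end of the hunk, so the stream-side check is only marked as a comment below, and `getContentLengthLong()` assumes a Servlet 3.1 or later API.

```java
private long maxFrameSize = Long.MAX_VALUE;

// init(): resolve the limit once; a missing attribute or option means "no limit"
wireFormatOptions = (HashMap<String, Object>)getServletContext().getAttribute("wireFormatOptions");
Object configured = wireFormatOptions == null ? null : wireFormatOptions.get("maxFrameSize");
if (configured != null) {
    try {
        maxFrameSize = Long.parseLong(configured.toString());
    } catch (NumberFormatException e) {
        throw new ServletException("Invalid wireFormat.maxFrameSize: " + configured, e);
    }
}

// doPost(): the declared length is only a first gate
if (request.getContentLengthLong() > maxFrameSize) {
    throw new ServletException("maxFrameSize exceeded");
}
// … unchanged: getInputStream() and the application/x-gzip branch …
// Still needed: count the bytes read from the (possibly inflated) stream and stop at
// maxFrameSize, because the declared length is -1 for chunked bodies and covers only
// the compressed size for gzip.
```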


@ -0,0 +1,64 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.activemq.transport.http;
import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.broker.BrokerService;
import org.apache.activemq.command.ActiveMQQueue;
import org.apache.commons.lang.StringUtils;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.MessageProducer;
import javax.jms.Session;
import javax.jms.TextMessage;
public class HttpMaxFrameSizeTest {
protected BrokerService brokerService;
@Before
public void setup() throws Exception {
brokerService = new BrokerService();
brokerService.setPersistent(false);
brokerService.setUseJmx(false);
brokerService.deleteAllMessages();
brokerService.addConnector("http://localhost:8888?wireFormat.maxFrameSize=10");
brokerService.start();
brokerService.waitUntilStarted();
}
@After
public void teardown() throws Exception {
brokerService.stop();
}
@Test(expected = JMSException.class)
public void sendTest() throws Exception {
ActiveMQConnectionFactory connectionFactory = new ActiveMQConnectionFactory("http://localhost:8888");
Connection connection = connectionFactory.createConnection();
Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
MessageProducer producer = session.createProducer(new ActiveMQQueue("test"));
String payload = StringUtils.repeat("*", 2000);
TextMessage textMessage = session.createTextMessage(payload);
producer.send(textMessage);
}
}
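Review bot: `@Test(expected = JMSException.class)` on the whole of sendTest lets the test pass when any earlier call throws, and with `wireFormat.maxFrameSize=10` the connection or session setup POSTs are likely already over the limit, so the 2000-character payload may never be what triggers the rejection. The expectation should be scoped to `producer.send`, with a limit that the setup commands fit under but the payload does not (the right value needs confirming by running it), and the connection closed in a finally block since it is currently leaked. The fixed port in `http://localhost:8888` can also collide on shared build hosts. A second case for a chunked or gzip request would cover the paths the Content-Length check does not see.

```java
@Test
public void sendTest() throws Exception {
    // … unchanged: connection factory, connection, session, producer, payload, textMessage …
    try {
        producer.send(textMessage);
        org.junit.Assert.fail("send above maxFrameSize should be rejected");
    } catch (JMSException expected) {
        // the oversized frame was refused by the broker
    } finally {
        connection.close();
    }
}
```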