feat: added filter for post request size and disabled chunked requests

* add a simple filter which prevents BSI issue #55 (Missing request size limitation leads to memory exhaustion) * cleanup * cleanup (sorry) * feat: add a filter which filters large requests and chunked reuqests * *feat: Removed HTTP method filter from PostSizeLimitFilter. PostSizeLimitFilter was changed to RequestSizeLimitFilter. Added check to deny all chunked request independently of their HTTP method. * Manually merged request size filter with master branch * feat: Added BSI's Chunked-Encoding test to test suite Co-authored-by: Maximilian Laue <65015235+mlaue-tech@users.noreply.github.com> Co-authored-by: Felix Dittrich <31076102+f11h@users.noreply.github.com> Co-authored-by: Maximilian Laue <Maximilian.Laue@t-systems.com> Co-authored-by: Felix Dittrich <felix.dittrich@t-systems.com>
covid-be-app · Jul 22, 2020 · 9faea01 · 9faea01
1 parent 8ad9b32
commit 9faea01
Show file tree

Hide file tree

Showing 6 changed files with 192 additions and 43 deletions.
diff --git a/src/main/java/app/coronawarn/verification/config/RequestSizeLimitFilter.java b/src/main/java/app/coronawarn/verification/config/RequestSizeLimitFilter.java
@@ -0,0 +1,68 @@
+/*
+ * Corona-Warn-App / cwa-verification
+ *
+ * (C) 2020, T-Systems International GmbH
+ *
+ * Deutsche Telekom AG, SAP AG and all other contributors /
+ * copyright owners license this file to you under the Apache
+ * License, Version 2.0 (the "License"); you may not use this
+ * file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package app.coronawarn.verification.config;
+
+import java.io.IOException;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import liquibase.util.StringUtils;
+import lombok.NonNull;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+/**
+ * A filter to avoid requests with a large content and chunked requests.
+ */
+@Component
+@Slf4j
+@RequiredArgsConstructor
+public class RequestSizeLimitFilter extends OncePerRequestFilter {
+
+  @NonNull
+  private final VerificationApplicationConfig verificationApplicationConfig;
+
+  @Override
+  protected void doFilterInternal(HttpServletRequest request,
+                                  HttpServletResponse response, FilterChain filterChain)
+    throws ServletException, IOException {
+    long maxPostSize = verificationApplicationConfig.getRequest().getSizelimit();
+    if (request.getContentLengthLong() > maxPostSize || isChunkedRequest(request)) {
+      log.warn("The request size is too large or the request was sent via chunks.");
+      response.setStatus(HttpStatus.NOT_ACCEPTABLE.value());
+      return;
+    }
+    filterChain.doFilter(request, response);
+  }
+
+  private boolean isChunkedRequest(HttpServletRequest request) {
+    String header = request.getHeader(HttpHeaders.TRANSFER_ENCODING);
+
+    return !StringUtils.isEmpty(header) && header.equalsIgnoreCase("chunked");
+  }
+
+}
diff --git a/src/main/java/app/coronawarn/verification/config/VerificationApplicationConfig.java b/src/main/java/app/coronawarn/verification/config/VerificationApplicationConfig.java
@@ -26,8 +26,8 @@
 import org.springframework.boot.context.properties.ConfigurationProperties;
 
 /**
- * This class and its nested subclasses are used to read in values from configuration file application.yml,
- * which is loaded via the '@EnableConfigurationProperties' annotation from SpringBootApplication main class.
+ * This class and its nested subclasses are used to read in values from configuration file application.yml, which is
+ * loaded via the '@EnableConfigurationProperties' annotation from SpringBootApplication main class.
  */
 @Getter
 @Setter
@@ -45,10 +45,10 @@ public class VerificationApplicationConfig {
   private AppSession appsession = new AppSession();
   private Entities entities = new Entities();
   private Jwt jwt = new Jwt();
+  private Request request = new Request();
 
   /**
-   * Configure the Tan with build property values and return the configured
-   * parameters.
+   * Configure the Tan with build property values and return the configured parameters.
    */
   @Getter
   @Setter
@@ -58,8 +58,7 @@ public static class Tan {
     private Valid valid = new Valid();
 
     /**
-     * Configure the Tele with build property values and return the configured
-     * parameters.
+     * Configure the Tele with build property values and return the configured parameters.
      */
     @Getter
     @Setter
@@ -69,8 +68,7 @@ public static class Tele {
       private RateLimiting rateLimiting = new RateLimiting();
 
       /**
-       * Configure the TeleValid with build property values and return the
-       * configured parameters.
+       * Configure the TeleValid with build property values and return the configured parameters.
        */
       @Getter
       @Setter
@@ -99,8 +97,7 @@ public static class RateLimiting {
     }
 
     /**
-     * Configure the Valid with build property values and return the configured
-     * parameters.
+     * Configure the Valid with build property values and return the configured parameters.
      */
     @Getter
     @Setter
@@ -112,8 +109,7 @@ public static class Valid {
   }
 
   /**
-   * Configure the AppSession with build property values and return the
-   * configured parameters.
+   * Configure the AppSession with build property values and return the configured parameters.
    */
   @Getter
   @Setter
@@ -124,8 +120,7 @@ public static class AppSession {
   }
 
   /**
-   * Configure the Entities with build property values and return the
-   * configured parameters.
+   * Configure the Entities with build property values and return the configured parameters.
    */
   @Getter
   @Setter
@@ -134,8 +129,7 @@ public static class Entities {
     private Cleanup cleanup = new Cleanup();
 
     /**
-     * Configure the Cleanup with build property values and return the
-     * configured parameters.
+     * Configure the Cleanup with build property values and return the configured parameters.
      */
     @Getter
     @Setter
@@ -147,8 +141,7 @@ public static class Cleanup {
   }
 
   /**
-   * Configure the Jwt with build property values and return the configured
-   * parameters.
+   * Configure the Jwt with build property values and return the configured parameters.
    */
   @Getter
   @Setter
@@ -157,4 +150,14 @@ public static class Jwt {
     private String server = "http://localhost:8080";
     private Boolean enabled = false;
   }
+
+  /**
+   * Configure the requests with build property values and return the configured parameters.
+   */
+  @Getter
+  @Setter
+  public static class Request {
+
+    private long sizelimit = 10000;
+  }
 }
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -14,6 +14,8 @@ spring:
       ddl-auto: validate
   liquibase:
     change-log: classpath:db/changelog.yml
+server:
+  max-post-size: 10000
 feign:
   client:
     config:
@@ -75,6 +77,8 @@ entities:
     rate: 3600000
 initialFakeDelayMilliseconds: 10
 fakeDelayMovingAverageSamples: 5
+request:
+  sizelimit: 10000
 
 cwa-testresult-server:
   url: http://localhost:8088