Open reganxt opened 3 weeks ago
Yes, Jersey tries to read the whole String when you call Response.readEntity(String.class).
It might be possible to add a property to optionally limit the size of the entity.
However, this stack trace does not seem to show the actual issue with a long header, rather the result of full memory when the entity is read (SSLSocketInputRecord.readHeader() actually reads 5 bytes). I am not sure we can prevent reading the headers by the JDK, as the headers are parsed by HttpUrlConnection#getHeaderFields().
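One way a caller can cap the entity size on its own side, as an added example that is not part of the original thread and not Jersey's own code: read the entity as a stream (with Jersey, `Response.readEntity(InputStream.class)`) and stop at a limit instead of calling `readEntity(String.class)`. `BoundedEntityReader`, `readBounded` and the 1024-byte limit are hypothetical names and values, and this bounds only the entity, not the headers parsed by the JDK.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class BoundedEntityReader {

    /** Reads at most maxBytes from the stream; throws instead of buffering more. */
    static String readBounded(InputStream in, int maxBytes) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        long total = 0; // long, so the running count cannot overflow
        int n;
        while ((n = in.read(chunk)) != -1) {
            total += n;
            if (total > maxBytes) {
                // Stop before the oversized chunk is appended to the buffer.
                throw new IOException("entity exceeds " + maxBytes + " bytes, aborting read");
            }
            buf.write(chunk, 0, n);
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        // With Jersey the stream would come from the response (assumed usage):
        //   try (InputStream in = response.readEntity(InputStream.class)) {
        //       String body = readBounded(in, 1024);
        //   }
        // Constructed sample inputs stand in for the network stream here.
        byte[] small = "{\"status\":\"ok\"}".getBytes(StandardCharsets.UTF_8);
        System.out.println(readBounded(new ByteArrayInputStream(small), 1024));

        byte[] large = new byte[64 * 1024]; // constructed oversized body
        try {
            readBounded(new ByteArrayInputStream(large), 1024);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```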
@jansupol which property should be used to limit the response header size?
We've observed an issue with Jersey 2.40+. When the Jersey client is used to access the server, if the server returns a malicious request header (containing an oversized packet), the client process will be dumped, causing a DoS attack. A malicious server adds a 1 GB packet to the response header. The payload is as follows:
When the client uses Jersey for HTTP connection, the response header is loaded to the memory. As a result, a dump occurs. The stack is as follows: