kotcrab closed 9 months ago
This is because the list of supported methods is loaded here: https://github.com/vert-x3/vertx-dropwizard-metrics/blob/4ea6d3fa6dd7bc90375fc22c9ccac6f3ff817fdd/src/main/java/io/vertx/ext/dropwizard/impl/HttpMetricsImpl.java#L54
As this is not initiated, an NPE is thrown. This is a critical bug, as a server can be rendered useless by an attacker in a few steps.
Maybe init the stat by method lazily so that this NPE cannot fire.
I was able to replicate it, but this (with your gist) will not affect the server; it won't get blocked.
It doesn't seem critical; the broken connection is your connection, i.e. only the next sender request will hang. Though I'm not sure what happens to this connection later; maybe it can lead to resource exhaustion if you send a lot of such requests.
I get this same stack trace in 4.5.1 whenever my site is scanned by CensysInspect. The cause appears different. Always happens after the following log entries:
"GET / HTTP/1.1" 200 11143 "-" "-"
"GET / HTTP/1.1" 200 11146 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
Closed by #114
Version
4.2.5
Context
Sending a request with nonstandard HTTP method to a Vert.x app with Dropwizard metrics enabled always results in an NPE. It also seems to leave the connection in a broken state.
Do you have a reproducer?
Yes, see gist. Let me know if you need the entire project, though this is just a basic project from the app generator with vertx-web and vertx-dropwizard-metrics.
Steps to reproduce
Server started
curl -X FAKE http://localhost:8080
you will see response and NPE.
Extra
Tested on Linux and macOS. JVM 11.
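The lazy-initialization idea raised in the thread, as an added Java example that is not the vertx-dropwizard-metrics code and not the change made in #114. The class `MethodMetrics`, its method list and the `OTHER` bucket are assumptions for illustration; the bucket is there because a map keyed lazily by the raw method name would let clients create an unbounded number of metric entries.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.LongAdder;

// Hypothetical stand-in for a per-method request metric; not the Vert.x class.
public class MethodMetrics {
    private static final Set<String> KNOWN = Set.of(
        "GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH");
    private static final String OTHER = "OTHER";

    private final Map<String, LongAdder> eager = new ConcurrentHashMap<>();
    private final Map<String, LongAdder> lazy = new ConcurrentHashMap<>();

    public MethodMetrics() {
        // Eager variant: one counter per known method, nothing for anything else.
        for (String m : KNOWN) eager.put(m, new LongAdder());
    }

    // Failure mode reported in the issue: the lookup returns null for "FAKE".
    public void recordEager(String method) {
        eager.get(method).increment(); // NullPointerException on an unknown method
    }

    // Hardened variant: create on first use, and fold unknown methods into one
    // bucket so client-chosen method names cannot grow the map without bound.
    public void recordLazy(String method) {
        String key = (method != null && KNOWN.contains(method)) ? method : OTHER;
        lazy.computeIfAbsent(key, k -> new LongAdder()).increment();
    }

    public long count(String key) {
        LongAdder a = lazy.get(key);
        return a == null ? 0 : a.sum();
    }

    public static void main(String[] args) {
        MethodMetrics metrics = new MethodMetrics();
        try {
            metrics.recordEager("FAKE");
        } catch (NullPointerException e) {
            System.out.println("eager map: NPE for FAKE");
        }
        // Constructed sample input: two nonstandard methods and one standard one.
        for (String m : new String[] {"FAKE", "FAKE2", "GET"}) metrics.recordLazy(m);
        System.out.println("GET=" + metrics.count("GET") + " OTHER=" + metrics.count(OTHER)
            + " keys=" + metrics.lazy.size());
    }
}
```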