CONFSERVER-29483

URL validation failed for REST call to the keyboard shortcut plugin

    • Type: Bug
    • Resolution: Tracked Elsewhere
    • Priority: Medium

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      When launching the following command to fire a REST call to the keyboard shortcut plugin, it returns an Internal Server Error due to the validation failure:

      [root@test ~]# curl -I -X GET "https://confluence.atlassian.com/rest/prototype/1/i18n?locale=%3Cscript%20src%3Dhttp%3A%2F%2Flocalhost%2Fj%20&pluginKeys=com.atlassian.confluence.keyboardshortcuts&pluginKeys=com.atlassian.plugins.editor"
      HTTP/1.1 500 Internal Server Error
      Date: Tue, 28 May 2013 07:45:22 GMT
      Server: Apache-Coyote/1.1
      Cache-Control: no-cache, must-revalidate
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      Content-Type: text/html; charset=UTF-8
      Set-Cookie: JSESSIONID=170C9ADB0247492D66B79F72E1B34A23; Path=/; HttpOnly
      Vary: Accept-Encoding
      Connection: close
      Transfer-Encoding: chunked
      


            Kevin Hughes added a comment -

            To better understand this I attacked our own dev server. I hit it at a rate of ~400 bad URLs per second using curl. The attacked server certainly survived, however the CPU utilisation maintained ~195% during the attack - I suspect this limited the attack rate. Confluence looped through the Atlassian logs in short order - all were filled with this error. During the attack the server was usable (by me) but was clearly slow and if there was any real user demand I do not believe the behaviour would be acceptable.

            I compared this to hitting the server with a simple request for a non-existent page (returning 404). This was handled with much less resource and the server continued to provide a service.

            Overall it is arguable whether the non-existent page "attack" or the "internal server" error impacted the server the most.
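As an added illustration (not part of the issue or of Atlassian's code), the Python below shows the two things a defender would want from the behaviour described in this thread: a strict up-front validator for the `locale` and `pluginKeys` query parameters, so malformed input is answered with a cheap 400 instead of reaching the error path behind the 500, and a detector that flags a source producing a burst of 500s on the i18n endpoint in access logs. The locale and plugin-key patterns, the log line format and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed syntactic forms (not Confluence's own rules): locales such as
# "en" or "en_GB", plugin keys such as com.atlassian.confluence.keyboardshortcuts.
LOCALE_RE = re.compile(r"^[a-z]{2,3}(?:_[A-Z]{2})?$")
PLUGIN_KEY_RE = re.compile(r"^[A-Za-z0-9_.-]{1,200}$")

def validate_i18n_query(url):
    """Return (ok, reason). Rejecting malformed parameters up front lets the
    server answer with a cheap 400 instead of the error path behind the 500."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for loc in qs.get("locale", []):
        if not LOCALE_RE.match(loc):
            return False, "bad locale"
    for key in qs.get("pluginKeys", []):
        if not PLUGIN_KEY_RE.match(key):
            return False, "bad pluginKeys"
    return True, "ok"

# Constructed access-log lines: <ip> <epoch-seconds> "<method> <url> HTTP/1.1" <status>
LOG_RE = re.compile(r'^(\S+) (\d+) "(\w+) (\S+) HTTP/1\.\d" (\d{3})$')
I18N_PATH = "/rest/prototype/1/i18n"
BAD_URL = I18N_PATH + "?locale=%3Cscript%20src%3Dhttp%3A%2F%2Flocalhost%2Fj%20&pluginKeys=x"
# One source sends 150 malformed requests in 30 seconds (5 per second), all answered 500.
ACCESS_LOG = [f'203.0.113.7 {1369727100 + i // 5} "GET {BAD_URL} HTTP/1.1" 500' for i in range(150)]
# A benign source makes a few valid calls and one request for a missing page.
ACCESS_LOG += [f'198.51.100.4 {1369727100 + i * 7} "GET {I18N_PATH}?locale=en_GB HTTP/1.1" 200' for i in range(4)]
ACCESS_LOG.append('198.51.100.4 1369727200 "GET /display/NOPE HTTP/1.1" 404')

def flood_sources(lines, window=60, threshold=100, path=I18N_PATH):
    """Map each source IP to its total count of 500s on `path` if it produced
    at least `threshold` of them inside any `window`-second span."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _, url, status = m.groups()
        if status == "500" and urlsplit(url).path == path:
            hits[ip].append(int(ts))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```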

            VitalyA added a comment -

            See the comments on CONF-29473 for why this is not a security issue.

            Renan Battaglin added a comment -

            Hi All,

            I've copied the ticket to the Keyboard Plugin Project at https://ecosystem.atlassian.net/browse/AKS-19. Let's keep tracking the problem there.

            Regards,
            Renan

            Kevin Hughes added a comment -

            I am not convinced this is minor, in that there is an internal error generated which clearly takes resource to process and hence may be a DoS vector.

              Assignee: Unassigned
              Reporter: yilinmo Yilin (Inactive)
              Affected customers: 1
              Watchers: 4