Crowd Data Center / CWD-1354

Crowd does not protect itself against searchPrincipals without a predicate

    • Type: Suggestion
    • Resolution: Won't Fix
    • Component: Database
    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      See https://extranet.atlassian.com/jira/browse/ADM-2735

      <?xml version="1.0"?>
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      	<soap:Body>
      		<ns1:searchPrincipals xmlns:ns1="urn:SecurityServer">
      			<!-- in0: the application's authenticated token -->
      			<ns1:in0>
      				<name xmlns="http://authentication.integration.crowd.atlassian.com">xxx</name>
      				<token xmlns="http://authentication.integration.crowd.atlassian.com">xxx</token>
      			</ns1:in0>
      			<!-- in1: the search restrictions; left empty, so no predicate is applied -->
      			<ns1:in1/>
      		</ns1:searchPrincipals>
      	</soap:Body>
      </soap:Envelope>

      Causes Crowd to return all principals, which consumes a potentially unlimited amount of heap, CPU and DB resources.


            shihab added a comment -

            We can't fix this until we can mandate database caching of LDAP servers - or only support LDAP servers that support sorted/indexable search results.

            Otherwise, we'll always be having to search for all users in the back-end anyway (for LDAP).


            David O'Flynn [Atlassian] added a comment -

            How much memory do you have?

            Fortunately, JIRA will die before you get to 100k users, so it's not a practical problem just yet.

            David Cheney (Inactive) added a comment -

            What would happen if this method was called with 225k users in the directory? http://extranet.atlassian.com/display/INTSYS/JAC+and+SAC+migration+to+be+Crowdified?focusedCommentId=1646592856#comment-1646592856

            shihab added a comment -

            This is expected behaviour and required for applications that need to "findAllPrincipals", eg. JIRA.

            Requiring all principals at any one time is a bad idea as it inherently limits scalability of that particular application. We can't really do much except state that you shouldn't ask for all principals, but if you really really need them (eg. for legacy reasons), then you can execute an empty search.

            Perhaps we could require clients that need all users to execute multiple calls for principals in batches, however, I'm not convinced this will have a significant impact on the load.

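            The two sides of this thread, the empty-predicate request in the description and the batched client calls shihab floats above, as an added example that is not part of the issue and not Crowd's own code. It parses a constructed copy of the page's SOAP envelope to detect an empty `in1`, applies an illustrative server-side guard (an unpaged empty predicate is refused, every page is capped at an assumed `MAX_PAGE`), and shows the client-side batching loop. The `SearchRestriction`/`name`/`value` layout inside `in1`, the `MAX_PAGE` value, the function names and the 2501-entry directory are all assumptions made for the example, not Crowd's WSDL or behaviour.

```python
"""Model of a guard for Crowd's SOAP searchPrincipals (illustrative, not Crowd code)."""
import fnmatch
import itertools
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:SecurityServer"   # namespace the request on this page uses
MAX_PAGE = 1000                     # assumed server-side cap on one result page

# Constructed copy of the issue's request: an empty <ns1:in1/> carries no predicate.
UNBOUNDED_REQUEST = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ns1:searchPrincipals xmlns:ns1="urn:SecurityServer">
      <ns1:in0>
        <name xmlns="http://authentication.integration.crowd.atlassian.com">xxx</name>
        <token xmlns="http://authentication.integration.crowd.atlassian.com">xxx</token>
      </ns1:in0>
      <ns1:in1/>
    </ns1:searchPrincipals>
  </soap:Body>
</soap:Envelope>
"""

# Same call with a predicate. The SearchRestriction/name/value layout inside in1
# is an assumption for this example, not taken from Crowd's WSDL.
RESTRICTED_REQUEST = UNBOUNDED_REQUEST.replace(
    "<ns1:in1/>",
    "<ns1:in1><ns1:SearchRestriction><name>principal.name</name>"
    "<value>user24*</value></ns1:SearchRestriction></ns1:in1>",
)

# Constructed directory of 2501 principals, enough to need several pages.
DIRECTORY = [
    {"principal.name": f"user{i}", "principal.email": f"user{i}@example.com"}
    for i in range(2501)
]


class UnboundedSearch(Exception):
    """Raised when a caller asks for every principal without paging."""


def parse_restrictions(envelope_xml):
    """Return the (name, pattern) restrictions carried in in1; [] when in1 is empty."""
    root = ET.fromstring(envelope_xml)
    call = root.find(f"{{{SOAP_NS}}}Body/{{{SERVICE_NS}}}searchPrincipals")
    if call is None:
        raise ValueError("not a searchPrincipals call")
    in1 = call.find(f"{{{SERVICE_NS}}}in1")
    restrictions = []
    for r in (in1 if in1 is not None else []):
        name, value = r.findtext("name"), r.findtext("value")
        if name and value is not None:
            restrictions.append((name, value))
    return restrictions


def matches(principal, restrictions):
    """Glob-match every restriction against the principal's attributes (AND semantics)."""
    return all(fnmatch.fnmatchcase(str(principal.get(n, "")), p) for n, p in restrictions)


def guarded_search(directory, restrictions, start_index=0, max_results=None):
    """Server side: refuse an unpaged empty predicate and cap every page at MAX_PAGE.

    Only one page is materialised; the rest of the directory stays lazy.
    """
    if not restrictions and max_results is None:
        raise UnboundedSearch("searchPrincipals without a predicate must be paged")
    page = MAX_PAGE if max_results is None else min(max_results, MAX_PAGE)
    hits = (p for p in directory if matches(p, restrictions))
    return list(itertools.islice(hits, start_index, start_index + page))


def handle_request(envelope_xml, directory, start_index=0, max_results=None):
    """Parse a SOAP envelope and run it through the guard."""
    return guarded_search(directory, parse_restrictions(envelope_xml), start_index, max_results)


def rejects(directory, restrictions, start_index=0, max_results=None):
    """True if the guard refuses the call (boolean form of guarded_search)."""
    try:
        guarded_search(directory, restrictions, start_index, max_results)
        return False
    except UnboundedSearch:
        return True


def fetch_all_in_batches(directory, page_size=500):
    """Client side: the batching shihab suggests, draining the directory page by page.

    Stops on an empty page rather than a short one, so a server that caps pages
    below page_size does not make the client quit early.
    """
    out, start = [], 0
    while True:
        batch = guarded_search(directory, [], start, page_size)
        if not batch:
            return out
        out.extend(batch)
        start += len(batch)


if __name__ == "__main__":
    print(len(handle_request(RESTRICTED_REQUEST, DIRECTORY)))
    print(rejects(DIRECTORY, parse_restrictions(UNBOUNDED_REQUEST)))
    print(len(fetch_all_in_batches(DIRECTORY)))
```

            The guard bounds what the service materialises and returns per call; as shihab notes, against an LDAP backend without sorted or paged search support the directory may still have to be scanned in full on the backend, so the cap protects Crowd's heap and response size rather than the LDAP server's work.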

              Assignee: Unassigned
              Reporter: dcheney David Cheney (Inactive)
              Votes: 0
              Watchers: 0