
[AMQ-9519] Remove runtime usage of commons-io

Open mattrpav opened this issue 1 year ago • 1 comments

This impacts the messages REST API only when body parameter is not used.

ref: https://activemq.apache.org/components/classic/documentation/rest

Test using:

  1. Set TMP_BODY variable to 100,001 bytes
% curl -u admin:admin -d "$TMP_BODY" -H "Content-Type: text/plain" "http://localhost:8161/api/message/TEST?type=queue"

Expected response:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 500 java.io.IOException: Message body exceeds max allowed size</title>
</head>
<body><h2>HTTP ERROR 500 java.io.IOException: Message body exceeds max allowed size</h2>
<table>
<tr><th>URI:</th><td>/api/message/TEST</td></tr>
<tr><th>STATUS:</th><td>500</td></tr>
<tr><th>MESSAGE:</th><td>java.io.IOException: Message body exceeds max allowed size</td></tr>
<tr><th>SERVLET:</th><td>MessageServlet</td></tr>
<tr><th>CAUSED BY:</th><td>java.io.IOException: Message body exceeds max allowed size</td></tr>
</table>
<h3>Caused by:</h3><pre>java.io.IOException: Message body exceeds max allowed size
	at org.apache.activemq.web.MessageServletSupport.getPostedMessageBody(MessageServletSupport.java:388)
	at org.apache.activemq.web.MessageServlet.doPost(MessageServlet.java:119)
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:520)
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:587)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:529)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:558)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1381)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1303)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:141)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:558)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:141)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at org.eclipse.jetty.server.Server.handle(Server.java:563)
	at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
	at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.produce(AdaptiveExecutionStrategy.java:193)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
	at java.base/java.lang.Thread.run(Thread.java:842)
</pre>

</body>
</html>

mattrpav, Jul 09 '24 00:07

@mattrpav I consider this a behavior change, as we don't check the stream length anymore. It's potentially a security/performance issue: we introduced the stream limit to avoid flooding the REST client with long messages. I would rather keep the same behavior, but replace commons-io with our own method to define the stream length.

jbonofre, Jul 10 '24 07:07

If we want to remove commons-io, we need to provide a private method to compute stream length as this behavior should stay.

done

mattrpav, Dec 13 '24 20:12
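
A size-bounded body read using only JDK classes, of the kind the review comments above ask for. This is an added example, not ActiveMQ's code: the class and method names are hypothetical, and the 100,000-byte limit is an assumption inferred from the 100,001-byte test step.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

public class BoundedBodyReader {
    // Assumed limit: the test step in the issue expects 100,001 bytes to be rejected.
    static final int MAX_BODY_BYTES = 100_000;

    /** Reads the whole stream, failing as soon as it would exceed maxBytes. */
    static byte[] readBounded(InputStream in, int maxBytes) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream(Math.min(maxBytes, 8192));
        byte[] buf = new byte[8192];
        int total = 0;
        int n;
        while ((n = in.read(buf)) != -1) {
            // Count the bytes actually received rather than trusting Content-Length,
            // which is absent for chunked requests and can be wrong. Checking before
            // buffering keeps heap use at or below maxBytes plus one read buffer.
            if (n > maxBytes - total) {
                throw new IOException("Message body exceeds max allowed size");
            }
            out.write(buf, 0, n);
            total += n;
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] atLimit = new byte[MAX_BODY_BYTES];       // constructed sample: exactly at the limit
        byte[] overLimit = new byte[MAX_BODY_BYTES + 1]; // constructed sample: one byte over

        int accepted = readBounded(new ByteArrayInputStream(atLimit), MAX_BODY_BYTES).length;
        System.out.println("accepted " + accepted + " bytes");

        try {
            readBounded(new ByteArrayInputStream(overLimit), MAX_BODY_BYTES);
            System.out.println("over-limit body accepted (unexpected)");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The read stops at the first buffer that would cross the limit, so an oversized or unbounded body is never fully buffered before being refused.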