NPE when nonstandard HTTP method is used in request and broken connection #107

Closed
kotcrab opened this issue Feb 21, 2022 · 5 comments · Fixed by #114
kotcrab commented Feb 21, 2022

Version

4.2.5

Context

Sending a request with a nonstandard HTTP method to a Vert.x app with Dropwizard metrics enabled always results in an NPE. It also seems to leave the connection in a broken state.

Do you have a reproducer?

Yes, see gist. Let me know if you need the entire project, though this is just a basic project from the app generator with vertx-web and vertx-dropwizard-metrics.

Steps to reproduce

  1. Run app, you should see Server started
  2. Run command curl -X FAKE http://localhost:8080 you will see response and NPE.

     SEVERE: Unhandled exception in router
     java.lang.NullPointerException
     	at io.vertx.ext.dropwizard.impl.HttpMetricsImpl.end(HttpMetricsImpl.java:102)
     	at io.vertx.ext.dropwizard.impl.HttpServerMetricsImpl.responseEnd(HttpServerMetricsImpl.java:60)
             ...

  3. This seems to leave the connection in a broken state. If you try to send any subsequent request using the same connection it will hang indefinitely.

     curl -X FAKE --max-time 10 http://localhost:8080 http://localhost:8080
     Hello World from Vert.x-Web!
     curl: (28) Operation timed out after 10001 milliseconds with 0 bytes received

Extra

Tested on Linux and macOS. JVM 11.

@kotcrab kotcrab added the bug label Feb 21, 2022
@pendula95
Member

This is because the list of supported methods is loaded here

methodRequests.put(method, throughputTimer(method.toString().toLowerCase() + "-requests"));

As this is not initiated, an NPE is thrown. This is a critical bug, as a server can be rendered useless by an attacker in a few steps.

Maybe init the stat by method lazily so that this NPE cannot fire.

pendula95 commented Feb 21, 2022

I was able to replicate, but this (with your gist) will not affect the server; it won't get blocked.

kotcrab commented Feb 21, 2022

It doesn't seem critical, the broken connection is your connection i.e. only the next sender request will hang. Though I'm not sure what happens to this connection later, maybe it can lead to resource exhaustion if you send a lot of such requests.

@mochaman

I get this same stack trace in 4.5.1 whenever my site is scanned by CensysInspect. The cause appears different. Always happens after the following log entries:
"GET / HTTP/1.1" 200 11143 "-" "-"
"GET / HTTP/1.1" 200 11146 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"

tsegismont added a commit to tsegismont/vertx-dropwizard-metrics that referenced this issue Jan 19, 2024
Fixes vert-x3#107

If the HTTP method is not standard, skip specific method / uri request metrics.

Signed-off-by: Thomas Segismont <tsegismo@redhat.com>
@tsegismont tsegismont self-assigned this Jan 19, 2024
@tsegismont tsegismont added this to the 4.5.2 milestone Jan 19, 2024
tsegismont added a commit to tsegismont/vertx-dropwizard-metrics that referenced this issue Jan 19, 2024
See vert-x3#107

If the HTTP method is not standard, skip specific method / uri request metrics.

Signed-off-by: Thomas Segismont <tsegismo@redhat.com>
@tsegismont tsegismont linked a pull request Jan 19, 2024 that will close this issue
tsegismont added a commit that referenced this issue Jan 20, 2024
See #107

If the HTTP method is not standard, skip specific method / uri request metrics.

Signed-off-by: Thomas Segismont <tsegismo@redhat.com>
tsegismont added a commit that referenced this issue Jan 20, 2024
Fixes #107

If the HTTP method is not standard, skip specific method / uri request metrics.

Signed-off-by: Thomas Segismont <tsegismo@redhat.com>
@tsegismont
Contributor

Closed by #114
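
The failure mode discussed in this thread, next to the approach the commit message describes (skip per-method metrics when the HTTP method is not standard), as an added example that is not the project's code. The class, field and method names are hypothetical, the method list is constructed, and `LongAdder` stands in for the metrics library's timer.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.LongAdder;

public class MethodMetricsDemo {
  // Constructed stand-in for the set of standard methods (assumption, not the project's list).
  static final List<String> STANDARD =
      List.of("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH");

  // Per-method counters are created eagerly, for standard methods only.
  static final Map<String, LongAdder> methodRequests = new HashMap<>();
  static final LongAdder allRequests = new LongAdder();

  static {
    for (String m : STANDARD) {
      methodRequests.put(m, new LongAdder());
    }
  }

  // Before: assumes every method seen on the wire has an entry in the map.
  static void endUnchecked(String method) {
    allRequests.increment();
    methodRequests.get(method).increment(); // get() returns null for "FAKE", so this throws
  }

  // After: the aggregate counter is always updated; the per-method metric is
  // skipped when the method is unknown. The map is never keyed on a
  // client-supplied string, so its size stays fixed.
  static void endChecked(String method) {
    allRequests.increment();
    LongAdder perMethod = methodRequests.get(method);
    if (perMethod != null) {
      perMethod.increment();
    }
  }

  public static void main(String[] args) {
    for (String m : new String[] {"GET", "FAKE", "GET"}) {
      endChecked(m);
    }
    System.out.println("checked: all=" + allRequests.sum()
        + " GET=" + methodRequests.get("GET").sum());
    try {
      endUnchecked("FAKE");
    } catch (NullPointerException e) {
      System.out.println("unchecked: NullPointerException on nonstandard method");
    }
  }
}
```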
