DDoS Spring 5 RouterFunction apps [SPR-15560]

[spring-projects-issues]

Maksim Kostromin opened SPR-15560 and commented

to reproduce bug, run this service

in a console send curl request:
curl localhost:3000//

or use httpie:
http :3000//

terminal should hangs and fails after timeout
http: error: Request timed out (30s).

I didn't investigate if connections will be opened while all such requests will waiting for theirs timeouts. If so, attackers can easily DDoS these kind of spring 5 apps by sending 65k requests for 30 seconds

posible fix
previous discussion
parent issue

---

Affects: 5.0 RC1

Reference URL: https://github.com/daggerok/functional-spring/blob/master/reactive-service/src/main/java/daggerok/ReactiveServiceApplication.java

Issue Links:

• WebFlux handles requests with an illegal Host header inconsistently [SPR-16778] #21318 WebFlux handles requests with an illegal Host header inconsistently
• Replace many following slashes of client URI with single slash. [SPR-15529] #20088 Replace many following slashes of client URI with single slash. ("supersedes")

Referenced from: commits 11075f1

[spring-projects-issues]

Rossen Stoyanchev commented

Much appreciated, thanks!

[spring-projects-issues]

Rossen Stoyanchev commented

Turns out java.net.URI does not mind multiple slashes after all and I misread the spec where "segment" is defined as any number of chars. So http://localhost:3000// is okay but it fails on Netty because we parse the path ("//") independently as a URI and it's rejected because it looks like invalid schema. By contrast http://localhost:3000/foo// works fine.

In addition Reactor Netty does not handle error signals as 500 errors well and hangs instead. I've created a ticket for that but meanwhile also improved the way the URI is parsed so we don't run into this issue and also tightened UriSyntaxException handling so it would be treated as a 400 error if it did occur.

[spring-projects-issues]

Maksim Kostromin commented

thanks