1 min | Cumulative upload problem | Team | - Regarding file upload size issues (see FOLIO-3317, Spike: investigate possible file upload vulnerability, status OPEN), let's brainstorm ideas for mitigating the cumulative upload problem, not just the large-file upload size problem.
- Some APIs are more vulnerable to this than others, such as those not protected by permissions, e.g. mod-login, edge APIs, etc.
- Axel provided some background/context. We still need to give this some thought and possibly suggest a solution.
- Use case 1: Some script unintentionally sends endless data to some API. This is caught by a maximum upload size.
- Use case 2: Denial of service. Difficult to address in Okapi. Might be better handled in other tools, like nginx or firewalls, that can limit requests. A denial-of-service attack is unlikely to have a valid login / access token.
- TODO for use case 2: Only add documentation that implementers should use an external firewall (or external nginx) to limit requests.
- Some investigation is required, let's capture this in a spike (JIRA).
- Axel Dörrer to help define this. Started, not finished yet.
- We can review together and find someone to work on this... maybe have a champion on this team work with someone in the SysOps SIG/community.
- Created FOLIO-3615. Chris Rutledge and Axel Dörrer to look at it and ask SysOps folks to chime in.
- Let's create a wiki page to capture ideas/feedback - Axel Dörrer → done
- Raised at the SysOps meeting
- A small working group was formed, but has not yet met.
- Group is meeting on Fridays... See link above for meeting notes, etc.
- Will be creating a test env. to aid in the investigation
- A similar issue was discovered in folio-vertx-lib... linked the issue to FOLIO-3317.
- Wrapping up definition of test cases.
- Essentially on pause until next year.
- Today: No progress yet. Will meet tomorrow.
|
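As an added illustration of the use case 2 recommendation above (external nginx limiting requests in front of Okapi), not configuration from the FOLIO project: a single-request body cap addresses use case 1, while per-client rate and connection limits bound the cumulative volume one client can push, with tighter limits on an endpoint that needs no token. It assumes Okapi listens on 127.0.0.1:9130 and that the unauthenticated login path is /authn/login; both are assumptions, and the thresholds are placeholders.

```nginx
# Added example, not FOLIO project configuration. Assumed: Okapi on 127.0.0.1:9130,
# unauthenticated login endpoint at /authn/login. Thresholds are illustrative.
events {}

http {
    # Shared-memory zones keyed by client IP: one for request rate, one for open connections.
    limit_req_zone  $binary_remote_addr zone=per_ip_req:10m  rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;

    server {
        listen 443 ssl;
        # ssl_certificate / ssl_certificate_key omitted for brevity

        # Use case 1: cap a single request body (nginx answers 413 when exceeded).
        client_max_body_size 10m;
        # Do not let a slow sender hold a body upload open indefinitely.
        client_body_timeout 10s;

        # Use case 2 (cumulative upload): bound requests per second and concurrent
        # connections per client IP, which bounds the bytes one client can send per unit time.
        limit_req  zone=per_ip_req burst=20 nodelay;
        limit_conn per_ip_conn 20;
        limit_req_status  429;
        limit_conn_status 429;

        # Stricter limits where no permission/token protects the endpoint, e.g. login.
        location /authn/login {
            client_max_body_size 4k;
            limit_req zone=per_ip_req burst=5 nodelay;
            proxy_pass http://127.0.0.1:9130;
        }

        location / {
            proxy_pass http://127.0.0.1:9130;
        }
    }
}
```

Legitimate bulk uploads may need a larger body cap on their own location block rather than a higher global value.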