SWC-6754 - Do not cache version check #5614
Conversation
- Also add log to report instances where the servlet is not configured with a repo endpoint
|
|
||
| logger.warning( | ||
| "No configuration found for " + | ||
| REPO_ENDPOINT_KEY + | ||
| ", so servlet request will defer to the host header. Host: " + | ||
| host + | ||
| ", endpointPrefix: " + | ||
| endpointPrefix | ||
| ); |
There was a problem hiding this comment.
IMO the main problem is that our servlet may use the request header to pick a backend endpoint instead of a configuration parameter, if the configuration parameter is not present. The servlet may cache a response that depends on a header that could vary (or be spoofed!) by different users.
WDYT about opening a follow-up ticket to make the org.sagebionetworks.repositoryservice.endpoint (REPO_ENDPOINT_KEY) required?
There was a problem hiding this comment.
Follow-up ticket to make this mandatory seems reasonable
| @@ -35,11 +31,14 @@ public class VersionsServlet extends HttpServlet { | |||
| VersionsServlet.perThreadRequest.get() | |||
| ); | |||
|
|
|||
| private final Supplier<SynapseVersionInfo> synapseVersionCache = | |||
| Suppliers.memoizeWithExpiration(versionSupplier(), 5, TimeUnit.MINUTES); | |||
There was a problem hiding this comment.
I think this was added because John identified the web client as performing a DOS attack with version checks. Would expiring this cache every 10 seconds be sufficient?
SWC-6754