server: allow to configure maxHeaderSize

- fix #3721
- fix #3724

Author: jknack

jooby/src/main/java/io/jooby/ServerOptions.java

@@ -106,6 +106,9 @@ public class ServerOptions {
    */
   private int maxRequestSize = _10MB;
 
+  /** The maximum size in bytes of a http request header. Default is <code>8kb</code> */
+  private int maxHeaderSize = _8KB;
+
   private String host = LOCAL_HOST;
 
   private SslOptions ssl;
@@ -447,6 +450,34 @@ public int getMaxRequestSize() {
     return this;
   }
 
+  /**
+   * The maximum size in bytes of an http request header. Exceeding the size generates a different
+   * response across server implementations.
+   *
+   * <ul>
+   *   <li>Jetty: generates a 431 error message
+   *   <li>Netty: the header is dropped/ignored, but don't fail
+   *   <li>Undertow: generates an empty 400 response, and the connection is closed.
+   * </ul>
+   *
+   * @return The maximum size in bytes of an http request header.
+   */
+  public int getMaxHeaderSize() {
+    return maxHeaderSize;
+  }
+
+  /**
+   * Set the maximum size in bytes of an http request header.
+   *
+   * @param maxHeaderSize The maximum size in bytes of an http request header. Default is <code>8kb
+   *     </code>.
+   * @return The maximum size in bytes of an http request header. Default is <code>8kb</code>.
+   */
+  public @NonNull ServerOptions setMaxHeaderSize(int maxHeaderSize) {
+    this.maxHeaderSize = maxHeaderSize;
+    return this;
+  }
+
   /**
    * Server host, defaults is <code>0.0.0.0</code>.
    *

modules/jooby-jetty/src/main/java/io/jooby/jetty/JettyServer.java

@@ -127,6 +127,7 @@ public io.jooby.Server start(@NonNull Jooby... application) {
       httpConf.setSendXPoweredBy(false);
       httpConf.setSendDateHeader(options.getDefaultHeaders());
       httpConf.setSendServerVersion(false);
+      httpConf.setRequestHeaderSize(options.getMaxHeaderSize());
 
       if (httpConfigurer != null) {
         httpConfigurer.accept(httpConf);

modules/jooby-netty/src/main/java/io/jooby/netty/NettyServer.java

@@ -6,7 +6,6 @@
 package io.jooby.netty;
 
 import static io.jooby.ServerOptions._4KB;
-import static io.jooby.ServerOptions._8KB;
 import static java.util.concurrent.Executors.newFixedThreadPool;
 
 import java.net.BindException;
@@ -204,7 +203,7 @@ private NettyPipeline newPipeline(
     var decoderConfig =
         new HttpDecoderConfig()
             .setMaxInitialLineLength(_4KB)
-            .setMaxHeaderSize(_8KB)
+            .setMaxHeaderSize(options.getMaxHeaderSize())
             .setMaxChunkSize(bufferSize)
             .setHeadersFactory(headersFactory)
             .setTrailersFactory(headersFactory);

modules/jooby-undertow/src/main/java/io/jooby/undertow/UndertowServer.java

@@ -122,6 +122,7 @@ public String getName() {
               /** Server: */
               // HTTP/1.1 is keep-alive by default, turn this option off
               .setServerOption(UndertowOptions.ALWAYS_SET_KEEP_ALIVE, false)
+              .setServerOption(UndertowOptions.MAX_HEADER_SIZE, options.getMaxHeaderSize())
               .setServerOption(UndertowOptions.ALLOW_EQUALS_IN_COOKIE_VALUE, true)
               .setServerOption(UndertowOptions.ALWAYS_SET_DATE, options.getDefaultHeaders())
               .setServerOption(UndertowOptions.RECORD_REQUEST_START_TIME, false)

tests/src/test/java/io/jooby/i3721/Issue3721.java

@@ -0,0 +1,68 @@
+/*
+ * Jooby https://jooby.io
+ * Apache License Version 2.0 https://jooby.io/LICENSE.txt
+ * Copyright 2014 Edgar Espina
+ */
+package io.jooby.i3721;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.util.Set;
+
+import io.jooby.ServerOptions;
+import io.jooby.junit.ServerTest;
+import io.jooby.junit.ServerTestRunner;
+
+public class Issue3721 {
+
+  @ServerTest
+  public void shouldAllowToSetMaxHeaderSize(ServerTestRunner runner) {
+    runner
+        .define(
+            app -> {
+              app.setServerOptions(new ServerOptions().setMaxHeaderSize(ServerOptions._16KB));
+              app.get(
+                  "/3721",
+                  ctx -> {
+                    return ctx.header("large").value();
+                  });
+            })
+        .ready(
+            http -> {
+              var large = ".".repeat(ServerOptions._8KB + ServerOptions._4KB);
+              http.header("large", large);
+              http.get(
+                  "/3721",
+                  rsp -> {
+                    var result = rsp.body().string();
+                    assertEquals(large, result);
+                    assertEquals(ServerOptions._8KB + ServerOptions._4KB, result.length());
+                  });
+            });
+  }
+
+  @ServerTest
+  public void shouldCheckErrorOnLargeHeaderSize(ServerTestRunner runner) {
+    runner
+        .define(
+            app -> {
+              app.setServerOptions(new ServerOptions().setMaxHeaderSize(ServerOptions._4KB));
+              app.get(
+                  "/3721",
+                  ctx -> {
+                    return ctx.header("large").value();
+                  });
+            })
+        .ready(
+            http -> {
+              var large = ".".repeat(ServerOptions._8KB);
+              http.header("large", large);
+              http.get(
+                  "/3721",
+                  rsp -> {
+                    assertTrue(Set.of(400, 431).contains(rsp.code()));
+                  });
+            });
+  }
+}