Add option for setting max query params

Relates to: quarkusio/quarkus#47431

Author: geoand

vertx-core/src/main/generated/io/vertx/core/http/HttpServerOptionsConverter.java

@@ -87,6 +87,11 @@ static void fromJson(Iterable<java.util.Map.Entry<String, Object>> json, HttpSer
             obj.setMaxFormBufferedBytes(((Number)member.getValue()).intValue());
           }
           break;
+        case "maxQueryParams":
+          if (member.getValue() instanceof Number) {
+            obj.setMaxQueryParams(((Number)member.getValue()).intValue());
+          }
+          break;
         case "initialSettings":
           if (member.getValue() instanceof JsonObject) {
             obj.setInitialSettings(new io.vertx.core.http.Http2Settings((io.vertx.core.json.JsonObject)member.getValue()));
@@ -214,6 +219,7 @@ static void toJson(HttpServerOptions obj, java.util.Map<String, Object> json) {
     json.put("maxFormAttributeSize", obj.getMaxFormAttributeSize());
     json.put("maxFormFields", obj.getMaxFormFields());
     json.put("maxFormBufferedBytes", obj.getMaxFormBufferedBytes());
+    json.put("maxQueryParams", obj.getMaxQueryParams());
     if (obj.getInitialSettings() != null) {
       json.put("initialSettings", obj.getInitialSettings().toJson());
     }

vertx-core/src/main/java/io/vertx/core/http/HttpServerOptions.java

@@ -104,6 +104,11 @@ public class HttpServerOptions extends NetServerOptions {
    */
   public static final int DEFAULT_MAX_FORM_BUFFERED_SIZE = 1024;
 
+  /**
+   * Default max number of query params = 1024
+   */
+  public static final int DEFAULT_MAX_QUERY_PARAMS = 1024;
+
   /**
    * Default value of whether 100-Continue should be handled automatically = {@code false}
    */
@@ -222,6 +227,7 @@ public class HttpServerOptions extends NetServerOptions {
   private int maxFormAttributeSize;
   private int maxFormFields;
   private int maxFormBufferedBytes;
+  private int maxQueryParams;
   private Http2Settings initialSettings;
   private boolean http2ClearTextEnabled;
   private int http2ConnectionWindowSize;
@@ -271,6 +277,7 @@ public HttpServerOptions(HttpServerOptions other) {
     this.maxFormAttributeSize = other.getMaxFormAttributeSize();
     this.maxFormFields = other.getMaxFormFields();
     this.maxFormBufferedBytes = other.getMaxFormBufferedBytes();
+    this.maxQueryParams = other.getMaxQueryParams();
     this.initialSettings = other.initialSettings != null ? new Http2Settings(other.initialSettings) : null;
     this.http2ClearTextEnabled = other.http2ClearTextEnabled;
     this.http2ConnectionWindowSize = other.http2ConnectionWindowSize;
@@ -328,6 +335,7 @@ private void init() {
     maxFormAttributeSize = DEFAULT_MAX_FORM_ATTRIBUTE_SIZE;
     maxFormFields = DEFAULT_MAX_FORM_FIELDS;
     maxFormBufferedBytes = DEFAULT_MAX_FORM_BUFFERED_SIZE;
+    maxQueryParams = DEFAULT_MAX_QUERY_PARAMS;
     initialSettings = new Http2Settings().setMaxConcurrentStreams(DEFAULT_INITIAL_SETTINGS_MAX_CONCURRENT_STREAMS);
     http2ClearTextEnabled = DEFAULT_HTTP2_CLEAR_TEXT_ENABLED;
     http2ConnectionWindowSize = DEFAULT_HTTP2_CONNECTION_WINDOW_SIZE;
@@ -887,6 +895,24 @@ public HttpServerOptions setMaxFormBufferedBytes(int maxFormBufferedBytes) {
     return this;
   }
 
+  /**
+   * @return Returns the maximum number of query params
+   */
+  public int getMaxQueryParams() {
+    return maxQueryParams;
+  }
+
+  /**
+   * Set the maximum number of query params
+   *
+   * @param maxQueryParams the new maximum
+   * @return a reference to this, so the API can be used fluently
+   */
+  public HttpServerOptions setMaxQueryParams(int maxQueryParams) {
+    this.maxQueryParams = maxQueryParams;
+    return this;
+  }
+
   /**
    * @return the initial HTTP/2 connection settings
    */

vertx-core/src/main/java/io/vertx/core/http/impl/HttpServerConnectionHandler.java

@@ -103,7 +103,7 @@ public void handle(HttpServerConnection conn) {
         HttpServerOptions options = server.options;
         HttpServerRequestImpl request = new HttpServerRequestImpl(requestHandler, stream, stream.context(),
           options.isHandle100ContinueAutomatically(), options.getMaxFormAttributeSize(), options.getMaxFormFields(),
-          options.getMaxFormBufferedBytes(), serverOrigin);
+          options.getMaxFormBufferedBytes(), options.getMaxQueryParams(), serverOrigin);
         request.init();
       });
     }

vertx-core/src/main/java/io/vertx/core/http/impl/HttpServerRequestImpl.java

@@ -52,6 +52,7 @@ public class HttpServerRequestImpl extends HttpServerRequestInternal {
   private final int maxFormAttributeSize;
   private final int maxFormFields;
   private final int maxFormBufferedBytes;
+  private final int maxQueryParams;
   private final Handler<HttpServerRequest> handler;
 
   // Accessed on context thread
@@ -79,6 +80,7 @@ public HttpServerRequestImpl(Handler<HttpServerRequest> handler,
                                int maxFormAttributeSize,
                                int maxFormFields,
                                int maxFormBufferedBytes,
+                               int maxQueryParams,
                                String serverOrigin) {
     this.handler = handler;
     this.context = context;
@@ -89,6 +91,7 @@ public HttpServerRequestImpl(Handler<HttpServerRequest> handler,
     this.handle100ContinueAutomatically = handle100ContinueAutomatically;
     this.maxFormAttributeSize = maxFormAttributeSize;
     this.maxFormFields = maxFormFields;
+    this.maxQueryParams = maxQueryParams;
     this.maxFormBufferedBytes = maxFormBufferedBytes;
   }
 
@@ -397,7 +400,7 @@ public String getParamsCharset() {
   public MultiMap params(boolean semicolonIsNormalChar) {
     synchronized (connection) {
       if (params == null || semicolonIsNormalChar != semicolonIsNormalCharInParams) {
-        params = HttpUtils.params(uri(), paramsCharset, semicolonIsNormalChar);
+        params = HttpUtils.params(uri(), paramsCharset, maxQueryParams, semicolonIsNormalChar);
         semicolonIsNormalCharInParams = semicolonIsNormalChar;
       }
       return params;

vertx-core/src/main/java/io/vertx/core/http/impl/HttpUtils.java

@@ -343,7 +343,11 @@ public static String absoluteURI(String serverOrigin, HttpServerRequest req) {
   }
 
   public static MultiMap params(String uri, Charset charset, boolean semicolonIsNormalChar) {
-    QueryStringDecoder queryStringDecoder = new QueryStringDecoder(uri, charset, true, 1024, semicolonIsNormalChar);
+    return params(uri, charset, 1024, semicolonIsNormalChar);
+  }
+
+  public static MultiMap params(String uri, Charset charset, int maxParams, boolean semicolonIsNormalChar) {
+    QueryStringDecoder queryStringDecoder = new QueryStringDecoder(uri, charset, true, maxParams, semicolonIsNormalChar);
     Map<String, List<String>> prms = queryStringDecoder.parameters();
     MultiMap params = MultiMap.caseInsensitiveMultiMap();
     if (!prms.isEmpty()) {

vertx-core/src/main/java/io/vertx/core/http/impl/http1x/Http1xServerRequest.java

@@ -337,7 +337,7 @@ public String getParamsCharset() {
   @Override
   public MultiMap params(boolean semicolonIsNormalChar) {
     if (params == null || semicolonIsNormalChar != semicolonIsNormalCharInParams) {
-      params = HttpUtils.params(uri(), paramsCharset, semicolonIsNormalChar);
+      params = HttpUtils.params(uri(), paramsCharset, this.conn.options.getMaxQueryParams(), semicolonIsNormalChar);
       semicolonIsNormalCharInParams = semicolonIsNormalChar;
     }
     return params;

vertx-core/src/test/java/io/vertx/tests/http/Http1xTest.java

@@ -52,7 +52,6 @@
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.*;
-import java.util.stream.Collector;
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 import java.util.stream.Stream;
@@ -411,6 +410,9 @@ public void testServerOptions() {
     assertEquals(256, options.getDecoderInitialBufferSize());
     assertIllegalArgumentException(() -> options.setDecoderInitialBufferSize(-1));
 
+    assertEquals(HttpServerOptions.DEFAULT_MAX_QUERY_PARAMS, options.getMaxQueryParams());
+    assertEquals(options, options.setMaxQueryParams(1025));
+    assertEquals(1025, options.getMaxQueryParams());
   }
 
   @Test
@@ -772,6 +774,7 @@ public void testCopyServerOptions() {
     boolean decompressionSupported = rand.nextBoolean();
     boolean acceptUnmaskedFrames = rand.nextBoolean();
     int decoderInitialBufferSize = TestUtils.randomPositiveInt();
+    int maxQueryParams = TestUtils.randomPositiveInt();
 
     options.setSendBufferSize(sendBufferSize);
     options.setReceiveBufferSize(receiverBufferSize);
@@ -803,6 +806,7 @@ public void testCopyServerOptions() {
     options.setDecompressionSupported(decompressionSupported);
     options.setAcceptUnmaskedFrames(acceptUnmaskedFrames);
     options.setDecoderInitialBufferSize(decoderInitialBufferSize);
+    options.setMaxQueryParams(maxQueryParams);
 
     HttpServerOptions copy = new HttpServerOptions(options);
     checkCopyHttpServerOptions(options, copy);
@@ -906,6 +910,7 @@ public void testServerOptionsJson() {
     boolean decompressionSupported = TestUtils.randomBoolean();
     boolean acceptUnmaskedFrames = TestUtils.randomBoolean();
     int decoderInitialBufferSize = TestUtils.randomPositiveInt();
+    int maxQueryParams = TestUtils.randomPositiveInt();
 
     JsonObject json = new JsonObject();
     json.put("sendBufferSize", sendBufferSize)
@@ -946,7 +951,8 @@ public void testServerOptionsJson() {
       .put("openSslSessionCacheEnabled", openSslSessionCacheEnabled)
       .put("decompressionSupported", decompressionSupported)
       .put("acceptUnmaskedFrames", acceptUnmaskedFrames)
-      .put("decoderInitialBufferSize", decoderInitialBufferSize);
+      .put("decoderInitialBufferSize", decoderInitialBufferSize)
+      .put("maxQueryParams", maxQueryParams);
 
     HttpServerOptions options = new HttpServerOptions(json);
     assertEquals(sendBufferSize, options.getSendBufferSize());
@@ -996,6 +1002,7 @@ public void testServerOptionsJson() {
     assertEquals(decompressionSupported, options.isDecompressionSupported());
     assertEquals(acceptUnmaskedFrames, options.isAcceptUnmaskedFrames());
     assertEquals(decoderInitialBufferSize, options.getDecoderInitialBufferSize());
+    assertEquals(maxQueryParams, options.getMaxQueryParams());
 
     // Test other keystore/truststore types
     json.remove("keyStoreOptions");

vertx-core/src/test/java/io/vertx/tests/http/HttpTest.java

@@ -2346,6 +2346,48 @@ public void test1xxRemovesTransferEncodingHeader() throws Exception {
     assertNull(respHeaders.get("transfer-encoding"));
   }
 
+  @Test
+  public void testMaxQueryParams() {
+    testMaxQueryParams(HttpServerOptions.DEFAULT_MAX_QUERY_PARAMS);
+  }
+
+  @Test
+  public void testMaxQueryParamsOption() {
+    testMaxQueryParams(HttpServerOptions.DEFAULT_MAX_QUERY_PARAMS * 2);
+  }
+
+  private void testMaxQueryParams(Integer maxQueryParams) {
+    MultiMap params = TestUtils.randomMultiMap(HttpServerOptions.DEFAULT_MAX_QUERY_PARAMS + 10);
+    String query = generateQueryString(params, ';');
+
+    vertx.createHttpServer(new HttpServerOptions().setMaxQueryParams(maxQueryParams).setMaxInitialLineLength(Integer.MAX_VALUE))
+      .requestHandler(req -> {
+        assertEquals(query, req.query());
+        if (maxQueryParams > HttpServerOptions.DEFAULT_MAX_QUERY_PARAMS) {
+          assertEquals(params.size(), req.params().size());
+        } else {
+          assertEquals(HttpServerOptions.DEFAULT_MAX_QUERY_PARAMS, req.params().size());
+          req.response().setStatusCode(414);
+        }
+        req.response().end();
+      }).listen(testAddress).onComplete(onSuccess(res -> {
+        client.close();
+        client = vertx.createHttpClient(new HttpClientOptions());
+        client
+          .request(new RequestOptions(requestOptions).setURI("some-uri/?" + query))
+          .compose(req -> req.send().compose(resp -> {
+            if (maxQueryParams > HttpServerOptions.DEFAULT_MAX_QUERY_PARAMS) {
+              assertEquals(200, resp.statusCode());
+            } else {
+              assertEquals(414, resp.statusCode());
+            }
+            return resp.end();
+          }))
+          .onComplete(onSuccess(v -> testComplete()));
+      }));
+    await();
+  }
+
   protected MultiMap checkEmptyHttpResponse(HttpMethod method, int sc, MultiMap reqHeaders) throws Exception {
     server.requestHandler(req -> {
       HttpServerResponse resp = req.response();