fix(api): hide jetty internals in oversized request 413 response#6843
Merged: kuny0707 merged 1 commit, Jun 16, 2026
The default Jetty ErrorHandler renders the 413 thrown by SizeLimitHandler into an HTML page exposing the full exception stack, Jetty version and the internal request size. Add a private OversizedRequestErrorHandler that logs the detail server-side and returns the short bad-message page for 413 only; other errors keep Jetty's default handling. Tests assert the 413 body renders the short bad-message page and leaks no Jetty stack/class/size, and that other 4xx (malformed Content-Length 400, oversized URI 414) stay on Jetty's default path.
0xbigapple reviewed, Jun 16, 2026
halibobo1205 approved these changes, Jun 16, 2026
0xbigapple approved these changes, Jun 16, 2026
What does this PR do?
Installs a custom Jetty ErrorHandler (private OversizedRequestErrorHandler in HttpService) so that for an oversized request — the 413 thrown by SizeLimitHandler during dispatch — the node logs the detail server-side and returns the short, uniform bad-message page. Previously the default Jetty error page exposed the full exception stack, the Jetty version and the internal request size in the 413 response body. The handler special-cases 413 only; all other errors fall through to super (Jetty's default handling).

Why are these changes required?
The 413 response body leaked Jetty internals (CWE-209 information disclosure / server fingerprinting): exact Jetty version, internal class names and line numbers, thread-pool internals, the JDK build, and the rejected request size, e.g.:

Only the 413 path is affected, because SizeLimitHandler throws during dispatch (Server.handle) and is rendered via ErrorHandler.handle() -> writeErrorPageStacks. Parser-stage errors (400/414/431) already render via badMessageError() without a stack, so they are intentionally left untouched.

This PR has been tested by:
SizeLimitHandlerTest#testHttpBodyExceedsLimit: 413 body renders the short bad-message page and leaks no Jetty stack / class / size.
SizeLimitHandlerTest#testBadContentLengthReturnsDefault400, testOversizedUriReturnsDefault414: other 4xx stay on Jetty's default path (not rerouted through the 413 branch).
curl with an oversized body returns 413 with the short page; the response no longer contains the exception stack, class name or internal size.

Follow up

Extra details
Jetty 9.4.58. The fix lives in the base class HttpService#initServer() so it applies to every HTTP service (FullNode HTTP, Solidity, PBFT, JSON-RPC). The reason returned to the client is the generic HttpStatus.getMessage(413) ("Payload Too Large"); the full detail (including the rejected size) is kept only in the server log.
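The pattern the PR describes, a Jetty 9.4 ErrorHandler that special-cases 413 and defers everything else to super, written out as an added example; this is not the PR's own code, and the SLF4J logger, the install() helper and the exact wording of the short page are assumptions.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Keeps the SizeLimitHandler exception (stack, Jetty version, size) out of the 413 body. */
public class OversizedRequestErrorHandler extends ErrorHandler {
  private static final int PAYLOAD_TOO_LARGE = 413;
  // Assumed logger; the project may use its own logging setup.
  private static final Logger log = LoggerFactory.getLogger(OversizedRequestErrorHandler.class);

  @Override
  public void handle(String target, Request baseRequest, HttpServletRequest request,
      HttpServletResponse response) throws IOException {
    if (response.getStatus() != PAYLOAD_TOO_LARGE) {
      // 400/414/431 and any 5xx keep Jetty's default rendering, exactly as before.
      super.handle(target, baseRequest, request, response);
      return;
    }
    // The dispatch-stage exception carries the rejected size; it goes to the server log only.
    Throwable cause = (Throwable) request.getAttribute(RequestDispatcher.ERROR_EXCEPTION);
    log.warn("Rejected oversized request from {} for {}: {}", request.getRemoteAddr(),
        request.getRequestURI(), cause == null ? "no detail" : cause.toString());

    // Short, uniform page: status plus the generic reason, no request-derived data echoed back.
    String reason = HttpStatus.getMessage(PAYLOAD_TOO_LARGE);
    baseRequest.setHandled(true);
    response.setHeader("Cache-Control", "must-revalidate,no-cache,no-store");
    response.setContentType("text/html;charset=utf-8");
    response.getWriter().write("<h1>Bad Message " + PAYLOAD_TOO_LARGE
        + "</h1><pre>reason: " + reason + "</pre>");
  }

  /** Hypothetical install hook: one handler on the Server covers every service it hosts. */
  public static void install(Server server) {
    server.setErrorHandler(new OversizedRequestErrorHandler());
  }
}
```

A regression test for this pattern sends a body above the configured limit and asserts the response is 413, contains "Payload Too Large", and contains none of the strings "Exception", "org.eclipse.jetty" or the configured byte limit.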