NEXUS-18919 (project: Dev - Nexus Repo)

requests to webapp context root HTML index page leak InputStream


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.4, 2.14.11
    • Fix Version/s: 2.14.12
    • Component/s: UI

      Description

      Problem

      AbstractUiContributionBuilder.detectVersion() loads a plugin jar's pom.properties file to extract the plugin version. The InputStream used to read the properties file is never closed, leading to a resource leak. If the repository manager runs long enough and receives enough requests at the webapp context root, the leak may lead to NXRM instability; on Linux, the resulting memory pressure may cause the OOM killer to terminate the NXRM process.

      Diagnosis

      Requests to the webapp context root (i.e. /nexus/) trigger loading of the initial HTML index page of the repository manager UI. Each NXRM plugin that has a UI contribution to make may use org.sonatype.nexus.plugins.ui.contribution.UiContributionBuilder, which in turn extends org.sonatype.nexus.plugins.ui.contribution.AbstractUiContributionBuilder. Plugin UI resources (CSS/JS files) are referenced by URLs with a ?v=pluginversion parameter appended, known as a cache buster. AbstractUiContributionBuilder.detectVersion() is called for each such resource to determine the plugin version used as the value of this parameter. The version value is not cached; instead it is read on every call from a properties file at the path String.format("/META-INF/maven/%s/%s/pom.properties", groupId, artifactId) using an InputStream. For each request to the webapp context root (default /nexus/), that input stream is opened but never closed, once per installed NXRM plugin jar.

      It may take hundreds of thousands of requests to the webapp context root for the problem to manifest in a production environment. There is no valid use case for this many requests in a short time period; individual users loading the UI page this frequently is not typical. If the webapp context root is being used improperly as a liveness check, the problem may appear noticeably sooner. Such "ping" requests should be directed to /internal/ping instead.
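      The leaky pattern beside its usual fix, as an added example written for this page (it is not NXRM's AbstractUiContributionBuilder). The plugin coordinates org.example / example-ui-plugin and the embedded pom.properties text are constructed so the class runs stand-alone without a plugin jar on the classpath; the path format is the one quoted above.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Illustration of the leak described in NEXUS-18919 and of the usual fix.
 * Added example; not the NXRM code base.
 */
public class PluginVersionDetector {

    // Constructed sample of a Maven-generated pom.properties, keyed by the
    // classpath path computed below. Used when no real jar resource exists so
    // the example runs without a plugin jar.
    private static final Map<String, String> CONSTRUCTED_RESOURCES = Map.of(
        "/META-INF/maven/org.example/example-ui-plugin/pom.properties",
        "#Generated by Maven\nversion=2.14.12\n"
        + "groupId=org.example\nartifactId=example-ui-plugin\n");

    // Fix, part 2: read each plugin's version once, not once per page request.
    private static final Map<String, String> VERSION_CACHE = new ConcurrentHashMap<>();

    // Same path format the issue quotes.
    static String pomPropertiesPath(String groupId, String artifactId) {
        return String.format("/META-INF/maven/%s/%s/pom.properties", groupId, artifactId);
    }

    // Returns a fresh stream on every call, as Class.getResourceAsStream does
    // for a jar entry; the caller owns closing it.
    static InputStream openResource(String path) {
        InputStream real = PluginVersionDetector.class.getResourceAsStream(path);
        if (real != null) {
            return real;
        }
        String constructed = CONSTRUCTED_RESOURCES.get(path);
        return constructed == null
            ? null
            : new ByteArrayInputStream(constructed.getBytes(StandardCharsets.ISO_8859_1));
    }

    // BEFORE (leaky): the stream is opened, handed to Properties.load and then
    // dropped. Properties.load does not close its argument, so every call
    // leaves one open stream behind until the garbage collector finalizes it.
    static String detectVersionLeaky(String groupId, String artifactId) throws IOException {
        InputStream in = openResource(pomPropertiesPath(groupId, artifactId));
        if (in == null) {
            return "unknown";
        }
        Properties props = new Properties();
        props.load(in);                         // 'in' is never closed
        return props.getProperty("version", "unknown");
    }

    // AFTER (fixed): try-with-resources guarantees close() on every path,
    // including the exceptional one, and the cache removes the per-request read.
    static String detectVersion(String groupId, String artifactId) {
        String path = pomPropertiesPath(groupId, artifactId);
        return VERSION_CACHE.computeIfAbsent(path, p -> {
            try (InputStream in = openResource(p)) {
                if (in == null) {
                    return "unknown";
                }
                Properties props = new Properties();
                props.load(in);
                return props.getProperty("version", "unknown");
            } catch (IOException e) {
                return "unknown";
            }
        });
    }

    // The cache-buster URL the index page emits for a plugin resource.
    static String cacheBustedUrl(String resourcePath, String groupId, String artifactId) {
        return resourcePath + "?v=" + detectVersion(groupId, artifactId);
    }

    public static void main(String[] args) throws IOException {
        // Simulate a burst of index-page requests: the leaky variant opens a
        // new stream on each, the fixed variant opens exactly one in total.
        for (int i = 0; i < 1000; i++) {
            detectVersionLeaky("org.example", "example-ui-plugin");
        }
        System.out.println(cacheBustedUrl("/static/js/example-ui-plugin.js",
                                          "org.example", "example-ui-plugin"));
    }
}
```

      Compile and run with javac PluginVersionDetector.java followed by java PluginVersionDetector. With the constructed in-memory resource the unclosed streams are harmless; the point of the loop is that the leaky variant opens one stream per call, which is exactly what turns into a real leak when the stream comes from a jar entry on a long-running server. Closing the stream fixes the leak on its own; caching the version additionally removes the per-request parse, which is why a plugin version that cannot change while the process is running should be read once.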


            People

            Assignee: Unassigned
            Reporter: Peter Lynch (plynch)

