Sonarqube issue with long url length and firewall


xbr...@gmail.com

May 15, 2017, 7:41:33 AM5/15/17
to SonarQube
Hello everyone,

We have started recently to adopt Sonarqube, and I would like to report an issue we are experiencing with the latest stable release of Sonarqube 6.3.1 and the web application firewall.

I did a vanilla installation of Sonarqube and the "General Settings" page under "Administration" displayed values for the different fields.

We installed some plugins and the page does not load any values because the request is blocked by the firewall due to a policy that limits the URL length.

I have pasted below the request blocked by the firewall which has 3132 characters.

https://sonarqube.test.company.com/api/settings/values?keys=sonar.spcaf.aspx.file.suffixes%2Csonar.issue.ignore.multicriteria%2Csonar.cs.ignoreHeaderComments%2Csonar.global.test.exclusions%2Csonar.less.file.suffixes%2Csonar.lf.aboutText%2Csonar.javascript.jQueryObjectAliases%2Csonar.python.xunit.skipDetails%2Csonar.cpd.exclusions%2Csonar.issue.ignore.allfile%2Csonar.javascript.lcov.reportPath%2Csonar.forceAuthentication%2Csonar.javascript.lcov.reportPaths%2Csonar.preview.includePlugins%2Csonar.lf.logoUrl%2Csonar.php.coverage.reportPaths%2Csonar.scss.file.suffixes%2Cemail.smtp_port.secured%2Csonar.python.xunit.reportPath%2Csonar.web.file.suffixes%2Csonar.import_unknown_files%2Csonar.javascript.globals%2Csonar.dbcleaner.hoursBeforeKeepingOnlyOneSnapshotByDay%2Csonar.css.file.suffixes%2Cemail.smtp_host.secured%2Csonar.javascript.lcov.itReportPath%2Csonar.dbcleaner.cleanDirectory%2Csonar.python.pylint%2Csonar.jacoco.reportPaths%2Csonar.cpd.cross_project%2Cemail.from%2Csonar.webhooks.global%2Csonar.php.coverage.reportPath%2Csonar.dbcleaner.weeksBeforeKeepingOnlyOneSnapshotByWeek%2Csonar.leak.period%2Csonar.python.pylint_config%2Cemail.prefix%2Csonar.issue.ignore.block%2Csonar.python.coverage.itReportPath%2Csonar.python.coverage.overallReportPath%2Csonar.test.inclusions%2Csonar.checkstyle.filters%2Csonar.lf.logoWidthPx%2Csonar.javascript.ignoreHeaderComments%2Csonar.dbcleaner.daysBeforeDeletingClosedIssues%2Csonar.dbcleaner.weeksBeforeKeepingOnlyOneSnapshotByMonth%2Csonar.lf.gravatarServerUrl%2Csonar.findbugs.effort%2Csonar.core.serverBaseURL%2ClanguageSpecificParameters%2Csonar.coverage.exclusions%2Csonar.test.exclusions%2Cemail.smtp_secure_connection.secured%2Csonar.python.pylint.reportPath%2Csonar.findbugs.confidenceLevel%2Csonar.links.ci%2Csonar.defaultGroup%2Csonar.javascript.environments%2Csonar.scm.disabled%2Csonar.python.coverage.reportPath%2Csonar.web.fileExtensions%2Csonar.cs.msbuild.testProjectPattern%2Csonar.stash.issue.threshold%2Csonar.findbugs.excludesFilters%2Csonar.css.embedded.file.suffixes%2Csonar.php.coverage.overallReportPath%2Csonar.stash.reviewer.approval%2Csonar.exclusions%2Csonar.global.exclusions%2Csonar.spcaf.powershell.file.suffixes%2Csonar.technicalDebt.ratingGrid%2Csonar.php.coverage.itReportPath%2Csonar.inclusions%2Csonar.technicalDebt.developmentCost%2Csonar.lf.enableGravatar%2Csonar.spcaf.xml.file.suffixes%2Csonar.preview.excludePlugins%2Csonar.python.file.suffixes%2Csonar.junit.reportsPath%2Csonar.python.coverage.forceZeroCoverage%2Csonar.cs.file.suffixes%2Csonar.issues.defaultAssigneeLogin%2Csonar.javascript.file.suffixes%2Csonar.stash.task.issue.severity.threshold%2Cemail.smtp_password.secured%2Csonar.stash.login%2Csonar.java.file.suffixes%2Csonar.php.file.suffixes%2Csonar.stash.timeout%2Csonar.dbcleaner.weeksBeforeDeletingAllSnapshots%2Csonar.links.scm%2Cemail.smtp_username.secured%2Csonar.issue.enforce.multicriteria%2Csonar.stash.url%2Csonar.php.tests.reportPath%2Csonar.findbugs.timeout


It seems to me the configuration panel tries to load every value for each plugin. Would it be possible to change the behaviour to load only what is selected, or to pass all these values in another form?


Thank you very much for your attention and nice work! :-)

Kind Regards,
Brian

Julien Lancelot

May 15, 2017, 8:40:18 AM5/15/17
to xbr...@gmail.com, SonarQube
Hi Brian,

Unfortunately it's not possible to change the current behavior.

Would it be possible for you to increase the number of allowed characters used by SonarQube in the firewall?

Regards,

--
Julien Lancelot | SonarSource

xbr...@gmail.com

May 15, 2017, 9:00:19 AM5/15/17
to SonarQube
Hello Julien,

thank you for your prompt feedback. Unfortunately the security team does not want to increase the number because it is a global setting in the firewall. The only 'workaround' possible, I think, is the removal of some plugins (if possible) or not applying the firewall profile, which may not be authorized. Our security team pointed me to this article about the URL length https://boutell.com/newfaq/misc/urllength.html and they mentioned that disabling this feature means several other security options would implicitly be disabled.

I think this issue may be pretty common in corporate environments; should I open a ticket here?



Regards,
Brian

Markus Möslinger

May 23, 2017, 4:06:32 AM5/23/17
to SonarQube, xbr...@gmail.com
Hi,

we are trying to run SonarQube behind a commercial Web Application Firewall (& reverse proxy) too, and have the same problem that the WAF is globally configured to accept no more than 2048 characters.
Our client doesn't want to increase the limit, since it's global and may have an unexpected performance/memory hit they can't take right now.

imho, a firewall/proxy/... should be capable of being as transparent as possible, not adding its own technical limitations to the services it's providing, especially when there is no specified upper length limit for a URL (even IE8 started to change its URL handling, allowing longer addresses, more or less).

So yeah, SonarQube is doing nothing wrong (technically), and still it won't work in some (many?) corporate environments, as Brian already mentioned.

To run SonarQube in as many (crappy) environments as possible, it would be great if you could try to follow this ancient "no URLs longer than 2000 characters" rule of thumb!


Regards,
Markus
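The two posts above describe the same failure mode: the settings page builds one GET request whose `keys` parameter carries every setting key of every installed plugin, and a WAF with a global URL-length limit (2048 characters here) drops it. The script below is an added example, not code from SonarQube or from anyone in this thread; it shows how to measure the length of such a request for a given key list and how a client could split the keys into batches that each stay under a configured limit. The hostname is a placeholder and the key list is a constructed sample taken from the blocked request quoted earlier; the real request carried roughly a hundred keys.

```python
from urllib.parse import urlencode

# Placeholder host; the real instance in the thread was sonarqube.test.company.com.
BASE = "https://sonarqube.example.invalid/api/settings/values"

# Constructed sample: ten of the setting keys from the blocked request quoted
# in the thread. The full request had ~100 keys and was 3132 characters long.
SAMPLE_KEYS = [
    "sonar.spcaf.aspx.file.suffixes",
    "sonar.issue.ignore.multicriteria",
    "sonar.cs.ignoreHeaderComments",
    "sonar.global.test.exclusions",
    "sonar.less.file.suffixes",
    "sonar.lf.aboutText",
    "sonar.javascript.jQueryObjectAliases",
    "sonar.python.xunit.skipDetails",
    "sonar.cpd.exclusions",
    "sonar.dbcleaner.hoursBeforeKeepingOnlyOneSnapshotByDay",
]


def build_url(base: str, keys: list[str]) -> str:
    """Build the GET URL the same way the quoted request is shaped: a single
    'keys' parameter holding a comma-separated list, percent-encoded so each
    separator becomes %2C (three characters instead of one)."""
    return f"{base}?{urlencode({'keys': ','.join(keys)})}"


def url_length(base: str, keys: list[str]) -> int:
    """Length of the request-URI as it would be seen by a proxy or WAF."""
    return len(build_url(base, keys))


def batch_keys(base: str, keys: list[str], max_len: int) -> list[list[str]]:
    """Greedily split keys into consecutive batches so that the URL for every
    batch is at most max_len characters. Order is preserved, so the batches
    can be requested one after another and their results merged.
    Raises ValueError if a single key on its own already exceeds the limit,
    because no batching can make that request pass the filter."""
    batches: list[list[str]] = []
    current: list[str] = []
    for key in keys:
        if url_length(base, [key]) > max_len:
            raise ValueError(f"key {key!r} alone exceeds {max_len} characters")
        if current and url_length(base, current + [key]) > max_len:
            batches.append(current)
            current = []
        current.append(key)
    if current:
        batches.append(current)
    return batches


if __name__ == "__main__":
    limit = 200  # deliberately small so the sample list needs several batches
    print(f"single request: {url_length(BASE, SAMPLE_KEYS)} characters")
    for i, batch in enumerate(batch_keys(BASE, SAMPLE_KEYS, limit), start=1):
        print(f"batch {i}: {len(batch)} keys, {url_length(BASE, batch)} characters")
```

The per-key overhead is worth noting when sizing a limit: every extra key costs its own length plus three characters for the encoded comma, so a list of a hundred dotted keys of 25 to 40 characters each lands in the 3000-character range the original poster observed. Batching is a client-side change; the server-side fix the thread settles on (SonarQube 6.5) shrinks the request instead, and either approach keeps the WAF's global limit untouched.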

Stas Vilchik

May 26, 2017, 4:50:53 AM5/26/17
to SonarQube, xbr...@gmail.com
Hello Markus,

We'll do a fix in the next sonarqube release (see ticket).

Thanks for the feedback!

Markus Möslinger

May 30, 2017, 3:58:24 AM5/30/17
to SonarQube, xbr...@gmail.com
Hi Stas,

thanks, that's great!
Just to be sure, I guess with "the next sonarqube release" you are referring to 6.5, as noted in the ticket?
But I'm still glad to hear that :)

How long do you think the URL in question will be after this change?

Regards,
Markus

xbr...@gmail.com

May 30, 2017, 3:34:22 PM5/30/17
to SonarQube, xbr...@gmail.com
Hi Stas,

thank you very much for your prompt feedback!

Instead of requesting a URL, would it not be more advisable to use a POST?

I believe some plugins may have a long list of fields.

Regards,
Brian

Stas Vilchik

May 31, 2017, 7:31:53 AM5/31/17
to SonarQube, xbr...@gmail.com
Hello Markus,

Yes, I was talking about 6.5.

I'd expect that the URL is about 150-200 characters in most cases.

Regards,

Stas Vilchik

May 31, 2017, 7:34:02 AM5/31/17
to SonarQube, xbr...@gmail.com
Hello Brian,

So far we have managed to use POST requests only for actions that mutate the server data, and GET requests for retrieving data. We'd like to keep this pattern.

Regards,