Closed Bug 1520574 Opened 6 years ago Closed 6 years ago

Remove file data from KumaScript rendering environment

Categories

(developer.mozilla.org Graveyard :: General, enhancement, P1)

Product:
developer.mozilla.org Graveyard
Component:
General
Platform:
All
Other
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jwhitlock, Assigned: jwhitlock)

References

Details

(Whiteboard: [specification][type:change])

What feature should be changed? Please provide the URL of the feature if possible.

When Kuma calls KumaScript, it includes context data like the document path, revision ID, and tags as base64-encoded headers in the HTTP request. One of these headers is data about attachments, including filename, URL, title, description, size, author, and MIME type. This was added for bug 773285 in PR 413, presumably because macros migrated from DekiWiki macros used this information.

In node 10.14.0, the maximum header size was reduced from 80K to 8K, to prevent a denial of service attack. The encoded file information requires an HTTP header that exceeds 8K on some pages, resulting in the KumaScript service returning a 400 error for these pages. Rendering of pages with many attachments are broken, even if they don't contain macros that use this data.

Irene noticed this issue when adding new images on:

The file information is currently used in two macros, Embed_text and EmbedSVG. These macros are used on about 50 translations, but only one English page, Web/SVG/Attribute/requiredFeatures, and the use on that page is broken, probably since the page move in June 2013.

This feature should be retired in steps:

  • The file data reduced to filename and URL, the two data items used by {{Embed_text}} and {{EmbedSVG}}. The duplicate name attachments should be removed. This should help all pages get before
  • The macros should be retired, or changed to use the attachment URL (https://mdn.mozillademos.org/files/3286/requiredFeatures.svg) rather than the file data in the environment.
  • The file data should be dropped from the headers passed to KumaScript

What problems would this solve?

Pages with many attachments will render without a 400 error. We'd close off a way to break a page by adding an attachment with a very large description.

Who would use this?

Editors

What would users see?

Pages with many attachments will continue rendering

What would users do? What would happen as a result?

Continue not worrying about attachments

Is there anything else we should know?

node 10.15.0 added an option --max-http-header-size that could be used to increase the limit. However, given the low usage of the file data, I believe it makes more sense to drop it from the default environment passed to Kumascript, and add the data to the $json API if needed by macros.

Commits pushed to master at https://github.com/mozilla/kuma https://github.com/mozilla/kuma/commit/6ff7413bbf84bffa9c2ee8d939980e1fe772964b bug 1520574: Reduce file data passed to kumascript With node 10.14.0, there is an 8K limit to HTTP headers. When file data is base64 encoded as a header, it can grow beyond 8K for some pages with 10 or more attachments. This results in a 400 error when rendering. Reduce the attachment metadata to the filename and URL, which are the two attributes used by Embed_text and EmbedSVG, the only macros that use this data. Also, drop the "attachments" header, which encodes the same data but is unused. This is a first step to removing these macros and no longer passing attachment data in the default environment. https://github.com/mozilla/kuma/commit/051a31d35d62e4c8f832b504c96d10d22926d33c Merge pull request #5194 from jwhitlock/reduce-file-data-ks-1520574 bug 1520574: Reduce file data passed to kumascript

I've filed https://github.com/mdn/kumascript/pull/1040 to remove {{Embed_text}} and {{EmbedSVG}}.

Thanks wbamberg!

The two problem pages now render:

I'm leaving the bug open for follow-on actions once these macros are gone.

Blocks: 1520399

There are still documents with many attachments that get the 400 error. Most are user pages, but two stand out:

These should be fixed when we remove the file data header entirely.

Assignee: nobody → jwhitlock
Status: NEW → ASSIGNED
Priority: -- → P1
Commits pushed to master at https://github.com/mozilla/kuma https://github.com/mozilla/kuma/commit/bb169fe5e1dd803ad7b8e484366d9ecb7c532ede bug 1520574: Remove file data from the KS API Remove file attachment data from the KumaScript API. This avoids creating a header that exceeds 8K bytes when a page has several attachments. https://github.com/mozilla/kuma/commit/96773bf7e23acfd6179b59351182a17160eb441d Merge pull request #5206 from jwhitlock/remove-file-data-1520574 bug 1520574: Remove file data from the KumaScript API

With the file header gone, the pages now render without errors:

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: developer.mozilla.org → developer.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.