Six profiling and debugging endpoints in StormApiResource.java are declared with @get even though they perform
state-changing operations on workers:
- GET /api/v1/topology/{id}/profiling/start/{host-port}/{timeout}
- GET /api/v1/topology/{id}/profiling/stop/{host-port}
- GET /api/v1/topology/{id}/profiling/dumpprofile/{host-port}
- GET /api/v1/topology/{id}/profiling/dumpjstack/{host-port}
- GET /api/v1/topology/{id}/profiling/dumpheap/{host-port}
- GET /api/v1/topology/{id}/profiling/restartworker/{host-port}
Per RFC 7231, GET is defined as safe and idempotent and must not be used for state-changing operations. Using GET
here violates HTTP semantics and unnecessarily broadens the CSRF attack surface in deployments that deviate from the recommended reverse-proxy/firewall setup.
Six profiling and debugging endpoints in StormApiResource.java are declared with @get even though they perform
state-changing operations on workers:
Per RFC 7231, GET is defined as safe and idempotent and must not be used for state-changing operations. Using GET
here violates HTTP semantics and unnecessarily broadens the CSRF attack surface in deployments that deviate from the recommended reverse-proxy/firewall setup.