From 86ad55e43e0dec04f12d7ad62e73550265ef6a3b Mon Sep 17 00:00:00 2001
From: David Handermann
Date: Mon, 28 Oct 2024 15:26:16 -0500
Subject: [PATCH] NIFI-13941 Fix Maximum Length for DNS Certificate SAN from Proxy Hosts (#9462)

NIFI-13941 Fixed Maximum Length for DNS Certificate SAN from Proxy Hosts - Added warning log for invalid host in proxy property
---
 .../property/SecurityApplicationPropertyHandler.java | 5 ++++-
 .../property/SecurityApplicationPropertyHandlerTest.java | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/property/SecurityApplicationPropertyHandler.java b/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/property/SecurityApplicationPropertyHandler.java
index ea84b4dcf63f..7aad4989e707 100644
--- a/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/property/SecurityApplicationPropertyHandler.java
+++ b/nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/property/SecurityApplicationPropertyHandler.java
@@ -78,7 +78,8 @@ public class SecurityApplicationPropertyHandler implements ApplicationPropertyHa
 private static final String PROPERTY_SEPARATOR = "=";
- private static final Pattern HOST_PORT_PATTERN = Pattern.compile("^([\\w-.]{1,63}):?\\d{0,5}$");
+ // Maximum address length based on RFC 1035 Section 2.3.4
+ private static final Pattern HOST_PORT_PATTERN = Pattern.compile("^([\\w-.]{1,254}):?\\d{0,5}$");
 private static final int HOST_GROUP = 1;
@@ -307,6 +308,8 @@ private Set getHosts(final String property) {
 if (hostPortMatcher.matches()) {
 final String host = hostPortMatcher.group(HOST_GROUP);
 hosts.add(host);
+ } else {
+ logger.warn("Invalid host [{}] configured for [{}] in nifi.properties", hostPortGroup, SecurityProperty.WEB_PROXY_HOST.getName());
 }
 }
 }
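Review bot: The new `{1,254}` quantifier on `HOST_PORT_PATTERN` caps only the total length, so a single label longer than 63 characters now matches even though the RFC 1035 section cited in the added comment also limits each label to 63 octets. The class `[\\w-.]` still admits empty labels such as `a..b` and a leading dot, and going by the commit subject the captured group ends up as a DNS subject alternative name. One way to bound both while keeping group 1 as the host is `Pattern.compile("^((?=[^:]{1,254}(?::|$))[\\w-]{1,63}(?:\\.[\\w-]{1,63})*\\.?):?\\d{0,5}$")`. The comment should also say where 254 comes from, for example `// RFC 1035 Section 2.3.4: names are at most 255 octets on the wire, 254 characters as text with the trailing dot; labels at most 63 octets`.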
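Review bot: The added `logger.warn` in `getHosts` does not say what happens to the rejected entry: in the visible lines it is simply not added to `hosts`, so the operator cannot tell from the message that the name is left out of whatever is built from that set (the certificate SAN list, judging by the commit subject). `hostPortGroup` is also written to the log exactly as it was read from nifi.properties, and because it failed `HOST_PORT_PATTERN` it may be arbitrarily long or contain control characters; whether it is trimmed before this point is not visible in the hunk. Consider `logger.warn("Skipping invalid host [{}] configured for [{}] in nifi.properties", hostPortGroup, SecurityProperty.WEB_PROXY_HOST.getName());` with the value truncated or escaped first. The body of `getHosts` starts above the hunk.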
diff --git a/nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/property/SecurityApplicationPropertyHandlerTest.java b/nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/property/SecurityApplicationPropertyHandlerTest.java
index e0383567028a..38ec3bdb4f57 100644
--- a/nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/property/SecurityApplicationPropertyHandlerTest.java
+++ b/nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/property/SecurityApplicationPropertyHandlerTest.java
@@ -61,7 +61,7 @@ class SecurityApplicationPropertyHandlerTest {
 private static final int DNS_NAME_TYPE = 2;
- private static final String FIRST_PROXY_HOST = "nifi.apache.org";
+ private static final String FIRST_PROXY_HOST = "maximum.domain.subject.alternative.name.length.greater.than.sixty.four.characters.nifi.apache.org";
 private static final int FIRST_PROXY_HOST_PORT = 443;
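Review bot: Swapping `FIRST_PROXY_HOST` for one long name covers a value above the old 63-character cap but pins neither edge of the new rule: nothing visible here checks a name at the 254-character limit, one just past it, or an entry that should fall into the new warning branch and be left out of the DNS names. The short `nifi.apache.org` case also disappears unless a constant outside this hunk still covers it. A second constant such as `private static final String INVALID_PROXY_HOST = "a".repeat(255);`, with an assertion that it is absent from the generated DNS names, would lock the boundary down.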