Hardening: use POST for profiling/debugging REST endpoints (#8515)

rzo1 · rzo1 · commit 866acd2fcfdb · 2026-04-13T20:02:28.000+02:00
diff --git a/docs/STORM-UI-REST-API.md b/docs/STORM-UI-REST-API.md
@@ -1298,9 +1298,9 @@ Sample response:
 }
 ```
 
-## Profiling and Debugging GET Operations
+## Profiling and Debugging POST Operations
 
-###  /api/v1/topology/\<id\>/profiling/start/\<host-port\>/\<timeout\> (GET)
+###  /api/v1/topology/\<id\>/profiling/start/\<host-port\>/\<timeout\> (POST)
 
 Request to start profiler on worker with timeout. Returns status and link to profiler artifacts for worker.
 Substitute appropriate values for \<id\>, \<host-port\> and \<timeout\>.
@@ -1339,7 +1339,7 @@ Sample response:
 }
 ```
 
-###  /api/v1/topology/\<id\>/profiling/dumpprofile/\<host-port\> (GET)
+###  /api/v1/topology/\<id\>/profiling/dumpprofile/\<host-port\> (POST)
 
 Request to dump profiler recording on worker. Returns status and worker id for the request.
 Substitute for \<id\> and \<host-port\>. 
@@ -1371,7 +1371,7 @@ Sample response:
 }
 ```
 
-###  /api/v1/topology/\<id\>/profiling/stop/\<host-port\> (GET)
+###  /api/v1/topology/\<id\>/profiling/stop/\<host-port\> (POST)
 
 Request to stop profiler on worker. Returns status and worker id for the request.
 Substitute for \<id\> and \<host-port\>. 
@@ -1403,7 +1403,7 @@ Sample response:
 }
 ```
 
-###  /api/v1/topology/\<id\>/profiling/dumpjstack/\<host-port\> (GET)
+###  /api/v1/topology/\<id\>/profiling/dumpjstack/\<host-port\> (POST)
 
 Request to dump jstack on worker. Returns status and worker id for the request.
 Substitute for \<id\> and \<host-port\>. 
@@ -1435,7 +1435,7 @@ Sample response:
 }
 ```
 
-###  /api/v1/topology/\<id\>/profiling/dumpheap/\<host-port\> (GET)
+###  /api/v1/topology/\<id\>/profiling/dumpheap/\<host-port\> (POST)
 
 Request to dump heap (jmap) on worker. Returns status and worker id for the request.
 Substitute for \<id\> and \<host-port\>. 
@@ -1467,7 +1467,7 @@ Sample response:
 }
 ```
 
-###  /api/v1/topology/\<id\>/profiling/restartworker/\<host-port\> (GET)
+###  /api/v1/topology/\<id\>/profiling/restartworker/\<host-port\> (POST)
 
 Request to request the worker. Returns status and worker id for the request.
 Substitute for \<id\> and \<host-port\>. 
diff --git a/storm-webapp/src/main/java/org/apache/storm/daemon/ui/WEB-INF/component.html b/storm-webapp/src/main/java/org/apache/storm/daemon/ui/WEB-INF/component.html
@@ -386,7 +386,7 @@
     var passed = {}
     Object.keys(workerActionSelected).forEach(function (id) {
         var url = "/api/v1/topology/"+topologyId+"/profiling/start/" + id + "/" + timeout;
-        $.get(url, function(response,status,jqXHR) {
+        $.post(url, function(response,status,jqXHR) {
             jsError(function() {
                 getStatic("/templates/component-page-template.html", function(template) {
                     var host_port_split = id.split(":");
@@ -428,7 +428,7 @@
     $("#stop_" + id).prop('disabled', true);
     setTimeout(function(){ $("#stop_" + id).prop('disabled', false); }, 5000);
     
-    $.get(url, function(response,status,jqXHR) {
+    $.post(url, function(response,status,jqXHR) {
         alert("Submitted request to stop profiling...");
     })
     .fail(function(response) {
@@ -445,7 +445,7 @@
     $("#dump_profile_" + id).prop('disabled', true);
     setTimeout(function(){ $("#dump_profile_" + id).prop('disabled', false); }, 5000);
     
-    $.get(url, function(response,status,jqXHR) {
+    $.post(url, function(response,status,jqXHR) {
         alert("Submitted request to dump profile snapshot...");
     })
     .fail(function(response) {
@@ -465,7 +465,7 @@
         $("#dump_jstack_" + id).prop('disabled', true);
         setTimeout(function(){ $("#dump_jstack_" + id).prop('disabled', false); }, 5000);
 
-        $.get(url).fail(function(response) {
+        $.post(url).fail(function(response) {
             failed[id] = response;
         });
         if (!(id in failed)) {
@@ -490,7 +490,7 @@
     $("#dump_jstack_" + id).prop('disabled', true);
     setTimeout(function(){ $("#dump_jstack_" + id).prop('disabled', false); }, 5000);
     
-    $.get(url, function(response,status,jqXHR) {
+    $.post(url, function(response,status,jqXHR) {
         alert("Submitted request for jstack dump...");
     })
     .fail(function(response) {
@@ -509,7 +509,7 @@
         $("#restart_worker_jvm_" + id).prop('disabled', true);
         setTimeout(function(){ $("#restart_worker_jvm_" + id).prop('disabled', false); }, 5000);
 
-        $.get(url).fail(function(response) {
+        $.post(url).fail(function(response) {
             failed[id] = response;
         });
         if (!(id in failed)) {
@@ -537,7 +537,7 @@
         $("#dump_heap_" + id).prop('disabled', true);
         setTimeout(function(){ $("#dump_heap_" + id).prop('disabled', false); }, 5000);
 
-        $.get(url).fail(function(response) {
+        $.post(url).fail(function(response) {
             failed[id] = response;
         });
         if (!(id in failed)) {
@@ -562,7 +562,7 @@
     $("#dump_heap_" + id).prop('disabled', true);
     setTimeout(function(){ $("#dump_heap_" + id).prop('disabled', false); }, 5000);
     
-    $.get(url, function(response,status,jqXHR) {
+    $.post(url, function(response,status,jqXHR) {
         alert("Submitted request for jmap dump...");
     })
     .fail(function(response) {
diff --git a/storm-webapp/src/main/java/org/apache/storm/daemon/ui/resources/StormApiResource.java b/storm-webapp/src/main/java/org/apache/storm/daemon/ui/resources/StormApiResource.java
@@ -596,7 +596,7 @@ public Response putTopologyKill(
     /**
      * /api/v1/topology/:id/profiling/start/:host-port/:timeout -> profiling start.
      */
-    @GET
+    @POST
     @Path("/topology/{id}/profiling/start/{host-port}/{timeout}")
     @AuthNimbusOp(value = "setWorkerProfiler", needsTopoId = true)
     @Produces("application/json")
@@ -615,7 +615,7 @@ public Response getTopologyProfilingStart(@PathParam("id") String id,
     /**
      * /api/v1/topology/:id/profiling/stop/:host-port -> profiling stop.
      */
-    @GET
+    @POST
     @Path("/topology/{id}/profiling/stop/{host-port}")
     @AuthNimbusOp(value = "setWorkerProfiler", needsTopoId = true)
     @Produces("application/json")
@@ -633,7 +633,7 @@ public Response getTopologyProfilingStop(@PathParam("id") String id,
     /**
      * /api/v1/topology/:id/profiling/dumpprofile/:host-port -> dump profile.
      */
-    @GET
+    @POST
     @Path("/topology/{id}/profiling/dumpprofile/{host-port}")
     @AuthNimbusOp(value = "setWorkerProfiler", needsTopoId = true)
     @Produces("application/json")
@@ -651,7 +651,7 @@ public Response getTopologyProfilingDumpProfile(@PathParam("id") String id,
     /**
      * /api/v1/topology/:id/profiling/dumpjstack/:host-port -> dump jstack.
      */
-    @GET
+    @POST
     @Path("/topology/{id}/profiling/dumpjstack/{host-port}")
     @AuthNimbusOp(value = "setWorkerProfiler", needsTopoId = true)
     @Produces("application/json")
@@ -671,7 +671,7 @@ public Response getTopologyProfilingDumpJstack(@PathParam("id") String id,
     /**
      * /api/v1/topology/:id/profiling/restartworker/:host-port -> restart worker.
      */
-    @GET
+    @POST
     @Path("/topology/{id}/profiling/restartworker/{host-port}")
     @AuthNimbusOp(value = "setWorkerProfiler", needsTopoId = true)
     @Produces("application/json")
@@ -691,7 +691,7 @@ public Response getTopologyProfilingRestartWorker(@PathParam("id") String id,
     /**
      * /api/v1/topology/:id/profiling/dumpheap/:host-port -> dump heap.
      */
-    @GET
+    @POST
     @Path("/topology/{id}/profiling/dumpheap/{host-port}")
     @AuthNimbusOp(value = "setWorkerProfiler", needsTopoId = true)
     @Produces("application/json")
