Merge pull request #43286 from quaff

* pr/43286:
  Add support for configuring Tomcat connector's max parameter count

Closes gh-43286

Author: snicoll

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java

@@ -513,13 +513,11 @@ public static class Tomcat {
 		 */
 		private DataSize maxHttpResponseHeaderSize = DataSize.ofKilobytes(8);
 
-		public DataSize getMaxHttpFormPostSize() {
-			return this.maxHttpFormPostSize;
-		}
-
-		public void setMaxHttpFormPostSize(DataSize maxHttpFormPostSize) {
-			this.maxHttpFormPostSize = maxHttpFormPostSize;
-		}
+		/**
+		 * Maximum number of parameters (GET plus POST) that will be automatically parsed
+		 * by the container. A value of less than 0 means no limit.
+		 */
+		private int maxParameterCount = 10000;
 
 		public Accesslog getAccesslog() {
 			return this.accesslog;
@@ -669,6 +667,22 @@ public void setMaxHttpResponseHeaderSize(DataSize maxHttpResponseHeaderSize) {
 			this.maxHttpResponseHeaderSize = maxHttpResponseHeaderSize;
 		}
 
+		public DataSize getMaxHttpFormPostSize() {
+			return this.maxHttpFormPostSize;
+		}
+
+		public void setMaxHttpFormPostSize(DataSize maxHttpFormPostSize) {
+			this.maxHttpFormPostSize = maxHttpFormPostSize;
+		}
+
+		public int getMaxParameterCount() {
+			return this.maxParameterCount;
+		}
+
+		public void setMaxParameterCount(int maxParameterCount) {
+			this.maxParameterCount = maxParameterCount;
+		}
+
 		/**
 		 * Tomcat access log properties.
 		 */

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java

@@ -119,6 +119,8 @@ public void customize(ConfigurableTomcatWebServerFactory factory) {
 			.asInt(DataSize::toBytes)
 			.when((maxHttpFormPostSize) -> maxHttpFormPostSize != 0)
 			.to((maxHttpFormPostSize) -> customizeMaxHttpFormPostSize(factory, maxHttpFormPostSize));
+		map.from(properties::getMaxParameterCount)
+			.to((maxParameterCount) -> customizeMaxParameterCount(factory, maxParameterCount));
 		map.from(properties::getAccesslog)
 			.when(ServerProperties.Tomcat.Accesslog::isEnabled)
 			.to((enabled) -> customizeAccessLog(factory));
@@ -292,6 +294,10 @@ private void customizeMaxHttpFormPostSize(ConfigurableTomcatWebServerFactory fac
 		factory.addConnectorCustomizers((connector) -> connector.setMaxPostSize(maxHttpFormPostSize));
 	}
 
+	private void customizeMaxParameterCount(ConfigurableTomcatWebServerFactory factory, int maxParameterCount) {
+		factory.addConnectorCustomizers((connector) -> connector.setMaxParameterCount(maxParameterCount));
+	}
+
 	private void customizeAccessLog(ConfigurableTomcatWebServerFactory factory) {
 		ServerProperties.Tomcat tomcatProperties = this.serverProperties.getTomcat();
 		AccessLogValve valve = new AccessLogValve();

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java

@@ -199,7 +199,7 @@ void testCustomizedMimeMapping() {
 	}
 
 	@Test
-	void testCustomizeUriEncoding() {
+	void testCustomizeTomcatUriEncoding() {
 		bind("server.tomcat.uri-encoding", "US-ASCII");
 		assertThat(this.properties.getTomcat().getUriEncoding()).isEqualTo(StandardCharsets.US_ASCII);
 	}
@@ -235,17 +235,23 @@ void testCustomizeTomcatKeepAliveTimeoutWithInfinite() {
 	}
 
 	@Test
-	void customizeMaxKeepAliveRequests() {
+	void testCustomizeTomcatMaxKeepAliveRequests() {
 		bind("server.tomcat.max-keep-alive-requests", "200");
 		assertThat(this.properties.getTomcat().getMaxKeepAliveRequests()).isEqualTo(200);
 	}
 
 	@Test
-	void customizeMaxKeepAliveRequestsWithInfinite() {
+	void testCustomizeTomcatMaxKeepAliveRequestsWithInfinite() {
 		bind("server.tomcat.max-keep-alive-requests", "-1");
 		assertThat(this.properties.getTomcat().getMaxKeepAliveRequests()).isEqualTo(-1);
 	}
 
+	@Test
+	void testCustomizeTomcatMaxParameterCount() {
+		bind("server.tomcat.max-parameter-count", "100");
+		assertThat(this.properties.getTomcat().getMaxParameterCount()).isEqualTo(100);
+	}
+
 	@Test
 	void testCustomizeTomcatMinSpareThreads() {
 		bind("server.tomcat.threads.min-spare", "10");
@@ -379,6 +385,12 @@ void tomcatMaxHttpPostSizeMatchesConnectorDefault() {
 			.isEqualTo(getDefaultConnector().getMaxPostSize());
 	}
 
+	@Test
+	void tomcatMaxParameterCountMatchesConnectorDefault() {
+		assertThat(this.properties.getTomcat().getMaxParameterCount())
+			.isEqualTo(getDefaultConnector().getMaxParameterCount());
+	}
+
 	@Test
 	void tomcatBackgroundProcessorDelayMatchesEngineDefault() {
 		assertThat(this.properties.getTomcat().getBackgroundProcessorDelay())

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java

@@ -194,6 +194,13 @@ void customMaxHttpRequestHeaderSize() {
 			.isEqualTo(DataSize.ofMegabytes(10).toBytes()));
 	}
 
+	@Test
+	void customMaxParameterCount() {
+		bind("server.tomcat.max-parameter-count=100");
+		customizeAndRunServer(
+				(server) -> assertThat(server.getTomcat().getConnector().getMaxParameterCount()).isEqualTo(100));
+	}
+
 	@Test
 	void customMaxRequestHttpHeaderSizeIgnoredIfNegative() {
 		bind("server.max-http-request-header-size=-1");