Merge pull request #11224 from thingsboard/hotfix/3.7

Hotfix/3.7

application/src/main/java/org/thingsboard/server/actors/ruleChain/RuleEngineComponentActor.java

@@ -50,6 +50,9 @@ public abstract class RuleEngineComponentActor<T extends EntityId, P extends Com
     }
 
     private void processNotificationRule(ComponentLifecycleEvent event, Throwable e) {
+        if (processor == null) {
+            return;
+        }
         systemContext.getNotificationRuleProcessor().process(RuleEngineComponentLifecycleEventTrigger.builder()
                 .tenantId(tenantId)
                 .ruleChainId(getRuleChainId())

application/src/main/java/org/thingsboard/server/config/RequestSizeFilter.java

@@ -0,0 +1,78 @@
+/**
+ * Copyright © 2016-2024 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.config;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.thingsboard.server.common.msg.tools.MaxPayloadSizeExceededException;
+import org.thingsboard.server.exception.ThingsboardErrorResponseHandler;
+
+import java.io.IOException;
+import java.util.List;
+
+@Slf4j
+@Component
+@RequiredArgsConstructor
+public class RequestSizeFilter extends OncePerRequestFilter {
+
+    private final List<String> urls = List.of("/api/plugins/rpc/**", "/api/rpc/**");
+    private final AntPathMatcher pathMatcher = new AntPathMatcher();
+    private final ThingsboardErrorResponseHandler errorResponseHandler;
+    
+    @Value("${transport.http.max_payload_size:65536}")
+    private int maxPayloadSize;
+
+    @Override
+    public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
+        if (request.getContentLength() > maxPayloadSize) {
+            if (log.isDebugEnabled()) {
+                log.debug("Too large payload size. Url: {}, client ip: {}, content length: {}", request.getRequestURL(),
+                        request.getRemoteAddr(), request.getContentLength());
+            }
+            errorResponseHandler.handle(new MaxPayloadSizeExceededException(), response);
+            return;
+        }
+        chain.doFilter(request, response);
+    }
+
+    @Override
+    protected boolean shouldNotFilter(HttpServletRequest request) {
+        for (String url : urls) {
+            if (pathMatcher.match(url, request.getRequestURI())) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    @Override
+    protected boolean shouldNotFilterAsyncDispatch() {
+        return false;
+    }
+
+    @Override
+    protected boolean shouldNotFilterErrorDispatch() {
+        return false;
+    }
+}

application/src/main/java/org/thingsboard/server/config/ThingsboardSecurityConfiguration.java

@@ -124,6 +124,9 @@ public class ThingsboardSecurityConfiguration {
     @Autowired
     private RateLimitProcessingFilter rateLimitProcessingFilter;
 
+    @Autowired
+    private RequestSizeFilter requestSizeFilter;
+
     @Bean
     protected FilterRegistrationBean<ShallowEtagHeaderFilter> buildEtagFilter() throws Exception {
         ShallowEtagHeaderFilter etagFilter = new ShallowEtagHeaderFilter();
@@ -225,6 +228,7 @@ public class ThingsboardSecurityConfiguration {
                 .addFilterBefore(buildRestPublicLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
                 .addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
                 .addFilterBefore(buildRefreshTokenProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
+                .addFilterBefore(requestSizeFilter, UsernamePasswordAuthenticationFilter.class)
                 .addFilterAfter(rateLimitProcessingFilter, UsernamePasswordAuthenticationFilter.class);
         if (oauth2Configuration != null) {
             http.oauth2Login(login -> login

application/src/main/java/org/thingsboard/server/controller/RpcV2Controller.java

@@ -118,6 +118,7 @@ public class RpcV2Controller extends AbstractRpcController {
             @ApiResponse(responseCode = "200", description = "Persistent RPC request was saved to the database or lightweight RPC request was sent to the device."),
             @ApiResponse(responseCode = "400", description = "Invalid structure of the request."),
             @ApiResponse(responseCode = "401", description = "User is not authorized to send the RPC request. Most likely, User belongs to different Customer or Tenant."),
+            @ApiResponse(responseCode = "413", description = "Request payload is too large"),
             @ApiResponse(responseCode = "504", description = "Timeout to process the RPC call. Most likely, device is offline."),
     })
     @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')")
@@ -136,6 +137,7 @@ public class RpcV2Controller extends AbstractRpcController {
             @ApiResponse(responseCode = "200", description = "Persistent RPC request was saved to the database or lightweight RPC response received."),
             @ApiResponse(responseCode = "400", description = "Invalid structure of the request."),
             @ApiResponse(responseCode = "401", description = "User is not authorized to send the RPC request. Most likely, User belongs to different Customer or Tenant."),
+            @ApiResponse(responseCode = "413", description = "Request payload is too large"),
             @ApiResponse(responseCode = "504", description = "Timeout to process the RPC call. Most likely, device is offline."),
     })
     @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')")

application/src/main/java/org/thingsboard/server/exception/ThingsboardErrorResponseHandler.java

@@ -46,6 +46,7 @@ import org.springframework.web.util.WebUtils;
 import org.thingsboard.common.util.JacksonUtil;
 import org.thingsboard.server.common.data.exception.ThingsboardErrorCode;
 import org.thingsboard.server.common.data.exception.ThingsboardException;
+import org.thingsboard.server.common.msg.tools.MaxPayloadSizeExceededException;
 import org.thingsboard.server.common.msg.tools.TbRateLimitsException;
 import org.thingsboard.server.service.security.exception.AuthMethodNotSupportedException;
 import org.thingsboard.server.service.security.exception.JwtExpiredTokenException;
@@ -146,6 +147,8 @@ public class ThingsboardErrorResponseHandler extends ResponseEntityExceptionHand
                     handleAccessDeniedException(response);
                 } else if (exception instanceof AuthenticationException) {
                     handleAuthenticationException((AuthenticationException) exception, response);
+                }  else if (exception instanceof MaxPayloadSizeExceededException) {
+                    handleMaxPayloadSizeExceededException(response, (MaxPayloadSizeExceededException) exception);
                 } else {
                     response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
                     JacksonUtil.writeValue(response.getWriter(), ThingsboardErrorResponse.of(exception.getMessage(),
@@ -184,6 +187,13 @@ public class ThingsboardErrorResponseHandler extends ResponseEntityExceptionHand
                         ThingsboardErrorCode.TOO_MANY_REQUESTS, HttpStatus.TOO_MANY_REQUESTS));
     }
 
+    private void handleMaxPayloadSizeExceededException(HttpServletResponse response, MaxPayloadSizeExceededException exception) throws IOException {
+        response.setStatus(HttpStatus.PAYLOAD_TOO_LARGE.value());
+        JacksonUtil.writeValue(response.getWriter(),
+                ThingsboardErrorResponse.of(exception.getMessage(),
+                        ThingsboardErrorCode.BAD_REQUEST_PARAMS, HttpStatus.PAYLOAD_TOO_LARGE));
+    }
+
     private void handleSubscriptionException(ThingsboardException subscriptionException, HttpServletResponse response) throws IOException {
         response.setStatus(HttpStatus.FORBIDDEN.value());
         JacksonUtil.writeValue(response.getWriter(),

application/src/main/java/org/thingsboard/server/service/edge/EdgeEventSourcingListener.java

@@ -30,6 +30,7 @@ import org.thingsboard.server.common.data.User;
 import org.thingsboard.server.common.data.alarm.Alarm;
 import org.thingsboard.server.common.data.alarm.AlarmApiCallResult;
 import org.thingsboard.server.common.data.alarm.AlarmComment;
+import org.thingsboard.server.common.data.alarm.EntityAlarm;
 import org.thingsboard.server.common.data.audit.ActionType;
 import org.thingsboard.server.common.data.edge.EdgeEventActionType;
 import org.thingsboard.server.common.data.edge.EdgeEventType;
@@ -194,7 +195,7 @@ public class EdgeEventSourcingListener {
                     }
                     break;
                 case ALARM:
-                    if (entity instanceof AlarmApiCallResult || entity instanceof Alarm) {
+                    if (entity instanceof AlarmApiCallResult || entity instanceof Alarm || entity instanceof EntityAlarm) {
                         return false;
                     }
                     break;

application/src/main/java/org/thingsboard/server/service/queue/DefaultTbClusterService.java

@@ -22,6 +22,7 @@ import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.stereotype.Service;
+import org.thingsboard.common.util.JacksonUtil;
 import org.thingsboard.server.cluster.TbClusterService;
 import org.thingsboard.server.common.data.ApiUsageState;
 import org.thingsboard.server.common.data.DataConstants;
@@ -35,6 +36,7 @@ import org.thingsboard.server.common.data.ResourceType;
 import org.thingsboard.server.common.data.TbResourceInfo;
 import org.thingsboard.server.common.data.Tenant;
 import org.thingsboard.server.common.data.TenantProfile;
+import org.thingsboard.server.common.data.asset.Asset;
 import org.thingsboard.server.common.data.edge.EdgeEventActionType;
 import org.thingsboard.server.common.data.edge.EdgeEventType;
 import org.thingsboard.server.common.data.id.AssetId;
@@ -45,6 +47,7 @@ import org.thingsboard.server.common.data.id.EdgeId;
 import org.thingsboard.server.common.data.id.EntityId;
 import org.thingsboard.server.common.data.id.RuleChainId;
 import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.msg.TbMsgType;
 import org.thingsboard.server.common.data.page.PageData;
 import org.thingsboard.server.common.data.page.PageLink;
 import org.thingsboard.server.common.data.plugin.ComponentLifecycleEvent;
@@ -205,7 +208,7 @@ public class DefaultTbClusterService implements TbClusterService {
                 return;
             }
         } else {
-            HasRuleEngineProfile ruleEngineProfile = getRuleEngineProfileForEntityOrElseNull(tenantId, entityId);
+            HasRuleEngineProfile ruleEngineProfile = getRuleEngineProfileForEntityOrElseNull(tenantId, entityId, tbMsg);
             tbMsg = transformMsg(tbMsg, ruleEngineProfile);
         }
 
@@ -213,13 +216,39 @@ public class DefaultTbClusterService implements TbClusterService {
         toRuleEngineMsgs.incrementAndGet();
     }
 
-    private HasRuleEngineProfile getRuleEngineProfileForEntityOrElseNull(TenantId tenantId, EntityId entityId) {
+    HasRuleEngineProfile getRuleEngineProfileForEntityOrElseNull(TenantId tenantId, EntityId entityId, TbMsg tbMsg) {
         if (entityId.getEntityType().equals(EntityType.DEVICE)) {
-            return deviceProfileCache.get(tenantId, new DeviceId(entityId.getId()));
+            if (TbMsgType.ENTITY_DELETED.equals(tbMsg.getInternalType())) {
+                try {
+                    Device deletedDevice = JacksonUtil.fromString(tbMsg.getData(), Device.class);
+                    if (deletedDevice == null) {
+                        return null;
+                    }
+                    return deviceProfileCache.get(tenantId, deletedDevice.getDeviceProfileId());
+                } catch (Exception e) {
+                    log.warn("[{}][{}] Failed to deserialize device: {}", tenantId, entityId, tbMsg, e);
+                    return null;
+                }
+            } else {
+                return deviceProfileCache.get(tenantId, new DeviceId(entityId.getId()));
+            }
         } else if (entityId.getEntityType().equals(EntityType.DEVICE_PROFILE)) {
             return deviceProfileCache.get(tenantId, new DeviceProfileId(entityId.getId()));
         } else if (entityId.getEntityType().equals(EntityType.ASSET)) {
-            return assetProfileCache.get(tenantId, new AssetId(entityId.getId()));
+            if (TbMsgType.ENTITY_DELETED.equals(tbMsg.getInternalType())) {
+                try {
+                    Asset deletedAsset = JacksonUtil.fromString(tbMsg.getData(), Asset.class);
+                    if (deletedAsset == null) {
+                        return null;
+                    }
+                    return assetProfileCache.get(tenantId, deletedAsset.getAssetProfileId());
+                } catch (Exception e) {
+                    log.warn("[{}][{}] Failed to deserialize asset: {}", tenantId, entityId, tbMsg, e);
+                    return null;
+                }
+            } else {
+                return assetProfileCache.get(tenantId, new AssetId(entityId.getId()));
+            }
         } else if (entityId.getEntityType().equals(EntityType.ASSET_PROFILE)) {
             return assetProfileCache.get(tenantId, new AssetProfileId(entityId.getId()));
         }

application/src/main/resources/thingsboard.yml

@@ -959,6 +959,8 @@ transport:
     request_timeout: "${HTTP_REQUEST_TIMEOUT:60000}"
     # HTTP maximum request processing timeout in milliseconds
     max_request_timeout: "${HTTP_MAX_REQUEST_TIMEOUT:300000}"
+    # Maximum request size
+    max_payload_size: "${HTTP_MAX_PAYLOAD_SIZE:65536}" # max payload size in bytes
   # Local MQTT transport parameters
   mqtt:
     # Enable/disable mqtt transport protocol.

application/src/test/java/org/thingsboard/server/controller/RpcControllerTest.java

@@ -22,6 +22,7 @@ import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
+import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.web.servlet.MvcResult;
 import org.thingsboard.common.util.JacksonUtil;
 import org.thingsboard.server.common.data.Device;
@@ -38,6 +39,9 @@ import java.util.List;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 @DaoSqlTest
+@TestPropertySource(properties = {
+        "transport.http.max_payload_size=10000"
+})
 public class RpcControllerTest extends AbstractControllerTest {
 
     private Tenant savedTenant;
@@ -78,13 +82,18 @@ public class RpcControllerTest extends AbstractControllerTest {
     }
 
     private ObjectNode createDefaultRpc() {
+        return createDefaultRpc(100);
+    }
+
+    private ObjectNode createDefaultRpc(int size) {
         ObjectNode rpc = JacksonUtil.newObjectNode();
         rpc.put("method", "setGpio");
 
         ObjectNode params = JacksonUtil.newObjectNode();
 
         params.put("pin", 7);
-        params.put("value", 1);
+        String value = "a".repeat(size - 83);
+        params.put("value", value);
 
         rpc.set("params", params);
         rpc.put("persistent", true);
@@ -122,6 +131,28 @@ public class RpcControllerTest extends AbstractControllerTest {
         Assert.assertEquals(savedDevice.getId(), savedRpc.getDeviceId());
     }
 
+    @Test
+    public void testSaveLargeRpc() throws Exception {
+        Device device = createDefaultDevice();
+        Device savedDevice = doPost("/api/device", device, Device.class);
+
+        ObjectNode rpc = createDefaultRpc(10001);
+        doPost(
+                "/api/rpc/oneway/" + savedDevice.getId().getId().toString(),
+                JacksonUtil.toString(rpc),
+                String.class,
+                status().isPayloadTooLarge()
+        );
+
+        ObjectNode validRpc = createDefaultRpc(10000);
+        doPost(
+                "/api/rpc/oneway/" + savedDevice.getId().getId().toString(),
+                JacksonUtil.toString(validRpc),
+                String.class,
+                status().isOk()
+        );
+    }
+
     @Test
     public void testDeleteRpc() throws Exception {
         Device device = createDefaultDevice();

application/src/test/java/org/thingsboard/server/service/queue/DefaultTbClusterServiceTest.java

@@ -23,11 +23,20 @@ import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.boot.test.mock.mockito.SpyBean;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringRunner;
+import org.thingsboard.common.util.JacksonUtil;
 import org.thingsboard.server.cluster.TbClusterService;
 import org.thingsboard.server.common.data.DataConstants;
+import org.thingsboard.server.common.data.Device;
+import org.thingsboard.server.common.data.asset.Asset;
+import org.thingsboard.server.common.data.id.AssetId;
+import org.thingsboard.server.common.data.id.AssetProfileId;
+import org.thingsboard.server.common.data.id.DeviceId;
+import org.thingsboard.server.common.data.id.DeviceProfileId;
 import org.thingsboard.server.common.data.id.QueueId;
 import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.msg.TbMsgType;
 import org.thingsboard.server.common.data.queue.Queue;
+import org.thingsboard.server.common.msg.TbMsg;
 import org.thingsboard.server.common.msg.queue.ServiceType;
 import org.thingsboard.server.dao.edge.EdgeService;
 import org.thingsboard.server.gen.transport.TransportProtos;
@@ -249,4 +258,44 @@ public class DefaultTbClusterServiceTest {
         queue.setPartitions(10);
         return queue;
     }
+
+    @Test
+    public void testGetRuleEngineProfileForUpdatedAndDeletedDevice() {
+        DeviceId deviceId = new DeviceId(UUID.randomUUID());
+        TenantId tenantId = new TenantId(UUID.randomUUID());
+        DeviceProfileId deviceProfileId = new DeviceProfileId(UUID.randomUUID());
+
+        Device device = new Device(deviceId);
+        device.setDeviceProfileId(deviceProfileId);
+
+        // device updated
+        TbMsg tbMsg = TbMsg.builder().internalType(TbMsgType.ENTITY_UPDATED).build();
+        ((DefaultTbClusterService) clusterService).getRuleEngineProfileForEntityOrElseNull(tenantId, deviceId, tbMsg);
+        verify(deviceProfileCache, times(1)).get(tenantId, deviceId);
+
+        // device deleted
+        tbMsg = TbMsg.builder().internalType(TbMsgType.ENTITY_DELETED).data(JacksonUtil.toString(device)).build();
+        ((DefaultTbClusterService) clusterService).getRuleEngineProfileForEntityOrElseNull(tenantId, deviceId, tbMsg);
+        verify(deviceProfileCache, times(1)).get(tenantId, deviceProfileId);
+    }
+
+    @Test
+    public void testGetRuleEngineProfileForUpdatedAndDeletedAsset() {
+        AssetId assetId = new AssetId(UUID.randomUUID());
+        TenantId tenantId = new TenantId(UUID.randomUUID());
+        AssetProfileId assetProfileId = new AssetProfileId(UUID.randomUUID());
+
+        Asset asset = new Asset(assetId);
+        asset.setAssetProfileId(assetProfileId);
+
+        // asset updated
+        TbMsg tbMsg = TbMsg.builder().internalType(TbMsgType.ENTITY_UPDATED).build();
+        ((DefaultTbClusterService) clusterService).getRuleEngineProfileForEntityOrElseNull(tenantId, assetId, tbMsg);
+        verify(assetProfileCache, times(1)).get(tenantId, assetId);
+
+        // asset deleted
+        tbMsg = TbMsg.builder().internalType(TbMsgType.ENTITY_DELETED).data(JacksonUtil.toString(asset)).build();
+        ((DefaultTbClusterService) clusterService).getRuleEngineProfileForEntityOrElseNull(tenantId, assetId, tbMsg);
+        verify(assetProfileCache, times(1)).get(tenantId, assetProfileId);
+    }
 }

application/src/test/java/org/thingsboard/server/service/script/NashornJsInvokeServiceTest.java

@@ -39,12 +39,13 @@ import java.util.concurrent.TimeoutException;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.thingsboard.server.common.data.msg.TbMsgType.POST_TELEMETRY_REQUEST;
 
 @DaoSqlTest
 @TestPropertySource(properties = {
         "js.evaluator=local",
-        "js.max_script_body_size=50",
+        "js.max_script_body_size=10000",
         "js.max_total_args_size=50",
         "js.max_result_size=50",
         "js.local.max_errors=2",
@@ -87,7 +88,7 @@ class NashornJsInvokeServiceTest extends AbstractControllerTest {
 
     @Test
     void givenSimpleScriptMultiThreadTestPerformance() throws ExecutionException, InterruptedException, TimeoutException {
-        int iterations = 1000*4;
+        int iterations = 1000 * 4;
         List<ListenableFuture<Object>> futures = new ArrayList<>(iterations);
         UUID scriptId = evalScript("return msg.temperature > 20 ;");
         // warmup
@@ -125,7 +126,7 @@ class NashornJsInvokeServiceTest extends AbstractControllerTest {
 
     @Test
     void givenTooBigScriptForEval_thenReturnError() {
-        String hugeScript = "var a = 'qwertyqwertywertyqwabababer'; return {a: a};";
+        String hugeScript = "var a = '" + "a".repeat(10000) + "'; return {a: a};";
 
         assertThatThrownBy(() -> {
             evalScript(hugeScript);
@@ -159,6 +160,46 @@ class NashornJsInvokeServiceTest extends AbstractControllerTest {
         assertThatScriptIsBlocked(scriptId);
     }
 
+    @Test
+    void givenComplexScript_testCompile() {
+        String script = """
+                function(data) {
+                  if (data.get("propertyA") == "a special value 1" || data.get("propertyA") == "a special value 2") {
+                    return "a special value 1";
+                  } else if (data.get("propertyB") == "a special value 3" && (data.get("propertyC") == "a special value 1" || data.get("propertyJ") == "a special value 1" || data.get("propertyV") == "a special value 1")) {
+                    return "a special value 1";
+                  } else if (data.get("propertyB") == "4" && (data.get("propertyD") == "a special value 1" || data.get("propertyV") == "a special value 1" || data.get("propertyW") == "a special value 1")) {
+                    return "a special value 1";
+                  } else if (data.get("propertyB") == "a special value 2" && (data.get("propertyE") == "a special value 1" || data.get("propertyF") == "a special value 1" || data.get("propertyL") == "a special value 1")) {
+                    return "a special value 1";
+                  } else if (data.get("propertyB") == "a special value 3" && (data.get("propertyE") == "a special value 1" || data.get("propertyF") == "a special value 1" || data.get("propertyL") == "a special value 1")) {
+                    return "a special value 1";
+                  } else if (data.get("propertyB") == "a special value 3" && (data.get("propertyM") == "a special value 1" || data.get("propertyY") == "a special value 1" || data.get("propertyH") == "a special value 1")) {
+                    return "a special value 1";
+                  } else if (data.get("propertyB") == "a special value 3" && (data.get("propertyM") == "a special value 1" || data.get("propertyY") == "a special value 1" || data.get("propertyH") == "a special value 1")) {
+                    return "a special value 1";
+                  } else if (data.get("propertyB") == "a special value 3" && (data.get("propertyM") == "a special value 1" || data.get("propertyY") == "a special value 1" || data.get("propertyH") == "a special value 1")) {
+                    return "a special value 1";
+                  } else if (data.get("propertyB") == "a special value 3" && (data.get("propertyM") == "a special value 1" || data.get("propertyY") == "a special value 1" || data.get("propertyH") == "a special value 1")) {
+                    return "a special value 1";
+                  } else if (data.get("propertyB") == "a special value 3" && (data.get("propertyM") == "a special value 1" || data.get("propertyY") == "a special value 1" || data.get("propertyH") == "a special value 1")) {
+                    return "a special value 1";
+                  }  else if (data.get("propertyB") == "a special value 3" && (data.get("propertyM") == "a special value 1" || data.get("propertyY") == "a special value 1" || data.get("propertyH") == "a special value 1")) {
+                    return "a special value 1";
+                  } else if (data.get("propertyB") == "a special value 3" && (data.get("propertyM") == "a special value 1" || data.get("propertyY") == "a special value 1" || data.get("propertyH") == "a special value 1")) {
+                    return "a special value 1";
+                  } else {
+                     return "0"
+                  };
+                }
+                """;
+
+        // with delight-nashorn-sandbox 0.4.2, this would throw delight.nashornsandbox.exceptions.ScriptCPUAbuseException: Regular expression running for too many iterations. The operation could NOT be gracefully interrupted.
+        assertDoesNotThrow(() -> {
+            evalScript(script);
+        });
+    }
+
     private void assertThatScriptIsBlocked(UUID scriptId) {
         assertThatThrownBy(() -> {
             invokeScript(scriptId, "{}");

application/src/test/java/org/thingsboard/server/system/BaseHttpDeviceApiTest.java

@@ -20,6 +20,7 @@ import org.junit.Test;
 import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
+import org.thingsboard.common.util.JacksonUtil;
 import org.thingsboard.server.common.data.Device;
 import org.thingsboard.server.common.data.security.DeviceCredentials;
 import org.thingsboard.server.controller.AbstractControllerTest;
@@ -29,6 +30,7 @@ import java.util.Map;
 import java.util.Random;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.asyncDispatch;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
@@ -40,6 +42,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  */
 @TestPropertySource(properties = {
         "transport.http.enabled=true",
+        "transport.http.max_payload_size=10000"
 })
 public abstract class BaseHttpDeviceApiTest extends AbstractControllerTest {
 
@@ -74,6 +77,44 @@ public abstract class BaseHttpDeviceApiTest extends AbstractControllerTest {
         doGetAsync("/api/v1/" + deviceCredentials.getCredentialsId() + "/attributes?clientKeys=keyA,keyB,keyC").andExpect(status().isOk());
     }
 
+    @Test
+    public void testReplyToCommandWithLargeResponse() throws Exception {
+        String errorResponse = doPost("/api/v1/" + deviceCredentials.getCredentialsId() + "/rpc/5",
+                JacksonUtil.toString(createRpcResponsePayload(10001)),
+                String.class,
+                status().isPayloadTooLarge());
+        assertThat(errorResponse).contains("Payload size exceeds the limit");
+
+        doPost("/api/v1/" + deviceCredentials.getCredentialsId() + "/rpc/5",
+                JacksonUtil.toString(createRpcResponsePayload(10000)),
+                String.class,
+                status().isOk());
+    }
+
+    @Test
+    public void testPostRpcRequestWithLargeResponse() throws Exception {
+        String errorResponse = doPost("/api/v1/" + deviceCredentials.getCredentialsId() + "/rpc",
+                JacksonUtil.toString(createRpcRequestPayload(10001)),
+                String.class,
+                status().isPayloadTooLarge());
+        assertThat(errorResponse).contains("Payload size exceeds the limit");
+
+        doPost("/api/v1/" + deviceCredentials.getCredentialsId() + "/rpc",
+                JacksonUtil.toString(createRpcRequestPayload(10000)),
+                String.class,
+                status().isOk());
+    }
+
+    private String createRpcResponsePayload(int size) {
+        String value = "a".repeat(size - 19);
+        return "{\"result\":\"" + value + "\"}";
+    }
+
+    private String createRpcRequestPayload(int size) {
+        String value = "a".repeat(size - 50);
+        return "{\"method\":\"get\",\"params\":{\"value\":\"" + value + "\"}}";
+    }
+
     protected ResultActions doGetAsync(String urlTemplate, Object... urlVariables) throws Exception {
         MockHttpServletRequestBuilder getRequest;
         getRequest = get(urlTemplate, urlVariables);

common/message/src/main/java/org/thingsboard/server/common/msg/tools/MaxPayloadSizeExceededException.java

@@ -0,0 +1,23 @@
+/**
+ * Copyright © 2016-2024 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.common.msg.tools;
+
+public class MaxPayloadSizeExceededException extends RuntimeException {
+
+    public MaxPayloadSizeExceededException() {
+        super("Payload size exceeds the limit");
+    }
+}

common/transport/http/src/main/java/org/thingsboard/server/transport/http/DeviceApiController.java

@@ -21,9 +21,14 @@ import com.google.gson.JsonParser;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.Parameter;
 import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.responses.ApiResponses;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.core.io.ByteArrayResource;
 import org.springframework.http.HttpHeaders;
@@ -31,6 +36,7 @@ import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.http.converter.HttpMessageNotReadableException;
+import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -38,6 +44,8 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.context.request.async.DeferredResult;
+import org.thingsboard.common.util.JacksonUtil;
+import org.thingsboard.server.common.adaptor.JsonConverter;
 import org.thingsboard.server.common.data.DataConstants;
 import org.thingsboard.server.common.data.DeviceTransportType;
 import org.thingsboard.server.common.data.StringUtils;
@@ -45,11 +53,11 @@ import org.thingsboard.server.common.data.TbTransportService;
 import org.thingsboard.server.common.data.id.DeviceId;
 import org.thingsboard.server.common.data.ota.OtaPackageType;
 import org.thingsboard.server.common.data.rpc.RpcStatus;
+import org.thingsboard.server.common.msg.tools.MaxPayloadSizeExceededException;
 import org.thingsboard.server.common.transport.SessionMsgListener;
 import org.thingsboard.server.common.transport.TransportContext;
 import org.thingsboard.server.common.transport.TransportService;
 import org.thingsboard.server.common.transport.TransportServiceCallback;
-import org.thingsboard.server.common.adaptor.JsonConverter;
 import org.thingsboard.server.common.transport.auth.SessionInfoCreator;
 import org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsResponse;
 import org.thingsboard.server.gen.transport.TransportProtos;
@@ -68,7 +76,7 @@ import org.thingsboard.server.gen.transport.TransportProtos.ToServerRpcRequestMs
 import org.thingsboard.server.gen.transport.TransportProtos.ToServerRpcResponseMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.ValidateDeviceTokenRequestMsg;
 
-import jakarta.servlet.http.HttpServletRequest;
+import java.io.IOException;
 import java.util.Arrays;
 import java.util.List;
 import java.util.UUID;
@@ -128,6 +136,9 @@ public class DeviceApiController implements TbTransportService {
 
     private static final String ACCESS_TOKEN_PARAM_DESCRIPTION = "Your device access token.";
 
+    @Value("${transport.http.max_payload_size:65536}")
+    private int maxPayloadSize;
+
     @Autowired
     private HttpTransportContext transportContext;
 
@@ -265,6 +276,11 @@ public class DeviceApiController implements TbTransportService {
     @Operation(summary = "Reply to RPC commands (replyToCommand)",
             description = "Replies to server originated RPC command identified by 'requestId' parameter. The response is arbitrary JSON.\n\n" +
                     REQUIRE_ACCESS_TOKEN)
+    @ApiResponses(value = {
+            @ApiResponse(responseCode = "200", description = "RPC reply to command request was sent to Core."),
+            @ApiResponse(responseCode = "400", description = "Invalid structure of the request."),
+            @ApiResponse(responseCode = "413", description = "Request payload is too large."),
+    })
     @RequestMapping(value = "/{deviceToken}/rpc/{requestId}", method = RequestMethod.POST)
     public DeferredResult<ResponseEntity> replyToCommand(
             @Parameter(description = ACCESS_TOKEN_PARAM_DESCRIPTION, required = true , schema = @Schema(defaultValue = "YOUR_DEVICE_ACCESS_TOKEN"))
@@ -272,7 +288,8 @@ public class DeviceApiController implements TbTransportService {
             @Parameter(description = "RPC request id from the incoming RPC request", required = true , schema = @Schema(defaultValue = "123"))
             @PathVariable("requestId") Integer requestId,
             @io.swagger.v3.oas.annotations.parameters.RequestBody(description = "Reply to the RPC request, JSON. For example: {\"status\":\"success\"}", required = true)
-            @RequestBody String json) {
+            @RequestBody String json, HttpServletRequest httpServletRequest) {
+        checkPayloadSize(httpServletRequest);
         DeferredResult<ResponseEntity> responseWriter = new DeferredResult<ResponseEntity>();
         transportContext.getTransportService().process(DeviceTransportType.DEFAULT, ValidateDeviceTokenRequestMsg.newBuilder().setToken(deviceToken).build(),
                 new DeviceAuthCallback(transportContext, responseWriter, sessionInfo -> {
@@ -292,12 +309,18 @@ public class DeviceApiController implements TbTransportService {
                     "{\"result\": 4}" +
                     MARKDOWN_CODE_BLOCK_END +
                     REQUIRE_ACCESS_TOKEN)
+    @ApiResponses(value = {
+            @ApiResponse(responseCode = "200", description = "RPC request to server was sent to Rule Engine."),
+            @ApiResponse(responseCode = "400", description = "Invalid structure of the request."),
+            @ApiResponse(responseCode = "413", description = "Request payload too large."),
+    })
     @RequestMapping(value = "/{deviceToken}/rpc", method = RequestMethod.POST)
     public DeferredResult<ResponseEntity> postRpcRequest(
             @Parameter(description = ACCESS_TOKEN_PARAM_DESCRIPTION, required = true , schema = @Schema(defaultValue = "YOUR_DEVICE_ACCESS_TOKEN"))
             @PathVariable("deviceToken") String deviceToken,
             @io.swagger.v3.oas.annotations.parameters.RequestBody(description = "The RPC request JSON", required = true)
-            @RequestBody String json) {
+            @RequestBody String json, HttpServletRequest httpServletRequest) {
+        checkPayloadSize(httpServletRequest);
         DeferredResult<ResponseEntity> responseWriter = new DeferredResult<ResponseEntity>();
         transportContext.getTransportService().process(DeviceTransportType.DEFAULT, ValidateDeviceTokenRequestMsg.newBuilder().setToken(deviceToken).build(),
                 new DeviceAuthCallback(transportContext, responseWriter, sessionInfo -> {
@@ -420,6 +443,12 @@ public class DeviceApiController implements TbTransportService {
         return responseWriter;
     }
 
+    private void checkPayloadSize(HttpServletRequest httpServletRequest) {
+        if (httpServletRequest.getContentLength() > maxPayloadSize) {
+            throw new MaxPayloadSizeExceededException();
+        }
+    }
+
     private DeferredResult<ResponseEntity> getOtaPackageCallback(String deviceToken, String title, String version, int size, int chunk, OtaPackageType firmwareType) {
         DeferredResult<ResponseEntity> responseWriter = new DeferredResult<>();
         transportContext.getTransportService().process(DeviceTransportType.DEFAULT, ValidateDeviceTokenRequestMsg.newBuilder().setToken(deviceToken).build(),
@@ -608,6 +637,20 @@ public class DeviceApiController implements TbTransportService {
 
     }
 
+    @ExceptionHandler(MaxPayloadSizeExceededException.class)
+    public void handle(MaxPayloadSizeExceededException exception, HttpServletRequest request, HttpServletResponse response) {
+        log.debug("Too large payload size. Url: {}, client ip: {}, content length: {}", request.getRequestURL(),
+                request.getRemoteAddr(), request.getContentLength());
+        if (!response.isCommitted()) {
+            try {
+                response.setStatus(HttpStatus.PAYLOAD_TOO_LARGE.value());
+                JacksonUtil.writeValue(response.getWriter(), exception.getMessage());
+            } catch (IOException e) {
+                log.error("Can't handle exception", e);
+            }
+        }
+    }
+
     private static MediaType parseMediaType(String contentType) {
         try {
             return MediaType.parseMediaType(contentType);

dao/src/main/java/org/thingsboard/server/dao/resource/BaseResourceService.java

@@ -155,6 +155,9 @@ public class BaseResourceService extends AbstractCachedEntityService<ResourceInf
             resourceValidator.validateDelete(tenantId, resourceId);
         }
         TbResource resource = findResourceById(tenantId, resourceId);
+        if (resource == null) {
+            return;
+        }
         resourceDao.removeById(tenantId, resourceId.getId());
         eventPublisher.publishEvent(DeleteEntityEvent.builder().tenantId(tenantId).entity(resource).entityId(resourceId).build());
     }

dao/src/main/java/org/thingsboard/server/dao/rule/BaseRuleChainService.java

@@ -433,19 +433,20 @@ public class BaseRuleChainService extends AbstractEntityService implements RuleC
     public void deleteRuleChainById(TenantId tenantId, RuleChainId ruleChainId) {
         Validator.validateId(ruleChainId, "Incorrect rule chain id for delete request.");
         RuleChain ruleChain = ruleChainDao.findById(tenantId, ruleChainId.getId());
+        if (ruleChain == null) {
+            return;
+        }
 
         List<RuleNode> referencingRuleNodes = getReferencingRuleChainNodes(tenantId, ruleChainId);
         Set<RuleChainId> referencingRuleChainIds = referencingRuleNodes.stream().map(RuleNode::getRuleChainId).collect(Collectors.toSet());
 
-        if (ruleChain != null) {
+        if (ruleChain.isRoot()) {
-            if (ruleChain.isRoot()) {
+            throw new DataValidationException("Deletion of Root Tenant Rule Chain is prohibited!");
-                throw new DataValidationException("Deletion of Root Tenant Rule Chain is prohibited!");
+        }
-            }
+        if (RuleChainType.EDGE.equals(ruleChain.getType())) {
-            if (RuleChainType.EDGE.equals(ruleChain.getType())) {
+            for (Edge edge : new PageDataIterable<>(link -> edgeService.findEdgesByTenantIdAndEntityId(tenantId, ruleChainId, link), DEFAULT_PAGE_SIZE)) {
-                for (Edge edge : new PageDataIterable<>(link -> edgeService.findEdgesByTenantIdAndEntityId(tenantId, ruleChainId, link), DEFAULT_PAGE_SIZE)) {
+                if (edge.getRootRuleChainId() != null && edge.getRootRuleChainId().equals(ruleChainId)) {
-                    if (edge.getRootRuleChainId() != null && edge.getRootRuleChainId().equals(ruleChainId)) {
+                    throw new DataValidationException("Can't delete rule chain that is root for edge [" + edge.getName() + "]. Please assign another root rule chain first to the edge!");
-                        throw new DataValidationException("Can't delete rule chain that is root for edge [" + edge.getName() + "]. Please assign another root rule chain first to the edge!");
-                    }
                 }
             }
         }
@@ -457,6 +458,9 @@ public class BaseRuleChainService extends AbstractEntityService implements RuleC
     public void deleteEntity(TenantId tenantId, EntityId id, boolean force) {
         if (force) {
             RuleChain ruleChain = findRuleChainById(tenantId, (RuleChainId) id);
+            if (ruleChain == null) {
+                return;
+            }
             checkRuleNodesAndDelete(tenantId, ruleChain, null);
         } else {
             deleteRuleChainById(tenantId, (RuleChainId) id);

pom.xml

@@ -105,7 +105,7 @@
             org/thingsboard/server/extensions/core/plugin/telemetry/gen/**/*
         </sonar.exclusions>
         <elasticsearch.version>8.13.2</elasticsearch.version>
-        <delight-nashorn-sandbox.version>0.4.2</delight-nashorn-sandbox.version>
+        <delight-nashorn-sandbox.version>0.4.5</delight-nashorn-sandbox.version>
         <nashorn-core.version>15.4</nashorn-core.version>
         <!-- IMPORTANT: If you change the version of the kafka client, make sure to synchronize our overwritten implementation of the
         org.apache.kafka.common.network.NetworkReceive class in the application module. It addresses the issue https://issues.apache.org/jira/browse/KAFKA-4090.

rule-engine/rule-engine-components/src/main/java/org/thingsboard/rule/engine/rest/TbHttpClient.java

@@ -118,8 +118,8 @@ public class TbHttpClient {
                             o.username(proxyUser).password(u -> proxyPassword);
                         }
                     });
-                    SslContext sslContext = SslContextBuilder.forClient().build();
+                    SslContext sslContext = config.getCredentials().initSslContext();
-                    httpClient.secure(t -> t.sslContext(sslContext));
+                    httpClient = httpClient.secure(t -> t.sslContext(sslContext));
                 }
             } else if (!config.isUseSimpleClientHttpFactory()) {
                 if (CredentialsType.CERT_PEM == config.getCredentials().getType()) {

transport/http/src/main/resources/tb-http-transport.yml

@@ -170,6 +170,8 @@ transport:
     request_timeout: "${HTTP_REQUEST_TIMEOUT:60000}"
     # HTTP maximum request processing timeout in milliseconds
     max_request_timeout: "${HTTP_MAX_REQUEST_TIMEOUT:300000}"
+    # Maximum request size
+    max_payload_size: "${HTTP_MAX_PAYLOAD_SIZE:65536}" # max payload size in bytes
   sessions:
     # Session inactivity timeout is a global configuration parameter that defines how long the device transport session will be opened after the last message arrives from the device.
     # The parameter value is in milliseconds.