github.com/nodejs/node.git
author Matteo Collina <hello@matteocollina.com> 2020-05-14 21:21:34 +0300
committer Richard Lau <riclau@uk.ibm.com> 2020-09-15 22:39:54 +0300
commit df08d527c2083b852d8456b88b39114f30525236
tree 3957f9865debe958271ab09a941303dc90225f70 /doc
parent cb90248c145763502ee8fae67960d45293c9e0bf
http: add requestTimeout
This commit introduces a new http.Server option called requestTimeout with a default value in milliseconds of 0.

If requestTimeout is set to a positive value, the server will start a new timer set to expire in requestTimeout milliseconds when a new connection is established. The timer is also set again if new requests after the first are received on the socket (this handles pipelining and keep-alive cases).

The timer is cancelled when:

1. the request body is completely received by the server.
2. the response is completed. This handles the case where the application responds to the client without consuming the request body.
3. the connection is upgraded, like in the WebSocket case.

If the timer expires, then the server responds with status code 408 and closes the connection.

CVE-2020-8251

PR-URL: https://github.com/nodejs-private/node-private/pull/208
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Mary Marchini <oss@mmarchini.me>
Co-Authored-By: Paolo Insogna <paolo@cowtech.it>
Co-Authored-By: Robert Nagy <ronagy@icloud.com>
Diffstat (limited to 'doc')
-rw-r--r-- doc/api/errors.md | 5
-rw-r--r-- doc/api/http.md | 17
-rw-r--r-- doc/api/https.md | 10
3 files changed, 32 insertions, 0 deletions
diff --git a/doc/api/errors.md b/doc/api/errors.md
index db56c571e9c..98ca5c17a8f 100644
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@@ -940,6 +940,11 @@ allowed size for a `Buffer`.
An invalid symlink type was passed to the [`fs.symlink()`][] or
[`fs.symlinkSync()`][] methods.
+<a id="ERR_HTTP_REQUEST_TIMEOUT"></a>
+### `ERR_HTTP_REQUEST_TIMEOUT`
+
+The client has not sent the entire request within the allowed time.
+
<a id="ERR_HTTP_HEADERS_SENT"></a>
### `ERR_HTTP_HEADERS_SENT`
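Review bot: `ERR_HTTP_REQUEST_TIMEOUT` is inserted ahead of `ERR_HTTP_HEADERS_SENT`; if this list is meant to stay alphabetical, the new entry belongs after the `ERR_HTTP_*` codes that sort before it. The description would also be easier to act on if it named the setting behind "the allowed time", for example by linking to `server.requestTimeout`, and mentioned that the server answers with status 408 when it fires.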
diff --git a/doc/api/http.md b/doc/api/http.md
index e5871ef5a8c..8945ba3fda5 100644
--- a/doc/api/http.md
+++ b/doc/api/http.md
@@ -1259,6 +1259,23 @@ added: v0.7.0
Limits maximum incoming headers count. If set to 0, no limit will be applied.
+### `server.requestTimeout`
+<!-- YAML
+added: REPLACEME
+-->
+
+* {number} **Default:** `0`
+
+Sets the timeout value in milliseconds for receiving the entire request from
+the client.
+
+If the timeout expires, the server responds with status 408 without
+forwarding the request to the request listener and then closes the connection.
+
+It must be set to a non-zero value (e.g. 120 seconds) to proctect against
+potential Denial-of-Service attacks in case the server is deployed without a
+reverse proxy in front.
+
### `server.setTimeout([msecs][, callback])`
<!-- YAML
added: v0.9.12
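Review bot: The last paragraph of the new `server.requestTimeout` entry says the option "must be set to a non-zero value" while the entry lists a default of `0`, and the text never says what `0` means. State explicitly that `0` disables the timeout, so readers see that the default leaves a server deployed without a reverse proxy unprotected. Also fix the typo "proctect" to "protect", and consider documenting when the timer starts and when it is cancelled (request body fully received, response completed, connection upgraded), which the commit message covers but the documentation does not.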
diff --git a/doc/api/https.md b/doc/api/https.md
index f94bf7f4e9e..8dbe4d2f224 100644
--- a/doc/api/https.md
+++ b/doc/api/https.md
@@ -113,6 +113,15 @@ This method is identical to [`server.listen()`][] from [`net.Server`][].
See [`http.Server#maxHeadersCount`][].
+### `server.requestTimeout`
+<!-- YAML
+added: REPLACEME
+-->
+
+* {number} **Default:** `0`
+
+See [`http.Server#requestTimeout`][].
+
### `server.setTimeout([msecs][, callback])`
<!-- YAML
added: v0.11.2
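Review bot: The default of `0` is repeated in this `https.md` entry even though the entry otherwise defers to `http.Server#requestTimeout`, so both files need updating if the default ever changes. Either drop the default line and rely on the link, or carry over the one-sentence advice about setting a non-zero value, since a reader landing on the HTTPS page sees the default without that caveat.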
@@ -451,6 +460,7 @@ headers: max-age=0; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; p
[`http.Server#headersTimeout`]: http.html#http_server_headerstimeout
[`http.Server#keepAliveTimeout`]: http.html#http_server_keepalivetimeout
[`http.Server#maxHeadersCount`]: http.html#http_server_maxheaderscount
+[`http.Server#requestTimeout`]: http.html#http_server_requesttimeout
[`http.Server#setTimeout()`]: http.html#http_server_settimeout_msecs_callback
[`http.Server#timeout`]: http.html#http_server_timeout
[`http.Server`]: http.html#http_class_http_server