author | Vladimir Shushlin <vshushlin@gitlab.com> | 2022-04-01 10:55:29 +0300 |
---|---|---|
committer | Vladimir Shushlin <vshushlin@gitlab.com> | 2022-04-01 10:55:29 +0300 |
commit | e1f1effa23c520d3b8b717d831ccab7ba3dd494f (patch) | |
tree | 5cbf101d9b80855bf007ea2cab74a7ac44a518c1 | |
parent | 1c7ed827db6ede4dab91ef8b8fef239e3bed5dd5 (diff) | |
parent | 43e42a8b797732a013f4c01cc0193643bff614e0 (diff) |
Merge branch 'security-fix-weak-timeouts' into 'master'
Fix weak timeouts
See merge request gitlab-org/security/gitlab-pages!18
-rw-r--r-- | internal/config/config.go | 14 | ||||
-rw-r--r-- | internal/config/flags.go | 6 | ||||
-rw-r--r-- | server.go | 7 |
3 files changed, 25 insertions, 2 deletions
diff --git a/internal/config/config.go b/internal/config/config.go
index 48bab76e..dbb88806 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -20,6 +20,7 @@ type Config struct {
 GitLab GitLab
 Log Log
 Sentry Sentry
+ Server Server
 TLS TLS
 Zip ZipServing
@@ -138,6 +139,13 @@ type ZipServing struct {
 HTTPClientTimeout time.Duration
 }
+type Server struct {
+ ReadTimeout time.Duration
+ ReadHeaderTimeout time.Duration
+ WriteTimeout time.Duration
+ ListenKeepAlive time.Duration
+}
+
 func internalGitlabServerFromFlags() string {
 if *internalGitLabServer != "" {
 return *internalGitLabServer
@@ -243,6 +251,12 @@ func loadConfig() (*Config, error) {
 AllowedPaths: []string{*pagesRoot},
 HTTPClientTimeout: *zipHTTPClientTimeout,
 },
+ Server: Server{
+ ReadTimeout: *serverReadTimeout,
+ ReadHeaderTimeout: *serverReadHeaderTimeout,
+ WriteTimeout: *serverWriteTimeout,
+ ListenKeepAlive: *serverKeepAlive,
+ },
 // Actual listener pointers will be populated in appMain. We populate the
 // raw strings here so that they are available in appMain
diff --git a/internal/config/flags.go b/internal/config/flags.go
index cd44692a..a5d9c221 100644
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
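Review bot: The new exported `Server` type and its four fields in the second config.go hunk have no doc comments, so the only place that says what a zero or negative value does is the flag help text over in flags.go. Because these values decide whether the slow-client protection is on at all, the contract belongs on the type: `// Server holds the timeouts applied to the HTTP listener. A zero or negative value disables the corresponding timeout (see the server-* flags).` Also worth stating on the field that `// ListenKeepAlive is the TCP keep-alive period handed to net.ListenConfig for accepted connections; it is not the HTTP idle timeout.`, since server.go feeds it to net.ListenConfig and the name invites confusion with HTTP keep-alive.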
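Review bot: In the loadConfig hunk the four server values are copied from the flags with no validation, so an operator passing `-server-read-timeout=0` or `-server-read-header-timeout=-1` disables that timeout entirely (per the flag help) and silently reinstates the slow-request exposure this merge request is fixing. Since loadConfig already returns an error, consider rejecting non-positive timeouts here, e.g. `if *serverReadHeaderTimeout <= 0 { return nil, fmt.Errorf("server-read-header-timeout must be positive, got %s", *serverReadHeaderTimeout) }` (using whatever error construction the function already relies on), repeated for the read and write timeouts. If disabling a timeout is meant to remain a supported escape hatch, a logged warning instead of a hard failure would still make the weakened state visible. loadConfig starts and ends outside the hunk.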
@@ -82,6 +82,12 @@ var (
 zipOpenTimeout = flag.Duration("zip-open-timeout", 30*time.Second, "Zip archive open timeout")
 zipHTTPClientTimeout = flag.Duration("zip-http-client-timeout", 30*time.Minute, "Zip HTTP client timeout")
+ // HTTP server timeouts
+ serverReadTimeout = flag.Duration("server-read-timeout", 5*time.Second, "ReadTimeout is the maximum duration for reading the entire request, including the body. A zero or negative value means there will be no timeout.")
+ serverReadHeaderTimeout = flag.Duration("server-read-header-timeout", time.Second, "ReadHeaderTimeout is the amount of time allowed to read request headers. A zero or negative value means there will be no timeout.")
+ serverWriteTimeout = flag.Duration("server-write-timeout", 30*time.Second, "WriteTimeout is the maximum duration before timing out writes of the response. A zero or negative value means there will be no timeout.")
+ serverKeepAlive = flag.Duration("server-keep-alive", 15*time.Second, "KeepAlive specifies the keep-alive period for network connections accepted by this listener. If zero, keep-alives are enabled if supported by the protocol and operating system. If negative, keep-alives are disabled.")
+
 disableCrossOriginRequests = flag.Bool("disable-cross-origin-requests", false, "Disable cross-origin requests")
 showVersion = flag.Bool("version", false, "Show version")
@@ -7,7 +7,6 @@ import (
 stdlog "log"
 "net"
 "net/http"
- "time"
 "github.com/pires/go-proxyproto"
 "github.com/sirupsen/logrus"
@@ -40,8 +39,12 @@ func (a *theApp) listenAndServe(server *http.Server, addr string, h http.Handler
 server.TLSConfig.NextProtos = append(server.TLSConfig.NextProtos, "h2")
 }
+ server.ReadTimeout = a.config.Server.ReadTimeout
+ server.ReadHeaderTimeout = a.config.Server.ReadHeaderTimeout
+ server.WriteTimeout = a.config.Server.WriteTimeout
+
 lc := net.ListenConfig{
- KeepAlive: 3 * time.Minute,
+ KeepAlive: a.config.Server.ListenKeepAlive,
 }
 l, err := lc.Listen(context.Background(), "tcp", addr) |
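Review bot: The help strings of the four new flags in the flags.go hunk are lifted from the net/http field docs and open with the Go field name (`ReadTimeout is the maximum duration ...`), which means nothing to an operator reading `-server-read-timeout -h` output; describe the flag instead, e.g. `"Maximum duration for reading an entire request, including the body (0 or negative disables the timeout)"`. The last flag is also named `server-keep-alive` while the config field it populates is `ListenKeepAlive` and the value ends up in net.ListenConfig, i.e. it governs TCP keep-alive probes rather than HTTP keep-alive; since the flag is new in this change, naming it `server-listen-keep-alive` or prefixing the help with "TCP keep-alive period ..." would avoid that confusion. The `var (` block starts and ends outside the hunk.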
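Review bot: In the listenAndServe hunk `server.IdleTimeout` is left unset, and net/http documents that a zero IdleTimeout falls back to ReadTimeout, so idle keep-alive connections will now be closed after `server-read-timeout` (5s by default) rather than after an independently chosen period. That is probably an acceptable default, but the coupling is invisible here: anyone later raising `server-read-timeout` for slow clients also lengthens how long idle connections occupy the server. Make it explicit with `server.IdleTimeout = a.config.Server.ReadTimeout // net/http: zero IdleTimeout falls back to ReadTimeout; keep the coupling visible` or, better, its own `server-idle-timeout` flag wired through config.Server like the other three. listenAndServe begins and continues outside the hunk, and the server.go file header is not shown on this page, so the hunk's file is inferred from the diffstat.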