
gitlab.com/gitlab-org/gitlab-pages.git - Unnamed repository; edit this file 'description' to name the repository.
authorVladimir Shushlin <vshushlin@gitlab.com>2022-04-01 10:55:29 +0300
committerVladimir Shushlin <vshushlin@gitlab.com>2022-04-01 10:55:29 +0300
commite1f1effa23c520d3b8b717d831ccab7ba3dd494f (patch)
tree5cbf101d9b80855bf007ea2cab74a7ac44a518c1
parent1c7ed827db6ede4dab91ef8b8fef239e3bed5dd5 (diff)
parent43e42a8b797732a013f4c01cc0193643bff614e0 (diff)
Merge branch 'security-fix-weak-timeouts' into 'master'
Fix weak timeouts

See merge request gitlab-org/security/gitlab-pages!18
-rw-r--r--internal/config/config.go14
-rw-r--r--internal/config/flags.go6
-rw-r--r--server.go7
3 files changed, 25 insertions, 2 deletions
diff --git a/internal/config/config.go b/internal/config/config.go
index 48bab76e..dbb88806 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -20,6 +20,7 @@ type Config struct {
GitLab GitLab
Log Log
Sentry Sentry
+ Server Server
TLS TLS
Zip ZipServing
@@ -138,6 +139,13 @@ type ZipServing struct {
HTTPClientTimeout time.Duration
}
+type Server struct {
+ ReadTimeout time.Duration
+ ReadHeaderTimeout time.Duration
+ WriteTimeout time.Duration
+ ListenKeepAlive time.Duration
+}
+
func internalGitlabServerFromFlags() string {
if *internalGitLabServer != "" {
return *internalGitLabServer
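Review bot: The new `Server` type has no doc comment, and `ListenKeepAlive` is easy to misread as an HTTP keep-alive (idle connection) limit when the server.go hunk passes it to `net.ListenConfig.KeepAlive`, i.e. it is the TCP keep-alive period. I would add `// Server holds the HTTP server timeouts and the TCP keep-alive period used when listening.` above the type and `// ListenKeepAlive is the TCP keep-alive period (net.ListenConfig.KeepAlive), not an HTTP idle timeout.` on the field. `internalGitlabServerFromFlags`, shown as trailing context, continues outside the hunk.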
@@ -243,6 +251,12 @@ func loadConfig() (*Config, error) {
AllowedPaths: []string{*pagesRoot},
HTTPClientTimeout: *zipHTTPClientTimeout,
},
+ Server: Server{
+ ReadTimeout: *serverReadTimeout,
+ ReadHeaderTimeout: *serverReadHeaderTimeout,
+ WriteTimeout: *serverWriteTimeout,
+ ListenKeepAlive: *serverKeepAlive,
+ },
// Actual listener pointers will be populated in appMain. We populate the
// raw strings here so that they are available in appMain
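Review bot: The `Server:` literal copies the four flag values into the config unchecked, so a deployment started with `-server-read-header-timeout=0` (or a negative value) runs with no header timeout and nothing records that choice. Unless validation happens elsewhere in `loadConfig`, which starts and ends outside this hunk, I would log a warning at load time when any of the three HTTP timeouts is `<= 0`, so the weak-timeout condition this merge fixes shows up in the startup log instead of being silent. A comment above the literal such as `// Non-positive values disable the corresponding net/http timeout.` would also help the next reader.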
diff --git a/internal/config/flags.go b/internal/config/flags.go
index cd44692a..a5d9c221 100644
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
@@ -82,6 +82,12 @@ var (
zipOpenTimeout = flag.Duration("zip-open-timeout", 30*time.Second, "Zip archive open timeout")
zipHTTPClientTimeout = flag.Duration("zip-http-client-timeout", 30*time.Minute, "Zip HTTP client timeout")
+ // HTTP server timeouts
+ serverReadTimeout = flag.Duration("server-read-timeout", 5*time.Second, "ReadTimeout is the maximum duration for reading the entire request, including the body. A zero or negative value means there will be no timeout.")
+ serverReadHeaderTimeout = flag.Duration("server-read-header-timeout", time.Second, "ReadHeaderTimeout is the amount of time allowed to read request headers. A zero or negative value means there will be no timeout.")
+ serverWriteTimeout = flag.Duration("server-write-timeout", 30*time.Second, "WriteTimeout is the maximum duration before timing out writes of the response. A zero or negative value means there will be no timeout.")
+ serverKeepAlive = flag.Duration("server-keep-alive", 15*time.Second, "KeepAlive specifies the keep-alive period for network connections accepted by this listener. If zero, keep-alives are enabled if supported by the protocol and operating system. If negative, keep-alives are disabled.")
+
disableCrossOriginRequests = flag.Bool("disable-cross-origin-requests", false, "Disable cross-origin requests")
showVersion = flag.Bool("version", false, "Show version")
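Review bot: The usage string for `server-write-timeout` repeats the net/http field documentation but does not say that the limit covers the whole response, so with the 30s default a large file sent to a slow client can be cut off mid-transfer. I would end that string with something like `Applies to the entire response; raise it if large files are served to slow clients.` As far as I know net/http also bounds the TLS handshake by the smallest positive of these server timeouts, which would make the `time.Second` default on `server-read-header-timeout` worth checking against high-latency clients before rollout. The enclosing `var (` block starts and ends outside the hunk.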
diff --git a/server.go b/server.go
index b5aecc37..9a647864 100644
--- a/server.go
+++ b/server.go
@@ -7,7 +7,6 @@ import (
stdlog "log"
"net"
"net/http"
- "time"
"github.com/pires/go-proxyproto"
"github.com/sirupsen/logrus"
@@ -40,8 +39,12 @@ func (a *theApp) listenAndServe(server *http.Server, addr string, h http.Handler
server.TLSConfig.NextProtos = append(server.TLSConfig.NextProtos, "h2")
}
+ server.ReadTimeout = a.config.Server.ReadTimeout
+ server.ReadHeaderTimeout = a.config.Server.ReadHeaderTimeout
+ server.WriteTimeout = a.config.Server.WriteTimeout
+
lc := net.ListenConfig{
- KeepAlive: 3 * time.Minute,
+ KeepAlive: a.config.Server.ListenKeepAlive,
}
l, err := lc.Listen(context.Background(), "tcp", addr)
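Review bot: `server.IdleTimeout` is not set alongside the three new assignments, so idle keep-alive connections are limited only through net/http's fallback to `ReadTimeout`; if an operator sets `server-read-timeout` to zero, idle connections lose their limit as well. I would either expose a separate idle setting or document the dependency with `// IdleTimeout is left at zero: net/http then reuses ReadTimeout for idle keep-alive connections.` above the assignments. The same hunk also changes the effective TCP keep-alive from the hard-coded `3 * time.Minute` to the 15s flag default, which deserves a line in the changelog since it alters behaviour for existing deployments. `listenAndServe` starts and ends outside the hunk.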