
gitlab.com/gitlab-org/gitlab-pages.git - Unnamed repository; edit this file 'description' to name the repository.
authorVladimir Shushlin <vshushlin@gitlab.com>2022-03-18 18:24:58 +0300
committerVladimir Shushlin <vshushlin@gitlab.com>2022-03-18 18:24:58 +0300
commit86e0802f651c474fdd7e9fa3edd3c5df7170d5de (patch)
treef443c17bd725a6fa20212e60526de2f258664b90 /internal
parent0a194fef16d007b172980a8961f344fa4a440b39 (diff)
parent8bd2398e301877a98f8efe3738861a7d96b87d7f (diff)
Merge branch 'security-fix-weak-timeouts-1-54' into '1-54-stable'
Fix weak timeouts See merge request gitlab-org/security/gitlab-pages!20
Diffstat (limited to 'internal')
-rw-r--r--internal/config/config.go14
-rw-r--r--internal/config/flags.go6
2 files changed, 20 insertions, 0 deletions
diff --git a/internal/config/config.go b/internal/config/config.go
index 3bb7b126..2e2c99f4 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -22,6 +22,7 @@ type Config struct {
GitLab GitLab
Log Log
Sentry Sentry
+ Server Server
TLS TLS
Zip ZipServing
@@ -130,6 +131,13 @@ type ZipServing struct {
AllowedPaths []string
}
+type Server struct {
+ ReadTimeout time.Duration
+ ReadHeaderTimeout time.Duration
+ WriteTimeout time.Duration
+ ListenKeepAlive time.Duration
+}
+
func internalGitlabServerFromFlags() string {
if *internalGitLabServer != "" {
return *internalGitLabServer
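Review bot: The new exported `Server` type has no doc comment, and its fields do not share one meaning for zero, which is easy to get wrong when reading the struct alone. Going by the flag help text in flags.go, a zero or negative `ReadTimeout`, `ReadHeaderTimeout` or `WriteTimeout` means no timeout, while a zero `ListenKeepAlive` leaves keep-alives enabled and only a negative value disables them. I would add above the type: `// Server holds the HTTP server timeouts and the listener keep-alive period. A zero or negative Read, ReadHeader or Write timeout disables that timeout; ListenKeepAlive is disabled only when negative.` The last three lines of the hunk belong to `internalGitlabServerFromFlags`, whose body continues outside it.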
@@ -227,6 +235,12 @@ func loadConfig() (*Config, error) {
OpenTimeout: *zipOpenTimeout,
AllowedPaths: []string{*pagesRoot},
},
+ Server: Server{
+ ReadTimeout: *serverReadTimeout,
+ ReadHeaderTimeout: *serverReadHeaderTimeout,
+ WriteTimeout: *serverWriteTimeout,
+ ListenKeepAlive: *serverKeepAlive,
+ },
// Actual listener pointers will be populated in appMain. We populate the
// raw strings here so that they are available in appMain
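Review bot: The four flag values are copied into `Server` with no range check, so `-server-read-header-timeout=0` or a negative value silently turns off the limit this fix introduces. Because the help text documents zero and negative as "no timeout", a typo or a carried-over config can leave the listener without a bound on slow request reads, and nothing visible here would tell the operator. Consider a startup warning when `*serverReadHeaderTimeout <= 0 || *serverReadTimeout <= 0`, or handle it in the project's config validation step if one exists (not visible in this diff). `loadConfig` starts and ends outside the hunk.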
diff --git a/internal/config/flags.go b/internal/config/flags.go
index 93228827..d78c043e 100644
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
@@ -62,6 +62,12 @@ var (
zipCacheRefresh = flag.Duration("zip-cache-refresh", 30*time.Second, "Zip serving archive cache refresh interval")
zipOpenTimeout = flag.Duration("zip-open-timeout", 30*time.Second, "Zip archive open timeout")
+ // HTTP server timeouts
+ serverReadTimeout = flag.Duration("server-read-timeout", 5*time.Second, "ReadTimeout is the maximum duration for reading the entire request, including the body. A zero or negative value means there will be no timeout.")
+ serverReadHeaderTimeout = flag.Duration("server-read-header-timeout", time.Second, "ReadHeaderTimeout is the amount of time allowed to read request headers. A zero or negative value means there will be no timeout.")
+ serverWriteTimeout = flag.Duration("server-write-timeout", 30*time.Second, "WriteTimeout is the maximum duration before timing out writes of the response. A zero or negative value means there will be no timeout.")
+ serverKeepAlive = flag.Duration("server-keep-alive", 15*time.Second, "KeepAlive specifies the keep-alive period for network connections accepted by this listener. If zero, keep-alives are enabled if supported by the protocol and operating system. If negative, keep-alives are disabled.")
+
disableCrossOriginRequests = flag.Bool("disable-cross-origin-requests", false, "Disable cross-origin requests")
showVersion = flag.Bool("version", false, "Show version")
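Review bot: The 30s default for `server-write-timeout` bounds the whole response rather than each write, since net/http sets the write deadline once per request after the headers are read, so a large file sent to a slow client would be cut off at 30 seconds. The help text should say this, for example by appending `This covers the entire response, so large downloads over slow connections need a higher value.` No idle-timeout flag is added either; net/http falls back to `ReadTimeout` for idle keep-alive connections when `IdleTimeout` is zero, so the 5s read default presumably also governs idle connections. That is worth a sentence in the `server-read-timeout` help, assuming the server is configured from these fields only (the wiring is not part of this diff).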