Add ReadHeaderTimeout for security

Doug Davis · Doug Davis · commit efab88dbe1f3 · 2022-12-09T17:05:28.000Z
Closes #821 Signed-off-by: Doug Davis <dug@microsoft.com>
diff --git a/v2/protocol/http/abuse_protection.go b/v2/protocol/http/abuse_protection.go
@@ -12,6 +12,7 @@ import (
 	"net/http"
 	"strconv"
 	"strings"
+	"time"
 )
 
 type WebhookConfig struct {
@@ -23,6 +24,7 @@ type WebhookConfig struct {
 
 const (
 	DefaultAllowedRate = 1000
+	DefaultTimeout     = time.Second * 600
 )
 
 // TODO: implement rate limiting.
diff --git a/v2/protocol/http/protocol_lifecycle.go b/v2/protocol/http/protocol_lifecycle.go
@@ -38,8 +38,10 @@ func (p *Protocol) OpenInbound(ctx context.Context) error {
 	}
 
 	p.server = &http.Server{
-		Addr:    listener.Addr().String(),
-		Handler: attachMiddleware(p.Handler, p.middleware),
+		Addr:         listener.Addr().String(),
+		Handler:      attachMiddleware(p.Handler, p.middleware),
+		ReadTimeout:  DefaultTimeout,
+		WriteTimeout: DefaultTimeout,
 	}
 
 	// Shutdown

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ import (`
`12`	`12`	`"net/http"`
`13`	`13`	`"strconv"`
`14`	`14`	`"strings"`
	`15`	`+ "time"`
`15`	`16`	`)`
`16`	`17`
`17`	`18`	`type WebhookConfig struct {`
`@@ -23,6 +24,7 @@ type WebhookConfig struct {`
`23`	`24`
`24`	`25`	`const (`
`25`	`26`	`DefaultAllowedRate = 1000`
	`27`	`+ DefaultTimeout = time.Second * 600`
`26`	`28`	`)`
`27`	`29`
`28`	`30`	`// TODO: implement rate limiting.`
Original file line number	Diff line number	Diff line change
`@@ -38,8 +38,10 @@ func (p *Protocol) OpenInbound(ctx context.Context) error {`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`p.server = &http.Server{`
`41`		`- Addr: listener.Addr().String(),`
`42`		`- Handler: attachMiddleware(p.Handler, p.middleware),`
	`41`	`+ Addr: listener.Addr().String(),`
	`42`	`+ Handler: attachMiddleware(p.Handler, p.middleware),`
	`43`	`+ ReadTimeout: DefaultTimeout,`
	`44`	`+ WriteTimeout: DefaultTimeout,`
`43`	`45`	`}`
`44`	`46`
`45`	`47`	`// Shutdown`