Merge pull request #44175 from thaJeztah/22.06_backport_fix_g112_slowlorus

[22.06 backport] set ReadHeaderTimeout to address G112: Potential Slowloris Attack (gosec)
2022-11-09 12:21:53 -05:00 · 2022-09-26 11:54:09 +02:00 · 2022-09-26 11:54:09 +02:00 · 7772535e79
commit 7772535e79
parent bebad9e22e 997ec12ec8
4 changed files with 19 additions and 5 deletions
--- a/api/server/server.go
+++ b/api/server/server.go
@ -6,6 +6,7 @@ import (
 	"net"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/docker/docker/api/server/httpstatus"
 	"github.com/docker/docker/api/server/httputils"
@ -58,7 +59,8 @@ func (s *Server) Accept(addr string, listeners ...net.Listener) {
 	for _, listener := range listeners {
 		httpServer := &HTTPServer{
 			srv: &http.Server{
-				Addr: addr,
+				Addr:              addr,
 				ReadHeaderTimeout: 5 * time.Minute, // "G112: Potential Slowloris Attack (gosec)"; not a real concern for our use, so setting a long timeout.
 			},
 			l: listener,
 		}
--- a/cmd/dockerd/metrics.go
+++ b/cmd/dockerd/metrics.go
@ -4,6 +4,7 @@ import (
 	"net"
 	"net/http"
 	"strings"
 	"time"
 	metrics "github.com/docker/go-metrics"
 	"github.com/sirupsen/logrus"
@ -24,7 +25,11 @@ func startMetricsServer(addr string) error {
 	mux.Handle("/metrics", metrics.Handler())
 	go func() {
 		logrus.Infof("metrics API listening on %s", l.Addr())
-		if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
+		srv := &http.Server{
 			Handler:           mux,
 			ReadHeaderTimeout: 5 * time.Minute, // "G112: Potential Slowloris Attack (gosec)"; not a real concern for our use, so setting a long timeout.
 		}
 		if err := srv.Serve(l); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
 			logrus.WithError(err).Error("error serving metrics API")
 		}
 	}()
--- a/daemon/metrics_unix.go
+++ b/daemon/metrics_unix.go
@ -8,6 +8,7 @@ import (
 	"net/http"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/docker/pkg/plugins"
@ -31,7 +32,11 @@ func (daemon *Daemon) listenMetricsSock() (string, error) {
 	mux.Handle("/metrics", metrics.Handler())
 	go func() {
 		logrus.Debugf("metrics API listening on %s", l.Addr())
-		if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
+		srv := &http.Server{
 			Handler:           mux,
 			ReadHeaderTimeout: 5 * time.Minute, // "G112: Potential Slowloris Attack (gosec)"; not a real concern for our use, so setting a long timeout.
 		}
 		if err := srv.Serve(l); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
 			logrus.WithError(err).Error("error serving metrics API")
 		}
 	}()
--- a/libnetwork/diagnostic/server.go
+++ b/libnetwork/diagnostic/server.go
@ -9,6 +9,7 @@ import (
 	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
 	"github.com/docker/docker/libnetwork/internal/caller"
 	"github.com/docker/docker/pkg/stack"
@ -94,8 +95,9 @@ func (s *Server) EnableDiagnostic(ip string, port int) {
 	logrus.Infof("Starting the diagnostic server listening on %d for commands", port)
 	srv := &http.Server{
-		Addr:    net.JoinHostPort(ip, strconv.Itoa(port)),
+		Addr:              net.JoinHostPort(ip, strconv.Itoa(port)),
-		Handler: s,
+		Handler:           s,
 		ReadHeaderTimeout: 5 * time.Minute, // "G112: Potential Slowloris Attack (gosec)"; not a real concern for our use, so setting a long timeout.
 	}
 	s.srv = srv
 	s.enable = 1