From 826e9d8cc668444ccfc14da8a33ca981393bc2c5 Mon Sep 17 00:00:00 2001
From: "Brian C. Lane"
Date: Fri, 9 Sep 2022 10:18:18 -0700
Subject: [PATCH] osbuild-composer: Set ReadHeaderTimeout to 5s

This satisfies the linter complaint about potential Slowloris attack where headers are read slowly in an attempt to DoS the server. The uses of ListenAndServe are only for testing purposes and are not run in the production server so ignore the lint errors in osbuild-mock-openid-provider.
---
 cmd/osbuild-composer/composer.go | 15 +++++++++------
 cmd/osbuild-mock-openid-provider/main.go | 1 +
 internal/weldr/api.go | 5 ++++-
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/cmd/osbuild-composer/composer.go b/cmd/osbuild-composer/composer.go
index d763bb441..71a1cb10e 100644
--- a/cmd/osbuild-composer/composer.go
+++ b/cmd/osbuild-composer/composer.go
@@ -220,8 +220,9 @@ func (c *Composer) Start() error {
 
 	if c.localWorkerListener != nil {
 		localWorkerAPI = &http.Server{
-			ErrorLog: c.logger,
-			Handler:  c.workers.Handler(),
+			ErrorLog:          c.logger,
+			Handler:           c.workers.Handler(),
+			ReadHeaderTimeout: 5 * time.Second,
 		}
 
 		go func() {
@@ -251,8 +252,9 @@ func (c *Composer) Start() error {
 			}
 		}
 		remoteWorkerAPI = &http.Server{
-			ErrorLog: c.logger,
-			Handler:  handler,
+			ErrorLog:          c.logger,
+			Handler:           handler,
+			ReadHeaderTimeout: 5 * time.Second,
 		}
 
 		go func() {
@@ -296,8 +298,9 @@ func (c *Composer) Start() error {
 		}
 
 		composerAPI = &http.Server{
-			ErrorLog: c.logger,
-			Handler:  handler,
+			ErrorLog:          c.logger,
+			Handler:           handler,
+			ReadHeaderTimeout: 5 * time.Second,
 		}
 
 		go func() {
diff --git a/cmd/osbuild-mock-openid-provider/main.go b/cmd/osbuild-mock-openid-provider/main.go
index 7f5bea27b..88e5051b8 100644
--- a/cmd/osbuild-mock-openid-provider/main.go
+++ b/cmd/osbuild-mock-openid-provider/main.go
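Review bot: ReadHeaderTimeout only bounds the header phase; with no ReadTimeout, WriteTimeout or IdleTimeout set on localWorkerAPI, remoteWorkerAPI or composerAPI in these three hunks, a client can still pin a connection open through a slow request body or an idle keep-alive (with ReadTimeout and IdleTimeout both zero, net/http applies no idle timeout at all), so the change covers only the header variant of the slow-client problem the commit message describes. The same `5 * time.Second` literal now appears in all three hunks of this file and again in internal/weldr/api.go; hoisting it to one package constant, `const readHeaderTimeout = 5 * time.Second`, and writing `ReadHeaderTimeout: readHeaderTimeout,` at each site keeps the four servers in step and gives the number a name. Start() begins and ends outside these hunks, so whether any per-handler timeout is applied elsewhere is not visible here.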
@@ -149,6 +149,7 @@ func main() {
 		w.Header().Set("Content-Type", "application/json")
 	})
 
+	//nolint:gosec
 	if tlsCert != "" && tlsKey != "" {
 		log.Fatal(http.ListenAndServeTLS(addr, tlsCert, tlsKey, mux))
 	} else {
diff --git a/internal/weldr/api.go b/internal/weldr/api.go
index 9c432d5a6..73c7dd5f5 100644
--- a/internal/weldr/api.go
+++ b/internal/weldr/api.go
@@ -276,7 +276,10 @@ func setupRouter(api *API) *API {
 }
 
 func (api *API) Serve(listener net.Listener) error {
-	api.server = http.Server{Handler: api}
+	api.server = http.Server{
+		Handler:           api,
+		ReadHeaderTimeout: 5 * time.Second,
+	}
 	err := api.server.Serve(listener)
 	if err != nil && err != http.ErrServerClosed {
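Review bot: The `//nolint:gosec` added above the `if` in main.go suppresses every gosec finding for the whole if/else statement, not just the timeout rule the commit message is working around, and it carries no explanation, which `nolintlint` rejects when enabled. Narrowing the directive and recording the reason keeps the suppression auditable, e.g. `//nolint:gosec // G114: mock OpenID provider is test-only; an unbounded ListenAndServe is acceptable here`. If the gosec version in use reports the finding on the call lines rather than the statement, the directive may need to sit on each ListenAndServe line instead. The else branch holding the plain ListenAndServe call lies outside the hunk, as does the rest of main().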