Enhance HTTP Server Configuration and File Permissions in file.go

Mitigation of Slowloris Attacks: By introducing read and write timeouts to the HTTP server configuration, we mitigate potential Slowloris attacks. Slowloris is a type of Denial of Service attack where a client holds as many connections to the server open as possible for a long time, effectively tying up all available connections and preventing legitimate users from accessing the server. By setting a limit on how long the server will wait for a complete request (ReadTimeout) or a complete response (WriteTimeout), we ensure that resources are not tied up indefinitely, thus reducing the effectiveness of Slowloris attacks. Prevention of Unauthorized File Access: The file permissions for storing files have been updated to 0600 (read and write permissions for the owner only). This change is important for security reasons. By restricting access to the owner only, we reduce the risk of unauthorized access or manipulation of the stored files. This is particularly important when the files contain sensitive data, as it prevents potential data leaks or unauthorized modifications. These were reported by gosec Signed-off-by: naveensrinivasan <[email protected]>
in-toto · Oct 20, 2023 · f846eba · f846eba
1 parent 60448d4
commit f846eba
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 7 deletions.
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -0,0 +1,7 @@
+run:
+  timeout: 6m
+linters:
+  enable:
+    - gosec
+issues:
+  max-same-issues: 50
diff --git a/cmd/archivista/main.go b/cmd/archivista/main.go
@@ -139,13 +139,17 @@ func main() {
 	if err != nil {
 		logrus.Fatalf("unable to start http listener: %+v", err)
 	}
-
-	go func() {
-		if err := http.Serve(listener, handlers.CORS(
+	srv := &http.Server{
+		Handler: handlers.CORS(
 			handlers.AllowedOrigins(cfg.CORSAllowOrigins),
 			handlers.AllowedMethods([]string{"GET", "POST", "OPTIONS"}),
 			handlers.AllowedHeaders([]string{"Accept", "Content-Type", "Content-Length", "Accept-Encoding", "X-CSRF-Token", "Authorization"}),
-		)(router)); err != nil {
+		)(router),
+		ReadTimeout:  5 * time.Second,
+		WriteTimeout: 10 * time.Second,
+	}
+	go func() {
+		if err := srv.Serve(listener); err != nil {
 			logrus.Fatalf("unable to start http server: %+v", err)
 		}
 	}()

diff --git a/internal/objectstorage/filestore/file.go b/internal/objectstorage/filestore/file.go
@@ -21,6 +21,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"time"
 
 	"github.com/gorilla/handlers"
 )
@@ -32,9 +33,23 @@ type Store struct {
 func New(ctx context.Context, directory string, address string) (*Store, <-chan error, error) {
 	errCh := make(chan error)
 	go func() {
-		server := handlers.CompressHandler(http.FileServer(http.Dir(directory)))
-		log.Fatalln(http.ListenAndServe(address, server))
+		server := &http.Server{
+			Addr:         address,
+			Handler:      handlers.CompressHandler(http.FileServer(http.Dir(directory))),
+			ReadTimeout:  5 * time.Second,
+			WriteTimeout: 10 * time.Second,
+		}
+
+		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			log.Fatalf("Could not listen on %s: %v\n", address, err)
+		}
+
 		<-ctx.Done()
+
+		if err := server.Shutdown(context.Background()); err != nil {
+			log.Fatalf("Server Shutdown Failed:%+v", err)
+		}
+
 		close(errCh)
 	}()
 
@@ -48,5 +63,5 @@ func (s *Store) Get(ctx context.Context, gitoid string) (io.ReadCloser, error) {
 }
 
 func (s *Store) Store(ctx context.Context, gitoid string, payload []byte) error {
-	return os.WriteFile(filepath.Join(s.prefix, gitoid+".json"), payload, 0644)
+	return os.WriteFile(filepath.Join(s.prefix, gitoid+".json"), payload, 0o600)
 }