Skip to content

fix: harden HTTP servers with timeouts and request body size limit#107

Open
danilaverbena wants to merge 1 commit into
base:mainfrom
danilaverbena:fix/http-hardening
Open

fix: harden HTTP servers with timeouts and request body size limit#107
danilaverbena wants to merge 1 commit into
base:mainfrom
danilaverbena:fix/http-hardening

Conversation

@danilaverbena

Copy link
Copy Markdown

Description

Two hardening fixes for the HTTP servers in op-enclave:

1. HTTP timeouts (server + enclave)

Both cmd/server/main.go and cmd/enclave/main.go used http.ListenAndServe() which sets zero timeouts by default. An attacker can open slow connections (slowloris) and exhaust server resources.

Fix: Replace with http.Server with explicit ReadHeaderTimeout: 10s, ReadTimeout: 30s, WriteTimeout: 30-60s, and IdleTimeout: 60s.

2. Request body size limit (server)

cmd/server/main.go:31 reads the request body with io.ReadAll(r.Body) without any size limit, allowing memory exhaustion via oversized POST bodies.

Fix: Wrap with http.MaxBytesReader(w, r.Body, 1MB) before reading.

Impact

These are DoS vulnerabilities in the HTTP proxy facing external connections (:7333) and the enclave fallback HTTP server (:1234).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant