From 858e047bff6224c90ff5d033f8adbbba01036029 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Fri, 6 Feb 2026 22:58:05 +0100
Subject: [PATCH] fix: add timeouts to prevent denial of service
Add 30-second timeout to nix flake metadata command to prevent hanging on slow or unresponsive remotes. Add HTTP server timeouts (read, write, idle) to protect against slowloris-style attacks.
Co-Authored-By: Claude Opus 4.5
---
 collector/flake.go | 6 +++++-
 main.go | 7 +++++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/collector/flake.go b/collector/flake.go
index c026ad1..da3dc02 100644
--- a/collector/flake.go
+++ b/collector/flake.go
@@ -1,6 +1,7 @@
 package collector
 import (
+ "context"
 "encoding/json"
 "log/slog"
 "os"
@@ -182,7 +183,10 @@ func (c *FlakeCollector) collectRevisionBehind(ch chan<- prometheus.Metric, data
 }
 func fetchFlakeMetadata(flakeURL string) (*flakeMetadata, error) {
- cmd := exec.Command("nix", "flake", "metadata", "--json", flakeURL)
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+ defer cancel()
+
+ cmd := exec.CommandContext(ctx, "nix", "flake", "metadata", "--json", flakeURL)
 output, err := cmd.Output()
 if err != nil {
 return nil, err
diff --git a/main.go b/main.go
index a692b9e..edafe92 100644
--- a/main.go
+++ b/main.go
@@ -47,8 +47,11 @@ func main() {
 })
 server := &http.Server{
- Addr: cfg.ListenAddr,
- Handler: mux,
+ Addr: cfg.ListenAddr,
+ Handler: mux,
+ ReadTimeout: 10 * time.Second,
+ WriteTimeout: 10 * time.Second,
+ IdleTimeout: 60 * time.Second,
 }
 // Handle shutdown gracefully
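Review bot: The 30-second context in fetchFlakeMetadata may not bound `cmd.Output()` as intended. When the deadline fires, exec.CommandContext kills only the `nix` process itself, while Output keeps reading the stdout/stderr pipes until every process that inherited them has exited. If nix has started helper processes (likely for remote fetches, though not visible here), the call can still block past the deadline. Adding `cmd.WaitDelay = 5 * time.Second` (Go 1.20+) right after the CommandContext line forces the pipes closed once that delay expires. The function body continues past the end of the hunk, so how the returned error is reported on timeout is not visible.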
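Review bot: `WriteTimeout: 10 * time.Second` is shorter than the 30-second limit this same commit gives the nix command in collector/flake.go. If the metrics handler runs that command during a scrape (the collector code suggests so, but the call path is not visible here), a slow remote gets the response cut off at 10 seconds while the command runs on for up to 20 more, and the scrape fails with no metrics. Either raise WriteTimeout above the command timeout or lower the command timeout below it, and record the dependency next to the field, for example `// must exceed the collector's nix command timeout`. ReadTimeout also covers header reads when ReadHeaderTimeout is unset, so the slow-header case is handled. main's body continues outside the hunk.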