fix: add timeouts to prevent denial of service
Add 30-second timeout to nix flake metadata command to prevent hanging on slow or unresponsive remotes. Add HTTP server timeouts (read, write, idle) to protect against slowloris-style attacks. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -1,6 +1,7 @@
|
|||||||
package collector
|
package collector
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"log/slog"
|
"log/slog"
|
||||||
"os"
|
"os"
|
||||||
@@ -182,7 +183,10 @@ func (c *FlakeCollector) collectRevisionBehind(ch chan<- prometheus.Metric, data
|
|||||||
}
|
}
|
||||||
|
|
||||||
func fetchFlakeMetadata(flakeURL string) (*flakeMetadata, error) {
|
func fetchFlakeMetadata(flakeURL string) (*flakeMetadata, error) {
|
||||||
cmd := exec.Command("nix", "flake", "metadata", "--json", flakeURL)
|
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
||||||
|
defer cancel()
|
||||||
|
|
||||||
|
cmd := exec.CommandContext(ctx, "nix", "flake", "metadata", "--json", flakeURL)
|
||||||
output, err := cmd.Output()
|
output, err := cmd.Output()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|||||||
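Review bot: The 30-second deadline in `fetchFlakeMetadata` bounds only the `nix` process itself, so `cmd.Output()` can still block past it. `exec.CommandContext` kills the direct child when the context expires, but `Output` then waits for the stdout pipe to close; if nix has started a helper process that inherited the pipe (a git fetch, for example, which is not visible here), the wait lasts until that helper exits. Setting `cmd.WaitDelay = 5 * time.Second` (Go 1.20+) right after the `exec.CommandContext` line forces the pipes closed and lets `Output` return. A timeout also surfaces as a bare `signal: killed`; checking `ctx.Err()` inside the `if err != nil` branch and wrapping it would let operators tell a timeout from a nix failure. The function body continues past the end of the hunk.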
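--- a/main.go
+++ b/main.go
@@ -49,6 +49,9 @@ func main() {
 server := &http.Server{
 Addr: cfg.ListenAddr,
 Handler: mux,
+ReadTimeout: 10 * time.Second,
+WriteTimeout: 10 * time.Second,
+IdleTimeout: 60 * time.Second,
 }
 
 // Handle shutdown gracefully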
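Review bot: `WriteTimeout: 10 * time.Second` is shorter than the 30-second deadline this same commit gives `fetchFlakeMetadata`. If the metrics handler runs that collector inline during a scrape (the handler is not visible in this hunk, so this is an assumption to confirm), a slow remote makes the handler outlast the write deadline and the scrape ends with a cut connection instead of a partial result. Either keep the write deadline above the collection deadline, e.g. `WriteTimeout: 45 * time.Second, // must exceed the nix metadata timeout`, or move the fetch to a background refresh so scrapes only read cached values. The three durations are also hard-coded next to `cfg.ListenAddr`; a short comment on why each value was chosen would help the next reader. The body of `main` starts and ends outside the hunk.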