Merge pull request #6538 from wallrj/backport-6534-to-release-1.13

[release-1.13] Mitigate potential Slowloris attacks by setting ReadHeaderTimeout in all http.Server instances
cert-manager · Dec 7, 2023 · 876e386 · 876e386
2 parents d1e2d25 + d080cec
commit 876e386
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 7 deletions.
diff --git a/cmd/cainjector/app/start.go b/cmd/cainjector/app/start.go
@@ -51,6 +51,17 @@ import (
 	"github.com/cert-manager/cert-manager/pkg/util/profiling"
 )
 
+const (
+	// This is intended to mitigate "slowloris" attacks by limiting the time a
+	// deliberately slow client can spend sending HTTP headers.
+	// This default value is copied from:
+	// * kubernetes api-server:
+	//   https://github.com/kubernetes/kubernetes/blob/9e028b40b9e970142191259effe796b3dab39828/staging/src/k8s.io/apiserver/pkg/server/secure_serving.go#L165-L173
+	// * controller-runtime:
+	//   https://github.com/kubernetes-sigs/controller-runtime/blob/1ea2be573f7887a9fbd766e9a921c5af344da6eb/pkg/internal/httpserver/server.go#L14
+	defaultReadHeaderTimeout = 32 * time.Second
+)
+
 // InjectorControllerOptions is a struct having injector controller options values
 type InjectorControllerOptions struct {
 	Logging *logs.Options
@@ -235,7 +246,8 @@ func (o InjectorControllerOptions) RunInjectorController(ctx context.Context) er
 		profiling.Install(profilerMux)
 		o.log.V(logf.InfoLevel).Info("running go profiler on", "address", o.PprofAddr)
 		server := &http.Server{
-			Handler: profilerMux,
+			Handler:           profilerMux,
+			ReadHeaderTimeout: defaultReadHeaderTimeout, // Mitigation for G112: Potential slowloris attack
 		}
 		g.Go(func() error {
 			<-gctx.Done()

diff --git a/cmd/controller/app/controller.go b/cmd/controller/app/controller.go
@@ -49,6 +49,17 @@ import (
 	"github.com/cert-manager/cert-manager/pkg/util/profiling"
 )
 
+const (
+	// This is intended to mitigate "slowloris" attacks by limiting the time a
+	// deliberately slow client can spend sending HTTP headers.
+	// This default value is copied from:
+	// * kubernetes api-server:
+	//   https://github.com/kubernetes/kubernetes/blob/9e028b40b9e970142191259effe796b3dab39828/staging/src/k8s.io/apiserver/pkg/server/secure_serving.go#L165-L173
+	// * controller-runtime:
+	//   https://github.com/kubernetes-sigs/controller-runtime/blob/1ea2be573f7887a9fbd766e9a921c5af344da6eb/pkg/internal/httpserver/server.go#L14
+	defaultReadHeaderTimeout = 32 * time.Second
+)
+
 func Run(opts *config.ControllerConfiguration, stopCh <-chan struct{}) error {
 	rootCtx, cancelContext := context.WithCancel(cmdutil.ContextWithStopCh(context.Background(), stopCh))
 	defer cancelContext()
@@ -107,7 +118,8 @@ func Run(opts *config.ControllerConfiguration, stopCh <-chan struct{}) error {
 		// Add pprof endpoints to this mux
 		profiling.Install(profilerMux)
 		profilerServer := &http.Server{
-			Handler: profilerMux,
+			Handler:           profilerMux,
+			ReadHeaderTimeout: defaultReadHeaderTimeout, // Mitigation for G112: Potential slowloris attack
 		}
 
 		g.Go(func() error {

diff --git a/pkg/issuer/acme/http/solver/solver.go b/pkg/issuer/acme/http/solver/solver.go
@@ -21,10 +21,22 @@ import (
 	"net/http"
 	"path"
 	"strings"
+	"time"
 
 	"github.com/go-logr/logr"
 )
 
+const (
+	// This is intended to mitigate "slowloris" attacks by limiting the time a
+	// deliberately slow client can spend sending HTTP headers.
+	// This default value is copied from:
+	// * kubernetes api-server:
+	//   https://github.com/kubernetes/kubernetes/blob/9e028b40b9e970142191259effe796b3dab39828/staging/src/k8s.io/apiserver/pkg/server/secure_serving.go#L165-L173
+	// * controller-runtime:
+	//   https://github.com/kubernetes-sigs/controller-runtime/blob/1ea2be573f7887a9fbd766e9a921c5af344da6eb/pkg/internal/httpserver/server.go#L14
+	defaultReadHeaderTimeout = 32 * time.Second
+)
+
 type HTTP01Solver struct {
 	ListenPort int
 
@@ -91,8 +103,9 @@ func (h *HTTP01Solver) Listen(log logr.Logger) error {
 	})
 
 	h.Server = http.Server{
-		Addr:    fmt.Sprintf(":%d", h.ListenPort),
-		Handler: handler,
+		Addr:              fmt.Sprintf(":%d", h.ListenPort),
+		Handler:           handler,
+		ReadHeaderTimeout: defaultReadHeaderTimeout, // Mitigation for G112: Potential slowloris attack
 	}
 
 	return h.Server.ListenAndServe()

diff --git a/pkg/webhook/server/server.go b/pkg/webhook/server/server.go
@@ -44,6 +44,17 @@ import (
 	servertls "github.com/cert-manager/cert-manager/pkg/webhook/server/tls"
 )
 
+const (
+	// This is intended to mitigate "slowloris" attacks by limiting the time a
+	// deliberately slow client can spend sending HTTP headers.
+	// This default value is copied from:
+	// * kubernetes api-server:
+	//   https://github.com/kubernetes/kubernetes/blob/9e028b40b9e970142191259effe796b3dab39828/staging/src/k8s.io/apiserver/pkg/server/secure_serving.go#L165-L173
+	// * controller-runtime:
+	//   https://github.com/kubernetes-sigs/controller-runtime/blob/1ea2be573f7887a9fbd766e9a921c5af344da6eb/pkg/internal/httpserver/server.go#L14
+	defaultReadHeaderTimeout = 32 * time.Second
+)
+
 var (
 	// defaultScheme is used to encode and decode the AdmissionReview and
 	// ConversionReview resources submitted to the webhook server.
@@ -135,7 +146,8 @@ func (s *Server) Run(ctx context.Context) error {
 		healthMux.HandleFunc("/livez", s.handleLivez)
 		s.log.V(logf.InfoLevel).Info("listening for insecure healthz connections", "address", s.HealthzAddr)
 		server := &http.Server{
-			Handler: healthMux,
+			Handler:           healthMux,
+			ReadHeaderTimeout: defaultReadHeaderTimeout, // Mitigation for G112: Potential slowloris attack
 		}
 		g.Go(func() error {
 			<-gctx.Done()
@@ -168,7 +180,8 @@ func (s *Server) Run(ctx context.Context) error {
 		profiling.Install(profilerMux)
 		s.log.V(logf.InfoLevel).Info("running go profiler on", "address", s.PprofAddr)
 		server := &http.Server{
-			Handler: profilerMux,
+			Handler:           profilerMux,
+			ReadHeaderTimeout: defaultReadHeaderTimeout, // Mitigation for G112: Potential slowloris attack
 		}
 		g.Go(func() error {
 			<-gctx.Done()
@@ -228,7 +241,8 @@ func (s *Server) Run(ctx context.Context) error {
 	serverMux.HandleFunc("/mutate", s.handle(s.mutate))
 	serverMux.HandleFunc("/convert", s.handle(s.convert))
 	server := &http.Server{
-		Handler: serverMux,
+		Handler:           serverMux,
+		ReadHeaderTimeout: defaultReadHeaderTimeout, // Mitigation for G112: Potential slowloris attack
 	}
 	g.Go(func() error {
 		<-gctx.Done()