From 9d08a57a9cd1e719ab78e6ee2b6154f857d4a073 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Thu, 22 Sep 2022 12:13:28 +0200
Subject: [PATCH] set ReadHeaderTimeout to address G112: Potential Slowloris
 Attack (gosec)

After discussing in the maintainers meeting, we concluded that Slowloris attacks
are not a real risk other than potentially having some additional goroutines
lingering around, so setting a long timeout to satisfy the linter, and to at
least have "some" timeout.

    api/server/server.go:60:10: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
                srv: &http.Server{
                    Addr: addr,
                },
    daemon/metrics_unix.go:34:13: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
            if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
                      ^
    cmd/dockerd/metrics.go:27:13: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
            if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
                      ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 55fd77f7246a8113b81eb0de5644ce651db1ace0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 997ec12ec837160e28984eb22ab8eea438b32703)
Signed-off-by: Cory Snider <csnider@mirantis.com>
---
 api/server/server.go   | 4 +++-
 cmd/dockerd/metrics.go | 7 ++++++-
 daemon/metrics_unix.go | 7 ++++++-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/api/server/server.go b/api/server/server.go
index 71dcb664c7..a1449555ec 100644
--- a/api/server/server.go
+++ b/api/server/server.go
@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/docker/docker/api/server/httpstatus"
 	"github.com/docker/docker/api/server/httputils"
@@ -57,7 +58,8 @@ func (s *Server) Accept(addr string, listeners ...net.Listener) {
 	for _, listener := range listeners {
 		httpServer := &HTTPServer{
 			srv: &http.Server{
-				Addr: addr,
+				Addr:              addr,
+				ReadHeaderTimeout: 5 * time.Minute, // "G112: Potential Slowloris Attack (gosec)"; not a real concern for our use, so setting a long timeout.
 			},
 			l: listener,
 		}
diff --git a/cmd/dockerd/metrics.go b/cmd/dockerd/metrics.go
index 4ea8321b5d..a13a5d2670 100644
--- a/cmd/dockerd/metrics.go
+++ b/cmd/dockerd/metrics.go
@@ -4,6 +4,7 @@ import (
 	"net"
 	"net/http"
 	"strings"
+	"time"
 
 	metrics "github.com/docker/go-metrics"
 	"github.com/sirupsen/logrus"
@@ -24,7 +25,11 @@ func startMetricsServer(addr string) error {
 	mux.Handle("/metrics", metrics.Handler())
 	go func() {
 		logrus.Infof("metrics API listening on %s", l.Addr())
-		if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
+		srv := &http.Server{
+			Handler:           mux,
+			ReadHeaderTimeout: 5 * time.Minute, // "G112: Potential Slowloris Attack (gosec)"; not a real concern for our use, so setting a long timeout.
+		}
+		if err := srv.Serve(l); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
 			logrus.WithError(err).Error("error serving metrics API")
 		}
 	}()
diff --git a/daemon/metrics_unix.go b/daemon/metrics_unix.go
index 7869712541..6acc469c9c 100644
--- a/daemon/metrics_unix.go
+++ b/daemon/metrics_unix.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"path/filepath"
 	"strings"
+	"time"
 
 	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/docker/docker/pkg/plugins"
@@ -31,7 +32,11 @@ func (daemon *Daemon) listenMetricsSock() (string, error) {
 	mux.Handle("/metrics", metrics.Handler())
 	go func() {
 		logrus.Debugf("metrics API listening on %s", l.Addr())
-		if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
+		srv := &http.Server{
+			Handler:           mux,
+			ReadHeaderTimeout: 5 * time.Minute, // "G112: Potential Slowloris Attack (gosec)"; not a real concern for our use, so setting a long timeout.
+		}
+		if err := srv.Serve(l); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
 			logrus.WithError(err).Error("error serving metrics API")
 		}
 	}()