fix(lint): address G114 gosec findings in ready, pprof, and health plugins (#7798)

Replace http.Serve() with http.Server{} configured with timeouts to
address G114 gosec findings (HTTP server without timeouts). This
prevents potential slowloris attacks and resource exhaustion.

Changes:
- Add ReadTimeout, WriteTimeout, IdleTimeout (5s each) to HTTP servers
- Use srv.Shutdown(ctx) for graceful shutdown instead of ln.Close()
- Follow existing pattern from plugin/metrics

Fixes part of #7793

Signed-off-by: Azeez Syed <syedazeez337@gmail.com>
Syed Azeez
2026-01-01 14:55:37 +05:30
committed by GitHub
parent 7b38eb8625
commit 6dca5b26d1
3 changed files with 59 additions and 13 deletions


@@ -22,12 +22,15 @@ type health struct {
healthURI *url.URL healthURI *url.URL
ln net.Listener ln net.Listener
srv *http.Server
nlSetup bool nlSetup bool
mux *http.ServeMux mux *http.ServeMux
stop context.CancelFunc stop context.CancelFunc
} }
const shutdownTimeout = 5 * time.Second
func (h *health) OnStartup() error { func (h *health) OnStartup() error {
if h.Addr == "" { if h.Addr == "" {
h.Addr = ":8080" h.Addr = ":8080"
@@ -63,8 +66,14 @@ func (h *health) OnStartup() error {
ctx := context.Background() ctx := context.Background()
ctx, h.stop = context.WithCancel(ctx) ctx, h.stop = context.WithCancel(ctx)
// #nosec G114 -- TODO h.srv = &http.Server{
go func() { http.Serve(h.ln, h.mux) }() Handler: h.mux,
ReadTimeout: 5 * time.Second,
WriteTimeout: 5 * time.Second,
IdleTimeout: 5 * time.Second,
}
go func() { h.srv.Serve(h.ln) }()
go func() { h.overloaded(ctx) }() go func() { h.overloaded(ctx) }()
return nil return nil
@@ -82,7 +91,11 @@ func (h *health) OnFinalShutdown() error {
h.stop() h.stop()
h.ln.Close() ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
defer cancel()
if err := h.srv.Shutdown(ctx); err != nil {
log.Infof("Failed to stop health http server: %s", err)
}
h.nlSetup = false h.nlSetup = false
return nil return nil
} }
@@ -94,7 +107,11 @@ func (h *health) OnReload() error {
h.stop() h.stop()
h.ln.Close() ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
defer cancel()
if err := h.srv.Shutdown(ctx); err != nil {
log.Infof("Failed to stop health http server: %s", err)
}
h.nlSetup = false h.nlSetup = false
return nil return nil
} }
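Review bot: The error from `h.srv.Serve(h.ln)` on the goroutine line is discarded, so a listener failure other than the `http.ErrServerClosed` expected after `Shutdown` leaves no trace in the logs; the same applies to the pprof `Startup` and ready `onStartup` hunks. Logging everything except `ErrServerClosed` keeps the shutdown path quiet while surfacing real failures (this needs `errors` in scope; the health import block is not part of the hunk). Separately, the three `5 * time.Second` literals in the server struct repeat the value of the new `shutdownTimeout` constant for a different purpose; a dedicated named constant (for example `serverTimeout`) would make that intent explicit. `OnFinalShutdown` and `OnReload` now dereference `h.srv`, which is only safe if the `nlSetup` guard that presumably precedes these hunks still runs first; both functions start outside the hunk.

```go
	go func() {
		if err := h.srv.Serve(h.ln); err != nil && !errors.Is(err, http.ErrServerClosed) {
			log.Warningf("Health http server stopped: %s", err)
		}
	}()
```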


@@ -3,10 +3,12 @@
package pprof package pprof
import ( import (
"context"
"net" "net"
"net/http" "net/http"
pp "net/http/pprof" pp "net/http/pprof"
"runtime" "runtime"
"time"
"github.com/coredns/coredns/plugin/pkg/reuseport" "github.com/coredns/coredns/plugin/pkg/reuseport"
) )
@@ -15,9 +17,12 @@ type handler struct {
addr string addr string
rateBloc int rateBloc int
ln net.Listener ln net.Listener
srv *http.Server
mux *http.ServeMux mux *http.ServeMux
} }
const shutdownTimeout = 5 * time.Second
func (h *handler) Startup() error { func (h *handler) Startup() error {
// Reloading the plugin without changing the listening address results // Reloading the plugin without changing the listening address results
// in an error unless we reuse the port because Startup is called for // in an error unless we reuse the port because Startup is called for
@@ -42,16 +47,25 @@ func (h *handler) Startup() error {
runtime.SetBlockProfileRate(h.rateBloc) runtime.SetBlockProfileRate(h.rateBloc)
go func() { h.srv = &http.Server{
// #nosec G114 -- TODO Handler: h.mux,
http.Serve(h.ln, h.mux) ReadTimeout: 5 * time.Second,
}() WriteTimeout: 5 * time.Second,
IdleTimeout: 5 * time.Second,
}
go func() { h.srv.Serve(h.ln) }()
return nil return nil
} }
func (h *handler) Shutdown() error { func (h *handler) Shutdown() error {
if h.ln != nil { if h.srv != nil {
return h.ln.Close() ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
defer cancel()
if err := h.srv.Shutdown(ctx); err != nil {
log.Infof("Failed to stop pprof http server: %s", err)
return err
}
} }
return nil return nil
} }
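Review bot: `Shutdown` both logs and returns the `srv.Shutdown` error (the `log.Infof` line followed by `return err`), so the caller will report it a second time, and it diverges from the health and ready hunks, which only log. Handle it at one layer: since this method already returns an error, the `if h.srv != nil` branch can collapse to `ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)`, `defer cancel()`, `return h.srv.Shutdown(ctx)`. Note that the visible import hunk for this file adds `context` and `time` but no log package, so `log` must be declared elsewhere in the package; worth confirming it is the plugin logger the other two files use.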


@@ -5,10 +5,12 @@
package ready package ready
import ( import (
"context"
"io" "io"
"net" "net"
"net/http" "net/http"
"sync" "sync"
"time"
clog "github.com/coredns/coredns/plugin/pkg/log" clog "github.com/coredns/coredns/plugin/pkg/log"
"github.com/coredns/coredns/plugin/pkg/reuseport" "github.com/coredns/coredns/plugin/pkg/reuseport"
@@ -26,10 +28,13 @@ type ready struct {
sync.RWMutex sync.RWMutex
ln net.Listener ln net.Listener
srv *http.Server
done bool done bool
mux *http.ServeMux mux *http.ServeMux
} }
const shutdownTimeout = 5 * time.Second
func (rd *ready) onStartup() error { func (rd *ready) onStartup() error {
ln, err := reuseport.Listen("tcp", rd.Addr) ln, err := reuseport.Listen("tcp", rd.Addr)
if err != nil { if err != nil {
@@ -61,8 +66,14 @@ func (rd *ready) onStartup() error {
io.WriteString(w, notReadyPlugins) io.WriteString(w, notReadyPlugins)
}) })
// #nosec G114 -- TODO rd.srv = &http.Server{
go func() { http.Serve(rd.ln, rd.mux) }() Handler: rd.mux,
ReadTimeout: 5 * time.Second,
WriteTimeout: 5 * time.Second,
IdleTimeout: 5 * time.Second,
}
go func() { rd.srv.Serve(rd.ln) }()
return nil return nil
} }
@@ -76,7 +87,11 @@ func (rd *ready) onFinalShutdown() error {
uniqAddr.Unset(rd.Addr) uniqAddr.Unset(rd.Addr)
rd.ln.Close() ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
defer cancel()
if err := rd.srv.Shutdown(ctx); err != nil {
log.Infof("Failed to stop ready http server: %s", err)
}
rd.done = false rd.done = false
return nil return nil
} }
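Review bot: The `http.Server` literal with three `5 * time.Second` fields at `rd.srv = &http.Server{` is now the third verbatim copy of the same block in this commit (health, pprof, ready, plus the metrics plugin the description cites), and each copy also carries its own `shutdownTimeout` constant. A small helper in a shared package, one returning a `*http.Server` configured with these timeouts for a given `http.Handler`, would keep the servers in step when the values are revisited. Failing that, a named constant for the server timeouts in this file would at least stop the same literal from appearing four times. `onFinalShutdown` starts outside the hunk; `rd.srv.Shutdown(ctx)` assumes `onStartup` reached the server assignment, which presumably the guard before this hunk ensures.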