Skip to content

Fix HTTP server timeout exposure and XSS in monitoring exporter#1007

Merged
or-else merged 2 commits into
develfrom
copilot/scan-repository-for-security-vulnerabilities
Jul 5, 2026
Merged

Fix HTTP server timeout exposure and XSS in monitoring exporter#1007
or-else merged 2 commits into
develfrom
copilot/scan-repository-for-security-vulnerabilities

Conversation

Copilot AI commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Four security vulnerabilities identified by gosec scan: two Slowloris-susceptible HTTP servers, one XSS injection point, and use of math/rand where crypto/rand was already available.

Changes

  • server/http.go — HTTP→HTTPS redirect server used bare http.ListenAndServe with no timeouts. Replaced with http.Server carrying ReadHeaderTimeout: 10s / IdleTimeout: 30s / WriteTimeout: 90s, matching the main server config.

  • monitoring/exporter/main.go — Same no-timeout issue on the exporter server. Also, the /push endpoint embedded err.Error() directly into an HTML response:

    // Before — XSS if error string contains attacker-influenced content
    w.Write([]byte(`<pre>` + msg + `</pre>`))
    
    // After
    w.Write([]byte(`<pre>` + html.EscapeString(msg) + `</pre>`))
  • server/validate/email/validate.gorandomBoundary() called math/rand.Read despite crypto/rand already being imported for OTP generation. Switched to crand.Read with error handling (time-based fallback on entropy failure).

Copilot AI changed the title Fix security vulnerabilities found by gosec scan Fix HTTP server timeout exposure and XSS in monitoring exporter Jul 5, 2026
Copilot AI requested a review from or-else July 5, 2026 12:42
@or-else or-else marked this pull request as ready for review July 5, 2026 12:48
Copilot AI review requested due to automatic review settings July 5, 2026 12:48
@or-else or-else merged commit 3b4d275 into devel Jul 5, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses security findings from gosec by hardening HTTP server configurations against Slowloris-style attacks, mitigating an XSS vector in the monitoring exporter, and using crypto/rand for boundary generation where appropriate.

Changes:

  • Replaced a bare http.ListenAndServe HTTP→HTTPS redirect listener with an http.Server configured with timeouts and header limits.
  • Escaped error output in the exporter’s /push HTML response and replaced ListenAndServe with a timeout-configured http.Server.
  • Updated email validator boundary generation to use crypto/rand with a time-based fallback on entropy failure.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

File Description
server/validate/email/validate.go Switches boundary generation from math/rand to crypto/rand with error handling.
server/http.go Hardens the HTTP→HTTPS redirect server by using http.Server timeouts/header limits.
monitoring/exporter/main.go Escapes HTML in /push output and adds timeouts to the exporter HTTP server.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread server/http.go
Comment on lines 64 to 76
go func() {
if err := http.ListenAndServe(globals.tlsRedirectHTTP, tlsRedirect(addr)); err != nil && err != http.ErrServerClosed {
redirectServer := &http.Server{
Addr: globals.tlsRedirectHTTP,
Handler: tlsRedirect(addr),
ReadHeaderTimeout: 10 * time.Second,
IdleTimeout: 30 * time.Second,
WriteTimeout: 90 * time.Second,
MaxHeaderBytes: 1 << 14,
}
if err := redirectServer.ListenAndServe(); err != nil && err != http.ErrServerClosed {
logs.Info.Println("HTTP redirect failed:", err)
}
}()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants