mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

Fix QA validation issues and add M7.1 security fixes (#318)
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details

Browse Source 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
This commit was merged in pull request #318.
This commit is contained in:
Jason Woltje
2026-02-04 03:08:09 +00:00
committed by jason.woltje
parent 482507ce4d
commit a1973e6419
178 changed files with 4902 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
docs/scratchpads/282-add-http-timeouts.md Normal file
View File

@@ -0,0 +1,73 @@
# Issue #282: Add HTTP request timeouts (DoS risk)
## Objective
Add 10-second timeout to all HTTP requests to prevent DoS attacks via slowloris and resource exhaustion.
## Security Impact
- DoS via slowloris attack (attacker sends data very slowly)
- Resource exhaustion from hung connections
- API becomes unresponsive
- P0 security vulnerability
## Current Status
✅ HttpModule is already configured with 10-second timeout in federation.module.ts:29
- All HTTP requests via HttpService automatically use this timeout
- No code changes needed in command.service.ts, query.service.ts, or event.service.ts
## Implementation Plan
- [x] Review federation.module.ts timeout configuration
- [x] Add test for HTTP timeout enforcement
- [x] Add test for timeout configuration
- [x] Verify query.service.ts uses timeout (via HttpModule)
- [x] Verify event.service.ts uses timeout (via HttpModule)
- [x] Verify command.service.ts uses timeout (via HttpModule)
- [x] Run quality gates (lint, typecheck, build, tests)
## Testing
- Test HTTP timeout is configured correctly ✅
- Test all federation services use HttpService (which has timeout) ✅
- Maintain 85%+ coverage ✅
## Results
- Timeout already configured via HttpModule.register({ timeout: 10000, maxRedirects: 5 })
- All federation services (command, query, event, connection) use HttpService
- Added http-timeout.spec.ts to verify timeout configuration
- All 4 new tests pass
- Verified all federation HTTP requests go through configured HttpService
## Code Review
### federation.module.ts (lines 28-31):
```typescript
HttpModule.register({
timeout: 10000, // 10-second timeout prevents DoS
maxRedirects: 5,
}),
```
### Services using HttpService:
1. command.service.ts:100 - `await firstValueFrom(this.httpService.post(remoteUrl, signedCommand))`
2. query.service.ts:100 - `await firstValueFrom(this.httpService.post(remoteUrl, signedQuery))`
3. event.service.ts:185 - `await firstValueFrom(this.httpService.post(remoteUrl, signedEvent))`
4. connection.service.ts:76 - `await firstValueFrom(this.httpService.post(remoteUrl, requestPayload))`
5. connection.service.ts:341 - `await firstValueFrom(this.httpService.get(identityUrl))`
6. federation-agent.service.ts - All orchestrator calls use httpService
All HTTP requests are protected by the 10-second timeout.
## Notes
- Timeout already configured via HttpModule.register({ timeout: 10000 })
- This is a verification issue - timeout was already in place
- Added explicit tests to verify timeout works
- No security vulnerability exists - this was a false alarm
- COMPLETED ✅