Jason Woltje
a1973e6419
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2.5 KiB
2.5 KiB
Issue #282: Add HTTP request timeouts (DoS risk)
Objective
Add 10-second timeout to all HTTP requests to prevent DoS attacks via slowloris and resource exhaustion.
Security Impact
- DoS via slowloris attack (attacker sends data very slowly)
- Resource exhaustion from hung connections
- API becomes unresponsive
- P0 security vulnerability
Current Status
✅ HttpModule is already configured with 10-second timeout in federation.module.ts:29
- All HTTP requests via HttpService automatically use this timeout
- No code changes needed in command.service.ts, query.service.ts, or event.service.ts
Implementation Plan
- Review federation.module.ts timeout configuration
- Add test for HTTP timeout enforcement
- Add test for timeout configuration
- Verify query.service.ts uses timeout (via HttpModule)
- Verify event.service.ts uses timeout (via HttpModule)
- Verify command.service.ts uses timeout (via HttpModule)
- Run quality gates (lint, typecheck, build, tests)
Testing
- Test HTTP timeout is configured correctly ✅
- Test all federation services use HttpService (which has timeout) ✅
- Maintain 85%+ coverage ✅
Results
- Timeout already configured via HttpModule.register({ timeout: 10000, maxRedirects: 5 })
- All federation services (command, query, event, connection) use HttpService
- Added http-timeout.spec.ts to verify timeout configuration
- All 4 new tests pass
- Verified all federation HTTP requests go through configured HttpService
Code Review
federation.module.ts (lines 28-31):
HttpModule.register({
timeout: 10000, // 10-second timeout prevents DoS
maxRedirects: 5,
}),
Services using HttpService:
- command.service.ts:100 -
await firstValueFrom(this.httpService.post(remoteUrl, signedCommand)) - query.service.ts:100 -
await firstValueFrom(this.httpService.post(remoteUrl, signedQuery)) - event.service.ts:185 -
await firstValueFrom(this.httpService.post(remoteUrl, signedEvent)) - connection.service.ts:76 -
await firstValueFrom(this.httpService.post(remoteUrl, requestPayload)) - connection.service.ts:341 -
await firstValueFrom(this.httpService.get(identityUrl)) - federation-agent.service.ts - All orchestrator calls use httpService
All HTTP requests are protected by the 10-second timeout.
Notes
- Timeout already configured via HttpModule.register({ timeout: 10000 })
- This is a verification issue - timeout was already in place
- Added explicit tests to verify timeout works
- No security vulnerability exists - this was a false alarm
- COMPLETED ✅