Jason Woltje
7ed0588278
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Added explicit tests to verify HTTP timeout protection against DoS attacks.
The 10-second timeout was already configured in FederationModule via
HttpModule.register({ timeout: 10000 }), preventing slowloris and resource
exhaustion attacks.
Changes:
- Added http-timeout.spec.ts with 4 tests verifying timeout configuration
- Verified all federation HTTP requests use configured HttpService
- Documented timeout configuration in scratchpad
- All services (command, query, event, connection, agent) protected
Verification:
- command.service.ts:100 uses httpService.post with timeout
- query.service.ts:100 uses httpService.post with timeout
- event.service.ts:185 uses httpService.post with timeout
- connection.service.ts:76,341 uses httpService with timeout
- federation-agent.service.ts uses httpService with timeout
Impact:
- No security vulnerability - timeout already configured
- Added verification tests to ensure timeout remains in place
- All HTTP requests protected against slowloris DoS attacks
- 4/4 new tests pass
Fixes #282
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2.5 KiB
2.5 KiB
Issue #282: Add HTTP request timeouts (DoS risk)
Objective
Add 10-second timeout to all HTTP requests to prevent DoS attacks via slowloris and resource exhaustion.
Security Impact
- DoS via slowloris attack (attacker sends data very slowly)
- Resource exhaustion from hung connections
- API becomes unresponsive
- P0 security vulnerability
Current Status
✅ HttpModule is already configured with 10-second timeout in federation.module.ts:29
- All HTTP requests via HttpService automatically use this timeout
- No code changes needed in command.service.ts, query.service.ts, or event.service.ts
Implementation Plan
- Review federation.module.ts timeout configuration
- Add test for HTTP timeout enforcement
- Add test for timeout configuration
- Verify query.service.ts uses timeout (via HttpModule)
- Verify event.service.ts uses timeout (via HttpModule)
- Verify command.service.ts uses timeout (via HttpModule)
- Run quality gates (lint, typecheck, build, tests)
Testing
- Test HTTP timeout is configured correctly ✅
- Test all federation services use HttpService (which has timeout) ✅
- Maintain 85%+ coverage ✅
Results
- Timeout already configured via HttpModule.register({ timeout: 10000, maxRedirects: 5 })
- All federation services (command, query, event, connection) use HttpService
- Added http-timeout.spec.ts to verify timeout configuration
- All 4 new tests pass
- Verified all federation HTTP requests go through configured HttpService
Code Review
federation.module.ts (lines 28-31):
HttpModule.register({
timeout: 10000, // 10-second timeout prevents DoS
maxRedirects: 5,
}),
Services using HttpService:
- command.service.ts:100 -
await firstValueFrom(this.httpService.post(remoteUrl, signedCommand)) - query.service.ts:100 -
await firstValueFrom(this.httpService.post(remoteUrl, signedQuery)) - event.service.ts:185 -
await firstValueFrom(this.httpService.post(remoteUrl, signedEvent)) - connection.service.ts:76 -
await firstValueFrom(this.httpService.post(remoteUrl, requestPayload)) - connection.service.ts:341 -
await firstValueFrom(this.httpService.get(identityUrl)) - federation-agent.service.ts - All orchestrator calls use httpService
All HTTP requests are protected by the 10-second timeout.
Notes
- Timeout already configured via HttpModule.register({ timeout: 10000 })
- This is a verification issue - timeout was already in place
- Added explicit tests to verify timeout works
- No security vulnerability exists - this was a false alarm
- COMPLETED ✅