[KLC-2434] bound REST slow-body reads and tighten header/body caps (GHSA-w4c6-7r69-w7j9)

fbsobreira · fbsobreira · commit 785b77ccb271 · 2026-06-01T09:58:16.000-04:00
Follow-up to KLC-2428 (slow-header fix): extend the slow-header hardening on the
shared http.Server with a slow-body defense and tighter limits:

- Add a per-request body read deadline (30s) via ResponseController.SetReadDeadline,
  applied only to body-bearing requests so the bodiless websocket handshakes
  (/log, /subscribe) are never wrapped, and cleared once the body is read so it
  never cancels a slow post-read handler.
- Gate the exemption on bodiless requests instead of an Upgrade: websocket header,
  which a client could spoof on a POST to skip the deadline.
- Set MaxHeaderBytes to 32 KiB; the previous 1 MiB matched Go's default and was a no-op.
- Lower MaxBodyBytes to 2 MiB.
- Clear the read deadline under sync.Once.

Cover the body deadline (slow-body cut, slow-handler-not-cancelled, bodiless-upgrade
skip), a live websocket round-trip through the hardened server, and an end-to-end
slow-header drop on the real seednode routes.
diff --git a/cmd/seednode/api/api_test.go b/cmd/seednode/api/api_test.go
@@ -1,7 +1,9 @@
 package api
 
 import (
+	"bufio"
 	"encoding/json"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"strings"
@@ -10,6 +12,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/klever-io/klever-go/core"
+	"github.com/klever-io/klever-go/network/api/httpserver"
 )
 
 type stubMessenger struct {
@@ -45,6 +48,41 @@ func setup(t *testing.T) (*gin.Engine, *stubMessenger) {
 	return r, stub
 }
 
+// TestSeednodeAPI_HardenedServerDropsSlowHeader serves the real seednode routes through
+// NewHardenedServer and confirms the seednode listener (the reporter's PoC path) drops a
+// slow-header connection — GHSA-w4c6-7r69-w7j9, verified end-to-end, not just wired.
+func TestSeednodeAPI_HardenedServerDropsSlowHeader(t *testing.T) {
+	r, _ := setup(t)
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("listen: %v", err)
+	}
+
+	srv := httpserver.NewHardenedServer(ln.Addr().String(), r.Handler())
+	srv.ReadHeaderTimeout = 200 * time.Millisecond // tighten for a fast test
+	go func() { _ = srv.Serve(ln) }()
+	defer func() { _ = srv.Close() }()
+
+	conn, err := net.Dial("tcp", ln.Addr().String())
+	if err != nil {
+		t.Fatalf("dial: %v", err)
+	}
+	defer func() { _ = conn.Close() }()
+
+	// Partial header, never terminated: the seednode listener must drop it.
+	if _, err := conn.Write([]byte("GET /node/status HTTP/1.1\r\nHost: x\r\n")); err != nil {
+		t.Fatalf("write: %v", err)
+	}
+
+	start := time.Now()
+	_ = conn.SetReadDeadline(time.Now().Add(3 * time.Second))
+	_, _ = bufio.NewReader(conn).ReadString('\n')
+	if elapsed := time.Since(start); elapsed > time.Second {
+		t.Fatalf("slow-header connection not dropped promptly: %v", elapsed)
+	}
+}
+
 func TestPeers_returnsCountsAndSortedAddresses(t *testing.T) {
 	r, _ := setup(t)
 
diff --git a/network/api/httpserver/httpserver.go b/network/api/httpserver/httpserver.go
@@ -1,61 +1,102 @@
-// Package httpserver builds the hardened *http.Server shared by both REST start
-// paths (seednode and node). Gin's Engine.Run uses http.ListenAndServe with no
-// ReadHeaderTimeout, leaving it open to slow-header connection exhaustion
-// (GHSA-w4c6-7r69-w7j9); this helper hardens both listeners identically.
+// Package httpserver builds the hardened *http.Server shared by both REST start paths
+// (seednode and node). Gin's Engine.Run uses http.ListenAndServe with no
+// ReadHeaderTimeout, leaving it open to slow-header exhaustion (GHSA-w4c6-7r69-w7j9).
 package httpserver
 
 import (
+	"io"
 	"net/http"
+	"sync"
 	"time"
 )
 
 const (
-	// ReadHeaderTimeout is the slow-header (slowloris) mitigation: it bounds the
-	// time to send the complete header. Header-only, so it is safe for the
-	// long-lived websocket streams these APIs serve (cleared before hijack).
+	// ReadHeaderTimeout bounds header read time — the slow-header (slowloris) fix.
 	ReadHeaderTimeout = 10 * time.Second
 
-	// IdleTimeout bounds how long an idle keep-alive connection stays open.
+	// BodyReadTimeout bounds body read time — the slow-body fix.
+	BodyReadTimeout = 30 * time.Second
+
+	// IdleTimeout bounds idle keep-alive connections.
 	IdleTimeout = 120 * time.Second
 
-	// MaxHeaderBytes caps request header size (Go's default, set explicitly).
-	MaxHeaderBytes = 1 << 20 // 1 MiB
+	// MaxHeaderBytes caps total request header size (Go's 1 MiB default is a no-op).
+	MaxHeaderBytes = 32 << 10 // 32 KiB
 
-	// MaxBodyBytes caps the request body. A single tx is bounded by the ~960 KiB
-	// P2P wire limit (~1.9 MiB once JSON-encoded), so 4 MiB covers the largest
-	// legitimate request with margin; bulk /transaction/broadcast is additionally
-	// bounded by an explicit tx count. Over-cap bodies are refused (400 on bind,
-	// 413 raw). Bounds body size, not read time — see the body read-deadline follow-up.
-	MaxBodyBytes = 4 << 20 // 4 MiB
+	// MaxBodyBytes caps the request body; over-cap bodies are refused (400/413).
+	MaxBodyBytes = 2 << 20 // 2 MiB
 )
 
-// NewHardenedServer returns an *http.Server for addr serving handler, hardened
-// against slow-header exhaustion and oversized bodies. ReadTimeout/WriteTimeout
-// are left unset on purpose: a whole-connection deadline would sever the
-// long-lived websocket streams these APIs serve (/log, /subscribe).
+// NewHardenedServer returns an *http.Server hardened against slow-header/slow-body
+// exhaustion. ReadTimeout/WriteTimeout are left unset: a whole-connection deadline
+// would sever the long-lived websocket streams these APIs serve (/log, /subscribe).
 func NewHardenedServer(addr string, handler http.Handler) *http.Server {
 	return &http.Server{
 		Addr:              addr,
-		Handler:           limitRequestBody(handler),
+		Handler:           guardRequestBody(handler),
 		ReadHeaderTimeout: ReadHeaderTimeout,
 		IdleTimeout:       IdleTimeout,
 		MaxHeaderBytes:    MaxHeaderBytes,
 	}
 }
 
-// limitRequestBody caps every request body at MaxBodyBytes.
-func limitRequestBody(next http.Handler) http.Handler {
-	return limitRequestBodyN(next, MaxBodyBytes)
-}
-
-// limitRequestBodyN caps each request body at limit bytes. Applied ahead of gin so
-// w is the *http.response MaxBytesReader needs to close an over-cap connection.
-// Websocket upgrades hijack the connection and never read r.Body, so are unaffected.
-func limitRequestBodyN(next http.Handler, limit int64) http.Handler {
+// guardRequestBody caps body size (MaxBodyBytes) and body read time (BodyReadTimeout).
+// Applied ahead of gin so w is the *http.response both mechanisms need.
+func guardRequestBody(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Body != nil {
-			r.Body = http.MaxBytesReader(w, r.Body, limit)
-		}
+		capRequestBody(w, r, MaxBodyBytes)
+		applyBodyReadDeadline(w, r, BodyReadTimeout)
 		next.ServeHTTP(w, r)
 	})
 }
+
+// capRequestBody limits r.Body to limit bytes.
+func capRequestBody(w http.ResponseWriter, r *http.Request, limit int64) {
+	if r.Body != nil {
+		r.Body = http.MaxBytesReader(w, r.Body, limit)
+	}
+}
+
+// applyBodyReadDeadline bounds body read time at d, clearing the deadline once the body
+// is read so it never cancels a slow post-read handler. Bodiless requests are skipped —
+// that covers the websocket handshakes (/log, /subscribe), which are bodiless GETs, and
+// leaves no Upgrade-header check for a body-bearing request to spoof.
+func applyBodyReadDeadline(w http.ResponseWriter, r *http.Request, d time.Duration) {
+	if r.Body == nil || !requestHasBody(r) {
+		return
+	}
+	rc := http.NewResponseController(w)
+	if rc.SetReadDeadline(time.Now().Add(d)) != nil {
+		return
+	}
+	r.Body = &deadlineClearingBody{ReadCloser: r.Body, rc: rc}
+}
+
+func requestHasBody(r *http.Request) bool {
+	return r.ContentLength != 0 // 0 = no body; -1 (chunked) and positive = body
+}
+
+// deadlineClearingBody clears the read deadline once the body read completes (EOF or
+// error) or the body is closed, so the deadline never cancels a later slow handler.
+type deadlineClearingBody struct {
+	io.ReadCloser
+	rc        *http.ResponseController
+	clearOnce sync.Once
+}
+
+func (b *deadlineClearingBody) clear() {
+	b.clearOnce.Do(func() { _ = b.rc.SetReadDeadline(time.Time{}) })
+}
+
+func (b *deadlineClearingBody) Read(p []byte) (int, error) {
+	n, err := b.ReadCloser.Read(p)
+	if err != nil {
+		b.clear()
+	}
+	return n, err
+}
+
+func (b *deadlineClearingBody) Close() error {
+	b.clear()
+	return b.ReadCloser.Close()
+}
diff --git a/network/api/httpserver/httpserver_test.go b/network/api/httpserver/httpserver_test.go
@@ -11,6 +11,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/gorilla/websocket"
 	"github.com/stretchr/testify/require"
 )
 
@@ -125,13 +126,14 @@ func TestNewHardenedServer_CapsRequestBody(t *testing.T) {
 
 	// Status carries the read outcome, so assertions read only the response code —
 	// no state shared across the server/test goroutines.
-	handler := limitRequestBodyN(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capRequestBody(w, r, limit)
 		if _, err := io.ReadAll(r.Body); err != nil {
 			w.WriteHeader(http.StatusRequestEntityTooLarge)
 			return
 		}
 		w.WriteHeader(http.StatusOK)
-	}), limit)
+	})
 
 	srv := httptest.NewServer(handler)
 	defer srv.Close()
@@ -148,3 +150,157 @@ func TestNewHardenedServer_CapsRequestBody(t *testing.T) {
 	_ = resp.Body.Close()
 	require.Equal(t, http.StatusOK, resp.StatusCode, "body within the cap must be accepted")
 }
+
+// TestApplyBodyReadDeadline_CutsSlowBody: a client that completes the header, promises
+// a large body, then stalls is cut at ~BodyReadTimeout instead of pinning the connection.
+func TestApplyBodyReadDeadline_CutsSlowBody(t *testing.T) {
+	t.Parallel()
+
+	const deadline = 300 * time.Millisecond
+
+	readDone := make(chan error, 1)
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		applyBodyReadDeadline(w, r, deadline)
+		_, err := io.ReadAll(r.Body)
+		readDone <- err
+	})
+
+	srv := httptest.NewServer(handler)
+	defer srv.Close()
+
+	conn, err := net.Dial("tcp", srv.Listener.Addr().String())
+	require.Nil(t, err)
+	defer func() { _ = conn.Close() }()
+
+	// Promise 1 MiB but send only a few bytes, then stall — the body read blocks.
+	_, err = fmt.Fprint(conn, "POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 1048576\r\n\r\npartial")
+	require.Nil(t, err)
+
+	start := time.Now()
+	select {
+	case err := <-readDone:
+		require.Error(t, err, "a stalled body read must be cut by the deadline")
+		require.Less(t, time.Since(start), 2*time.Second, "body must be cut promptly (~BodyReadTimeout)")
+	case <-time.After(2 * time.Second):
+		t.Fatal("stalled body read was not cut by the deadline")
+	}
+}
+
+// TestApplyBodyReadDeadline_DoesNotCancelSlowHandler: a handler that reads the body then
+// works past the deadline still returns 200 — the deadline bounds the body read, not
+// post-read CPU work (e.g. a VM query) or the response write. (clear() has no observable
+// effect to assert in standard net/http, so this checks the property that matters.)
+func TestApplyBodyReadDeadline_DoesNotCancelSlowHandler(t *testing.T) {
+	t.Parallel()
+
+	const deadline = 200 * time.Millisecond
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		applyBodyReadDeadline(w, r, deadline)
+		if _, err := io.ReadAll(r.Body); err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		time.Sleep(3 * deadline) // work well past the deadline
+		w.WriteHeader(http.StatusOK)
+	})
+
+	srv := httptest.NewServer(handler)
+	defer srv.Close()
+
+	resp, err := http.Post(srv.URL, "text/plain", bytes.NewReader([]byte("hello")))
+	require.Nil(t, err)
+	_ = resp.Body.Close()
+	require.Equal(t, http.StatusOK, resp.StatusCode,
+		"the body deadline must not cancel a slow post-read handler")
+}
+
+// TestRequestHasBody covers the predicate that gates the body deadline: bodiless requests
+// (including the bodiless-GET websocket handshakes) are skipped.
+func TestRequestHasBody(t *testing.T) {
+	t.Parallel()
+
+	require.False(t, requestHasBody(&http.Request{ContentLength: 0}), "no body (incl. websocket handshake)")
+	require.True(t, requestHasBody(&http.Request{ContentLength: 5}), "known body")
+	require.True(t, requestHasBody(&http.Request{ContentLength: -1}), "chunked body")
+}
+
+// TestApplyBodyReadDeadline_SkipsBodilessUpgrade: a bodiless GET with Upgrade: websocket
+// is not wrapped (no deadline armed), so the /log and /subscribe streams are never severed.
+func TestApplyBodyReadDeadline_SkipsBodilessUpgrade(t *testing.T) {
+	t.Parallel()
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		before := r.Body
+		applyBodyReadDeadline(w, r, BodyReadTimeout)
+		// r.Body must be unchanged — a wrapped body would mean a deadline was armed.
+		if r.Body != before {
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		w.WriteHeader(http.StatusOK)
+	})
+
+	srv := httptest.NewServer(handler)
+	defer srv.Close()
+
+	req, err := http.NewRequest(http.MethodGet, srv.URL, nil) // bodiless GET, like a handshake
+	require.Nil(t, err)
+	req.Header.Set("Connection", "Upgrade")
+	req.Header.Set("Upgrade", "websocket")
+
+	resp, err := http.DefaultClient.Do(req)
+	require.Nil(t, err)
+	_ = resp.Body.Close()
+	require.Equal(t, http.StatusOK, resp.StatusCode, "bodiless websocket handshake must not be wrapped")
+}
+
+// TestNewHardenedServer_WebSocketStreamWorks: a real websocket upgrade survives the
+// hardened server — frames round-trip across idle gaps without the stream being severed.
+func TestNewHardenedServer_WebSocketStreamWorks(t *testing.T) {
+	t.Parallel()
+
+	upgrader := websocket.Upgrader{CheckOrigin: func(*http.Request) bool { return true }}
+	mux := http.NewServeMux()
+	mux.HandleFunc("/ws", func(w http.ResponseWriter, r *http.Request) {
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			return
+		}
+		defer func() { _ = conn.Close() }()
+		for { // echo until the client closes
+			mt, msg, err := conn.ReadMessage()
+			if err != nil {
+				return
+			}
+			if err := conn.WriteMessage(mt, msg); err != nil {
+				return
+			}
+		}
+	})
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.Nil(t, err)
+	srv := NewHardenedServer(ln.Addr().String(), mux)
+	go func() { _ = srv.Serve(ln) }()
+	defer func() { _ = srv.Close() }()
+
+	dialer := websocket.Dialer{}
+	wsURL := "ws://" + ln.Addr().String() + "/ws"
+	conn, resp, err := dialer.Dial(wsURL, nil)
+	require.Nil(t, err, "websocket upgrade must succeed through the hardened server")
+	require.Equal(t, http.StatusSwitchingProtocols, resp.StatusCode)
+	defer func() { _ = conn.Close() }()
+
+	// Exchange frames with an idle gap between them to show the stream stays open and is
+	// not cut by ReadHeaderTimeout/IdleTimeout/body deadline once upgraded.
+	for i, gap := range []time.Duration{0, 250 * time.Millisecond, 250 * time.Millisecond} {
+		time.Sleep(gap)
+		want := fmt.Sprintf("frame-%d", i)
+		require.Nil(t, conn.WriteMessage(websocket.TextMessage, []byte(want)))
+		_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
+		_, got, err := conn.ReadMessage()
+		require.Nil(t, err, "frame %d must round-trip", i)
+		require.Equal(t, want, string(got))
+	}
+}
