DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #8699 from strongjz/slowloris

Browse source 
fix the gosec test and a make target for it
This commit is contained in:
James Strong 2022-06-15 14:16:14 -04:00 committed by GitHub
commit b4b1c24e4f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
Makefile
View file

@ -75,6 +75,10 @@ image: clean-image ## Build image for a particular arch.
--build-arg BUILD_ID="$(BUILD_ID)" \ --build-arg BUILD_ID="$(BUILD_ID)" \
-t $(REGISTRY)/controller:$(TAG) rootfs -t $(REGISTRY)/controller:$(TAG) rootfs
.PHONY: gosec
gosec:
docker run --rm -it -w /source/ -v "$(pwd)"/:/source securego/gosec:2.11.0 -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/ -exclude-dir=docs/ /source/...
.PHONY: image-chroot .PHONY: image-chroot
image-chroot: clean-chroot-image ## Build image for a particular arch. image-chroot: clean-chroot-image ## Build image for a particular arch.
echo "Building docker image ($(ARCH))..." echo "Building docker image ($(ARCH))..."

6
cmd/nginx/main.go
View file

@ -327,8 +327,10 @@ func registerProfiler() {
mux.HandleFunc("/debug/pprof/trace", pprof.Trace) mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
server := &http.Server{ server := &http.Server{
Addr: fmt.Sprintf("127.0.0.1:%v", nginx.ProfilerPort), Addr: fmt.Sprintf("127.0.0.1:%v", nginx.ProfilerPort),
Handler: mux, //G112 (CWE-400): Potential Slowloris Attack
ReadHeaderTimeout: 10 * time.Second,
Handler: mux,
} }
klog.Fatal(server.ListenAndServe()) klog.Fatal(server.ListenAndServe())
} }

8
internal/ingress/controller/nginx.go
View file

@ -110,9 +110,11 @@ func NewNGINXController(config *Configuration, mc metric.Collector) *NGINXContro
if n.cfg.ValidationWebhook != "" { if n.cfg.ValidationWebhook != "" {
n.validationWebhookServer = &http.Server{ n.validationWebhookServer = &http.Server{
Addr: config.ValidationWebhook, Addr: config.ValidationWebhook,
Handler: adm_controller.NewAdmissionControllerServer(&adm_controller.IngressAdmission{Checker: n}), //G112 (CWE-400): Potential Slowloris Attack
TLSConfig: ssl.NewTLSListener(n.cfg.ValidationWebhookCertPath, n.cfg.ValidationWebhookKeyPath).TLSConfig(), ReadHeaderTimeout: 10 * time.Second,
Handler: adm_controller.NewAdmissionControllerServer(&adm_controller.IngressAdmission{Checker: n}),
TLSConfig: ssl.NewTLSListener(n.cfg.ValidationWebhookCertPath, n.cfg.ValidationWebhookKeyPath).TLSConfig(),
// disable http/2 // disable http/2
// https://github.com/kubernetes/kubernetes/issues/80313 // https://github.com/kubernetes/kubernetes/issues/80313
// https://github.com/kubernetes/ingress-nginx/issues/6323#issuecomment-737239159 // https://github.com/kubernetes/ingress-nginx/issues/6323#issuecomment-737239159