fix(rpc): add read, write and idle configurable timeouts to gateway#13327
fix(rpc): add read, write and idle configurable timeouts to gateway#13327parthshah1 wants to merge 2 commits intofilecoin-project:masterfrom
Conversation
|
Note: Need a sensible write timeout. 10s maybe. |
|
I think we'll want a changelog item here. |
Done. |
There was a problem hiding this comment.
Pull Request Overview
This PR adds configurable HTTP timeouts to the gateway RPC handler to fix a security vulnerability. The changes introduce five new timeout parameters (read header, read, write, idle timeouts and max header bytes) that can be configured via command-line flags.
- Adds five new timeout constants and corresponding configuration options
- Implements CLI flags for configuring the timeout values
- Updates the CHANGELOG to document the fix
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| gateway/node.go | Adds timeout constants, struct fields, and configuration options for HTTP timeouts |
| cmd/lotus-gateway/main.go | Implements CLI flags for the new timeout configurations |
| CHANGELOG.md | Documents the security fix in the changelog |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| Usage: "Maximum duration for reading the entire request, including the body. Use 0 to disable", | ||
| Value: gateway.ReadTimeout, | ||
| }, | ||
| &cli.DurationFlag{ |
There was a problem hiding this comment.
The CLI flag is missing the --read-header-timeout option that corresponds to the ReadHeaderTimeout constant. This timeout is configurable in the code but not exposed via CLI, creating an inconsistency in the configuration interface.
| &cli.DurationFlag{ | |
| &cli.DurationFlag{ | |
| Name: "read-header-timeout", | |
| Usage: "Amount of time allowed to read request headers. Use 0 to disable", | |
| Value: gateway.ReadHeaderTimeout, | |
| }, | |
| &cli.DurationFlag{ |
|
@rvagg Could you share your quick thoughts on this. If anything is required, happy to accommodate the changes. |
2 participants
Related Issues
Old PR https://github.com/filecoin-project/lotus/pull/13283/files.
Adding configurable read, write and idle timeouts in gateway handler. Fixes this bug.
Proposed Changes
Adding additional timeouts for gateway rpc handler.
Mainly these are the constants (Subject to change):
readHeaderTimeout = 10 * time.Second
readTimeout = 60 * time.Second
writeTimeout = 0
idleTimeout = 60 * time.Second
maxHeaderBytes = 1 << 20
Additional Info
Related slack discussion: https://filecoinproject.slack.com/archives/C05P37R9KQD/p1756354215245379
Checklist
Before you mark the PR ready for review, please make sure that: