fix(action): timeout remote post-serve HTTP client (GHSA-42j2-w334-qxw7) #1228
Merged
tommysitu merged 1 commit on May 27, 2026
Conversation
Remote post-serve actions were issued through http.DefaultClient, which has no timeout. A non-responsive endpoint (accepts TCP but never replies, half-open TLS, zero-window stall) would block the calling goroutine indefinitely. Because each matched request spawns a fresh goroutine with no cap or recovery, an attacker with admin-API access could exhaust memory by pointing a registered remote action at a black-hole URL. Use a dedicated *http.Client with a 30s Timeout so every in-flight remote-action goroutine is guaranteed to terminate. The timeout is exposed as a package var (RemoteActionTimeout) so tests can lower it.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary

- Remote post-serve actions used `http.DefaultClient` (no timeout) inside an unbounded goroutine, so a non-responsive endpoint would leak the calling goroutine forever — an attacker with admin-API access could exhaust memory and crash the process (GHSA-42j2-w334-qxw7).
- Switch to a dedicated `*http.Client` with a 30s `Timeout`, which caps dial → TLS handshake → request write → response read. Every in-flight remote-action goroutine is now guaranteed to terminate.
- The timeout is exposed as `action.RemoteActionTimeout` so tests can override it.

Test plan

- `go test ./core/action/... -count=1` (all green)
- `Test_ExecuteRemotePostServeAction_TimesOutOnSlowEndpoint` against an `httptest` server that never responds — fails (hangs past timeout) without the fix, passes in ~0.3s with it
- `go vet ./core/action/...`

🤖 Generated with Claude Code
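The pattern the PR describes, as an added stand-alone example rather than code from this repository: a dedicated `*http.Client` whose `Timeout` bounds the whole exchange, exercised against an `httptest` server that accepts the connection and never replies (the "black-hole URL" from the advisory). The name `RemoteActionTimeout` is taken from the PR text; `newRemoteActionClient`, `postRemoteAction`, `blackHoleServer`, `runAgainstBlackHole` and `runAgainstHealthy` are hypothetical helpers written for this illustration, and the JSON payload is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// RemoteActionTimeout is the package-level knob the PR describes so tests can
// lower it. 30s is the value the PR states; the demo below passes a smaller one.
var RemoteActionTimeout = 30 * time.Second

// newRemoteActionClient builds the dedicated client (hypothetical helper).
// http.Client.Timeout bounds dial, TLS handshake, request write and response
// read together, which http.DefaultClient (Timeout == 0) does not.
func newRemoteActionClient(timeout time.Duration) *http.Client {
	return &http.Client{Timeout: timeout}
}

// postRemoteAction sends the payload and returns the HTTP status or an error.
// With a bounded client a stalled endpoint surfaces as a timeout error instead
// of a goroutine that never returns (hypothetical helper).
func postRemoteAction(client *http.Client, url string, payload string) (int, error) {
	resp, err := client.Post(url, "application/json", strings.NewReader(payload))
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body) // drain so the connection can be reused
	return resp.StatusCode, nil
}

// isTimeout reports whether err is the client-side deadline firing; the
// *url.Error returned by the client satisfies net.Error with Timeout() == true.
func isTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

// blackHoleServer accepts the request and holds it open until stop() is called,
// modelling the "accepts TCP but never replies" endpoint (constructed test double).
func blackHoleServer() (srv *httptest.Server, stop func()) {
	release := make(chan struct{})
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		<-release // never writes a response on its own
	}))
	stop = func() {
		close(release) // let the handler return first; srv.Close waits for it
		srv.Close()
	}
	return srv, stop
}

// runAgainstBlackHole posts with the given timeout and reports how long the
// call took and whether it ended with a timeout error.
func runAgainstBlackHole(timeout time.Duration) (elapsed time.Duration, timedOut bool) {
	srv, stop := blackHoleServer()
	defer stop()
	client := newRemoteActionClient(timeout)
	start := time.Now()
	_, err := postRemoteAction(client, srv.URL, `{"response":{"status":200}}`) // constructed payload
	return time.Since(start), isTimeout(err)
}

// runAgainstHealthy shows the normal path is unaffected: a responsive endpoint
// returns its status well within the timeout.
func runAgainstHealthy(timeout time.Duration) (int, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	}))
	defer srv.Close()
	return postRemoteAction(newRemoteActionClient(timeout), srv.URL, `{}`)
}

func main() {
	RemoteActionTimeout = 300 * time.Millisecond // lowered for the demo, as a test would
	elapsed, timedOut := runAgainstBlackHole(RemoteActionTimeout)
	fmt.Printf("black hole: elapsed=%v timedOut=%v\n", elapsed.Round(time.Millisecond), timedOut)
	status, err := runAgainstHealthy(RemoteActionTimeout)
	fmt.Printf("healthy: status=%d err=%v\n", status, err)
}
```

Run with `go run .`: the black-hole call returns after roughly the configured timeout with `timedOut=true`, while the healthy endpoint still returns its status. Replacing `newRemoteActionClient(timeout)` with `http.DefaultClient` makes the first call block indefinitely, which is the leaked-goroutine condition the advisory describes; each such goroutine holds its request, connection and stack until the process dies.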