Improve Server Security

Prevent potential "Slowloris Attacks" by setting sensible default
timeout values in the http.Server instance used.

More information:
https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/

.github/workflows/ci.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18.x
+          go-version: 1.19.x
 
       # Checkout code
       - name: Checkout repository
@@ -39,7 +39,7 @@ jobs:
     needs: scan
     strategy:
       matrix:
-        go-version: [1.17.x, 1.18.x]
+        go-version: [1.18.x, 1.19.x]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     timeout-minutes: 15
@@ -69,9 +69,9 @@ jobs:
       # Style consistency and static analysis using 'golangci-lint'
       # https://github.com/marketplace/actions/run-golangci-lint
       - name: Static analysis
-        uses: golangci/golangci-lint-action@v3.2.0
+        uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.48.0
+          version: v1.50.1
 
       # Run unit tests
       - name: Test

.github/workflows/maintenance.yml

@@ -7,7 +7,7 @@ jobs:
     name: "close stale issues and pull requests"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v5
+      - uses: actions/stale@v7
         with:
           # On the 'debug' mode the action will not perform any operation.
           # Add the secret ACTIONS_STEP_DEBUG with a value of 'true' in the repository.

.github/workflows/publish.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18.x
+          go-version: 1.19.x
 
       # Checkout code
       - name: Checkout repository
@@ -29,7 +29,7 @@ jobs:
       # if: steps.vendor-cache.outputs.cache-hit != 'true'
       - name: Restore vendor from cache
         id: vendor-cache
-        uses: actions/cache@v3.0.2
+        uses: actions/cache@v3
         env:
           cache-name: vendor
         with:
@@ -39,7 +39,7 @@ jobs:
       # Use goreleaser to create the new release
       # https://github.com/goreleaser/goreleaser-action
       - name: Create release
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@v4
         if: startsWith(github.ref, 'refs/tags/')
         with:
           version: latest

.golangci.yml

@@ -3,13 +3,7 @@ run:
   issues-exit-code: 1
   tests: true
   build-tags: []
-  skip-dirs:
-    - vendor$
-    - third_party$
-    - testdata$
-    - examples$
-    - Godeps$
-    - builtin$
+  skip-dirs-use-default: true
   skip-files:
     - ".*\\.pb\\.go$"
     - ".*\\.pb\\.gw\\.go$"
@@ -28,9 +22,7 @@ linters:
     - gofmt
     - ineffassign
     - staticcheck
-    - structcheck
     - typecheck
-    - varcheck
     - gocyclo
     - goconst
     - depguard
@@ -52,16 +44,20 @@ linters:
     - noctx
     - predeclared
     - exportloopref
-    - wastedassign
     - whitespace
+    # Deprecated linters
     #- wrapcheck
     #- nestif
     #- funlen
     #- ifshort
+    #- varcheck
   disable:
     - deadcode
     - unused
     - dupl
+    # https://github.com/golangci/golangci-lint/issues/2649
+    - structcheck
+    - wastedassign
 issues:
   exclude-use-default: false
   exclude-rules:

.goreleaser.yml

@@ -56,6 +56,7 @@ checksum:
 # https://goreleaser.com/customization/source/
 source:
   enabled: true
+  rlcp: true
 # produce test releases
 # https://goreleaser.com/customization/snapshots/
 snapshot:

Makefile

@@ -75,10 +75,10 @@ lint:
 release:
 	goreleaser release --skip-validate --skip-publish --rm-dist
 
-## scan: Look for known vulnerabilities in the project dependencies
+## scan-deps: Look for known vulnerabilities in the project dependencies
 # https://github.com/sonatype-nexus-community/nancy
-scan:
-	@go list -mod=readonly -f '{{if not .Indirect}}{{.}}{{end}}' -m all | nancy sleuth --skip-update-check
+scan-deps:
+	@go list -json -deps ./... | nancy sleuth --skip-update-check
 
 ## test: Run unit tests excluding the vendor dependencies
 test:

go.mod

@@ -2,4 +2,9 @@ module github.com/bryk-io/go-vanity
 
 go 1.16
 
-require gopkg.in/yaml.v2 v2.4.0
+require (
+	github.com/kr/pretty v0.3.0 // indirect
+	github.com/rogpeppe/go-internal v1.8.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	gopkg.in/yaml.v2 v2.4.0
+)

go.sum

@@ -1,4 +1,20 @@
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8=
+github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=

main.go

@@ -12,6 +12,7 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+	"time"
 
 	"gopkg.in/yaml.v2"
 )
@@ -53,7 +54,14 @@ func main() {
 	// Start server
 	h := newHandler(conf)
 	fmt.Println("serving on port:", port)
-	if err := http.ListenAndServe(fmt.Sprintf(":%d", port), logMiddleware(getServerMux(h))); err != nil {
+	srv := http.Server{
+		Addr:              fmt.Sprintf(":%d", port),
+		Handler:           logMiddleware(getServerMux(h)),
+		ReadHeaderTimeout: 5 * time.Second,
+		WriteTimeout:      5 * time.Second,
+		ReadTimeout:       10 * time.Second,
+	}
+	if err := srv.ListenAndServe(); err != nil {
 		fmt.Println("server error: ", err)
 		os.Exit(-1)
 	}