Update everything to Go 1.19 and fix potential Slowloris Attacks

4 months ago · 93d176676f
parent 94222cb461
commit 93d176676f
8 changed files with 25 additions and 20 deletions
--- a/.golangci.yml
+++ b/.golangci.yml
@ -32,10 +32,10 @@ linters:
    - gosec
 linters-settings:
  gosimple:
-    go: "1.18"
+    go: "1.19"
    checks: ["all"]
  gostatichcheck:
-    go: "1.18"
+    go: "1.19"
    checks: ["all"]
  dupl:
    threshold: 125
--- a/docs/build.md
+++ b/docs/build.md
@ -30,7 +30,7 @@ Requirements:

 - Linux
 - git
- go >= 1.17
+- go >= 1.19
 - libsqlite3 with FTS5 enabled >= 3.31 (the newer the better)

 Build command:
--- a/go.mod
+++ b/go.mod
@ -1,6 +1,6 @@
 module go.goblog.app/app

-go 1.18
+go 1.19

 require (
 	git.jlel.se/jlelse/go-geouri v0.0.0-20210525190615-a9c1d50f42d6
@ -58,7 +58,7 @@ require (
 	// master
 	github.com/yuin/goldmark-emoji v1.0.2-0.20210607094911-0487583eca38
 	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
-	golang.org/x/net v0.0.0-20220728211354-c7608f3a8462
+	golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48
 	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
 	golang.org/x/text v0.3.7
 	gopkg.in/yaml.v3 v3.0.1
--- a/go.sum
+++ b/go.sum
@ -617,8 +617,8 @@ golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220728211354-c7608f3a8462 h1:UreQrH7DbFXSi9ZFox6FNT3WBooWmdANpU+IfkT1T4I=
-golang.org/x/net v0.0.0-20220728211354-c7608f3a8462/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48 h1:N9Vc/rorQUDes6B9CNdIxAn5jODGj2wzfrei2x4wNj4=
+golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
--- a/http.go
+++ b/http.go
@ -56,9 +56,10 @@ func (a *goBlog) startServer() (err error) {
 	}
 	// Start server
 	s := &http.Server{
-		Handler:      finalHandler,
-		ReadTimeout:  5 * time.Minute,
-		WriteTimeout: 5 * time.Minute,
+		Handler:           finalHandler,
+		ReadHeaderTimeout: 1 * time.Minute,
+		ReadTimeout:       5 * time.Minute,
+		WriteTimeout:      5 * time.Minute,
 	}
 	a.shutdown.Add(shutdownServer(s, "main server"))
 	if a.cfg.Server.PublicHTTPS || a.cfg.Server.TailscaleHTTPS {
@ -69,10 +70,11 @@ func (a *goBlog) startServer() (err error) {
 				h = m.HTTPHandler(h)
 			}
 			httpServer := &http.Server{
-				Addr:         ":80",
-				Handler:      h,
-				ReadTimeout:  5 * time.Minute,
-				WriteTimeout: 5 * time.Minute,
+				Addr:              ":80",
+				Handler:           h,
+				ReadHeaderTimeout: 1 * time.Minute,
+				ReadTimeout:       5 * time.Minute,
+				WriteTimeout:      5 * time.Minute,
 			}
 			a.shutdown.Add(shutdownServer(httpServer, "http server"))
 			if err := a.listenAndServe(httpServer); err != nil && err != http.ErrServerClosed {
--- a/main.go
+++ b/main.go
@ -9,6 +9,7 @@ import (
 	"os"
 	"runtime"
 	"runtime/pprof"
+	"time"

 	"github.com/pquerna/otp/totp"
 )
@ -109,8 +110,9 @@ func main() {
 			pprofHandler.HandleFunc("/debug/pprof/trace", netpprof.Trace)
 			// Build server and listener
 			pprofServer := &http.Server{
-				Addr:    defaultIfEmpty(pprofCfg.Address, "localhost:0"),
-				Handler: pprofHandler,
+				Addr:              defaultIfEmpty(pprofCfg.Address, "localhost:0"),
+				Handler:           pprofHandler,
+				ReadHeaderTimeout: 1 * time.Minute,
 			}
 			listener, err := net.Listen("tcp", pprofServer.Addr)
 			if err != nil {
--- a/tor.go
+++ b/tor.go
@ -66,9 +66,10 @@ func (a *goBlog) startOnionService(h http.Handler) error {
 	a.cache.purge()
 	// Serve handler
 	s := &http.Server{
-		Handler:      middleware.WithValue(torUsedKey, true)(h),
-		ReadTimeout:  5 * time.Minute,
-		WriteTimeout: 5 * time.Minute,
+		Handler:           middleware.WithValue(torUsedKey, true)(h),
+		ReadHeaderTimeout: 1 * time.Minute,
+		ReadTimeout:       5 * time.Minute,
+		WriteTimeout:      5 * time.Minute,
 	}
 	a.shutdown.Add(shutdownServer(s, "tor"))
 	if err = s.Serve(onion); err != nil && err != http.ErrServerClosed {
--- a/updateDeps.sh
+++ b/updateDeps.sh
@ -1,4 +1,4 @@
 #!/bin/bash

 GOFLAGS="-tags=linux,libsqlite3,sqlite_fts5" go get -d $(go list -f '{{if not (or .Main .Indirect)}}{{.Path}}{{end}}' -m all)
-GOFLAGS="-tags=linux,libsqlite3,sqlite_fts5" go mod tidy -compat 1.18
+GOFLAGS="-tags=linux,libsqlite3,sqlite_fts5" go mod tidy -compat 1.19