Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Exempt bootstrap package uploads from server-side request timeout #25536

Merged
merged 2 commits into from
Jan 17, 2025
Merged

Exempt bootstrap package uploads from server-side request timeout #25536

merged 2 commits into from
Jan 17, 2025

Conversation

iansltx
Copy link
Member

@iansltx iansltx commented Jan 17, 2025

For #25533

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.
  • A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it)
  • Manual QA for all new/changed functionality

@iansltx iansltx requested a review from a team as a code owner January 17, 2025 06:07
@codecov Codecov
Copy link

codecov bot commented Jan 17, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.

Project coverage is 63.59%. Comparing base (8407aef) to head (a2e3cd5).
Report is 8 commits behind head on main.

Files with missing lines Patch % Lines
cmd/fleet/serve.go 0.00% 3 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #25536      +/-   ##
==========================================
- Coverage   63.59%   63.59%   -0.01%     
==========================================
  Files        1619     1619              
  Lines      155002   155003       +1     
  Branches     3985     3985              
==========================================
- Hits        98572    98568       -4     
- Misses      48659    48664       +5     
  Partials     7771     7771
Flag Coverage Δ
backend 64.44% <0.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

getvictor
getvictor previously approved these changes Jan 17, 2025
View reviewed changes
Copy link
Member

@getvictor getvictor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

package.json Outdated
@@ -3,7 +3,7 @@
"version": "0.99.99",
"description": "The premier osquery fleet manager.",
"engines": {
"node": "20.11.1",
"node": "20.18.1",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this change needed for this big fix?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not. I'll fix.

cmd/fleet/serve.go
var zeroTime time.Time
rc := http.NewResponseController(rw)
// For large software installers, the server time needs time to read the full
// For large software installers and bootstrap packages, the server time needs time to read the full
// request body so we use the zero value to remove the deadline and override the
// default read timeout.
// TODO: Is this really how we want to handle this? Or would an arbitrarily long
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, a long timeout would be better. Otherwise, a bug in our agent with software/package download could DDOS our server.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This covers a timeout long enough to upload a 2+GB installer over a slowish connection, so basically any timeout long enough to support that use case will be long enough to afford a DoS scenario unfortunately.

@iansltx iansltx force-pushed the 25533-read-timeout-bootstrap-package branch from 52f21bc to a2e3cd5 Compare January 17, 2025 14:19
@iansltx iansltx assigned getvictor and unassigned jahzielv Jan 17, 2025
@iansltx iansltx merged commit 9a5d74c into main Jan 17, 2025
32 checks passed
@iansltx iansltx deleted the 25533-read-timeout-bootstrap-package branch January 17, 2025 16:40
iansltx added a commit that referenced this pull request Jan 17, 2025
@iansltx
Exempt bootstrap package uploads from server-side request timeout (#2…
c897f3b 
…5536)

For #25533

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
@iansltx iansltx mentioned this pull request Jan 17, 2025
Merged
iansltx added a commit that referenced this pull request Jan 17, 2025
@iansltx
Cherry-Pick: Exempt bootstrap package uploads from server-side reques…
b6b7032 
…t timeout (#25552)

For #25533, merged into `main` in #25536
lukeheath pushed a commit that referenced this pull request Jan 17, 2025
@iansltx @lukeheath
Exempt bootstrap package uploads from server-side request timeout (#2…
cbbf9ef 
…5536)

For #25533

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
@lukeheath lukeheath mentioned this pull request Jan 17, 2025
Closed
lukeheath pushed a commit that referenced this pull request Jan 17, 2025
@iansltx @lukeheath
Exempt bootstrap package uploads from server-side request timeout (#2…
f74ab14 
…5536)

For #25533

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
@lukeheath lukeheath mentioned this pull request Jan 17, 2025
Closed
lukeheath pushed a commit that referenced this pull request Jan 17, 2025
@iansltx @lukeheath
Exempt bootstrap package uploads from server-side request timeout (#2…
ad5560d 
…5536)

For #25533

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@getvictor getvictor getvictor approved these changes

Assignees

@getvictor getvictor

Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@iansltx @getvictor @jahzielv