
fix: add MaxHeaderBytes and body size limits to HTTP servers (PILOT-107)#6

Merged
TeoSlayer merged 1 commit into main from openclaw/pilot-107-20260528-070300 on May 28, 2026

Conversation

@matthew-pilot
Collaborator

What

Adds HTTP server hardening to prevent slowloris and large-body DoS vectors in the cosift HTTP server.

Changes

  • internal/server/http.go (ListenAndServe): Added MaxHeaderBytes: 1 << 20
  • cmd/cosift/pebble_serve.go (pebbleHTTP): Added IdleTimeout: 120s and MaxHeaderBytes: 1 << 20
  • All json.NewDecoder(r.Body) calls across both files (10 total): wrapped with http.MaxBytesReader(w, r.Body, 1<<20) to enforce a 1 MB body size limit

Before/After

Attribute           Before                            After
ReadHeaderTimeout   ✅ (10s)                          (unchanged)
ReadTimeout         ✅ (30s)                          (unchanged)
WriteTimeout        ✅ (60s)                          (unchanged)
IdleTimeout         http.go only                      Both servers
MaxHeaderBytes      ❌ missing                        ✅ 1 MB
Body size guard     ❌ none (unbounded JSON decode)   ✅ 1 MB (MaxBytesReader)

Testing

  • go build ./... — clean
  • go test -timeout 60s ./... — all 9 packages pass (including internal/server and cmd/cosift)

Ticket

Closes PILOT-107
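The hardening pattern this PR describes (server-level MaxHeaderBytes and timeouts, plus http.MaxBytesReader around every body handed to json.NewDecoder), written out as an added example; this is not cosift's own code. The constant maxBodyBytes, the createRequest type, and the functions newHardenedServer, decodeJSONBody and createHandler are names assumed for the example. It goes one step beyond the PR by mapping the MaxBytesReader error to a 413 and by rejecting trailing data after the decoded value, which json.Decoder alone does not do.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

// maxBodyBytes is the 1 MB request body cap from the PR (constant name assumed here).
const maxBodyBytes = 1 << 20

// createRequest is a hypothetical request type used only for this example.
type createRequest struct {
	Name string `json:"name"`
}

// newHardenedServer builds an http.Server with the timeouts and header cap
// listed in the PR's Before/After table (function name assumed).
func newHardenedServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 10 * time.Second,  // bounds slowloris on the header phase
		ReadTimeout:       30 * time.Second,  // the whole request must arrive in time
		WriteTimeout:      60 * time.Second,  // a stalled reader cannot pin the handler
		IdleTimeout:       120 * time.Second, // keep-alive connections cannot sit forever
		MaxHeaderBytes:    1 << 20,           // at most 1 MB of headers per request
	}
}

// classify maps a decode error to the status a client should see: the
// MaxBytesReader limit becomes 413, anything else is a 400.
func classify(err error) (int, error) {
	var tooLarge *http.MaxBytesError // returned by MaxBytesReader since Go 1.19
	if errors.As(err, &tooLarge) {
		return http.StatusRequestEntityTooLarge, err
	}
	return http.StatusBadRequest, err
}

// decodeJSONBody is the per-handler pattern from the PR: wrap r.Body with
// MaxBytesReader before handing it to json.NewDecoder, so a request body can
// never allocate more than maxBodyBytes. It also rejects trailing data,
// because Decode consumes exactly one JSON value and would otherwise accept
// a valid prefix followed by anything. It returns the HTTP status to write.
func decodeJSONBody(w http.ResponseWriter, r *http.Request, dst interface{}) (int, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	dec := json.NewDecoder(r.Body)
	if err := dec.Decode(dst); err != nil {
		return classify(err)
	}
	// Anything but a clean EOF after the first value is unexpected input.
	if _, err := dec.Token(); err != io.EOF {
		if err == nil {
			err = errors.New("unexpected data after JSON body")
		}
		return classify(err)
	}
	return http.StatusOK, nil
}

// createHandler is an illustrative handler built on decodeJSONBody.
func createHandler(w http.ResponseWriter, r *http.Request) {
	var req createRequest
	if status, err := decodeJSONBody(w, r, &req); err != nil {
		http.Error(w, err.Error(), status)
		return
	}
	fmt.Fprintf(w, "created %q\n", req.Name)
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/create", createHandler)
	log.Fatal(newHardenedServer(":8080", mux).ListenAndServe())
}
```

Wrapping happens inside the handler rather than once in middleware so that the ResponseWriter passed to MaxBytesReader is the one for that request; the server then closes the connection after a 413 instead of trying to read the rest of the oversized body.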

ListenAndServe and pebble-serve: add MaxHeaderBytes (1 MB).
pebble-serve: add missing IdleTimeout.
All json.NewDecoder(r.Body) calls: wrap with http.MaxBytesReader
(w, r.Body, 1<<20) to prevent unbounded request body allocation.

Fixes: PILOT-107 — Cosift HTTP server has no request body size limit
@codecov

codecov Bot commented May 28, 2026

Codecov Report

❌ Patch coverage is 69.23077% with 4 lines in your changes missing coverage. Please review.

Files with missing lines       Patch %   Lines
cmd/cosift/pebble_serve.go     71.42%    0 Missing and 2 partials ⚠️
internal/server/http.go        66.66%    1 Missing and 1 partial ⚠️


@TeoSlayer TeoSlayer merged commit 9af4052 into main May 28, 2026
3 checks passed
@TeoSlayer TeoSlayer deleted the openclaw/pilot-107-20260528-070300 branch May 28, 2026 16:56
