Usage of vulnerable 'serve' function

  • Rule ID: go_gosec_http_http_serve
  • Languages: go
  • Source: http_serve.yml

Description

The default serve functions in Go's net/http package (such as http.ListenAndServe and http.Serve) run with no timeouts, which leaves the server susceptible to resource consumption attacks. An attacker floods the server with incomplete or persistent connections that are never closed, depleting its resources and blocking new legitimate connections.

Remediations

  • Do not use default serve functions like http.ListenAndServe and http.Serve in production environments. These functions offer no way to set timeouts, so the server stays vulnerable to slow or stalled connections.
    http.ListenAndServe(":8080", nil) // unsafe
  • Do create a custom http.Server object with configured timeouts to safeguard against resource exhaustion. Set ReadHeaderTimeout, ReadTimeout, WriteTimeout, and IdleTimeout to appropriate values.
    myServer := &http.Server{
        Addr:              "localhost:8000",
        ReadHeaderTimeout: 15 * time.Second,
        ReadTimeout:       15 * time.Second,
        WriteTimeout:      10 * time.Second,
        IdleTimeout:       30 * time.Second,
    }
  • Do enforce timeouts on individual requests using http.TimeoutHandler. This wrapper bounds how long a handler may run before the client receives a 503 response, so the server never waits indefinitely for a request to finish, preventing potential denial of service.
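The following is an added example, not part of the rule page or the Bearer project: it builds the explicit http.Server the remediation asks for (timeouts plus http.TimeoutHandler) and then checks, against a server on an ephemeral localhost port, that a client which sends half a header block and stalls is actually dropped. The function names, the timeout values and the partial request are constructed for this example.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// NewHardenedServer builds the explicit http.Server the rule asks for: every
// timeout set and the handler wrapped in http.TimeoutHandler (values are constructed).
func NewHardenedServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           http.TimeoutHandler(h, 5*time.Second, "request timed out"),
		ReadHeaderTimeout: 2 * time.Second,  // stalled header senders are cut off
		ReadTimeout:       5 * time.Second,  // whole request, body included
		WriteTimeout:      5 * time.Second,  // whole response
		IdleTimeout:       30 * time.Second, // idle keep-alive connections
	}
}
// SlowClientIsDisconnected serves srv on an ephemeral localhost port, opens a raw TCP
// connection that sends a partial header block and stalls, and reports whether the
// server dropped that connection within wait.
func SlowClientIsDisconnected(srv *http.Server, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go srv.Serve(ln) // our own *http.Server, not the package-level http.Serve
	defer srv.Close()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	// Headers without the terminating blank line, then silence (constructed input).
	io.WriteString(conn, "GET / HTTP/1.1\r\nHost: example\r\n")
	conn.SetReadDeadline(time.Now().Add(wait))
	_, err = io.ReadAll(conn) // nil only once the server closes the connection
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return false, nil // still open after wait: the server is holding a stalled client
	}
	return true, nil // EOF or reset: the server-side timeout fired
}
func main() {
	srv := NewHardenedServer("localhost:8000", http.NewServeMux())
	srv.ReadHeaderTimeout = 500 * time.Millisecond // shortened so the demo is quick
	fmt.Println(SlowClientIsDisconnected(srv, 3*time.Second)) // true <nil>
}
```

Running the same check against a bare `&http.Server{}` (zero timeouts, the same behaviour http.ListenAndServe gives you) returns false: the stalled connection is still open when the wait expires.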

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_http_http_serve

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_http_http_serve