Engine.Handler() should initialize HTTP2 server Read/WriteTimeout to adequate Values

[xaviercrochet]

Description

Engine.Handler() initialises http2.Server without setting ReadTimeout and WriteTimeout to adequate values, which leaves them to their default off values.

This expose the http server to slowloris DDoS attacks when dealing with untrusted clients.

You would be leaking connections and run out of descriptors..

How to reproduce

You start a new engine with any of the Run methods.

(...)
gin.SetMode(gin.ReleaseMode)
router = gin.New()
router.RunTLS("some ost url", "some ssl certificate",  "some ssl key")
(...)

Expectations

The method Engine.Handler() should initialise the http server with proper timeout values so it doesn't expose it to the issue explained above.

i.e.

server := &http2.Server{
  (...),
  ReadTimeout:  5 * time.Second,
  WriteTimeout: 10 * time.Second,
  (...),
}

Actual result

func (engine *Engine) Handler() http.Handler {
    if !engine.UseH2C {
        return engine
    }

    h2s := &http2.Server{}
    return h2c.NewHandler(engine, h2s)
}

Environment

• go version: go1.19.1
• gin version (or commit ref): github.com/gin-gonic/gin v1.8.1
• operating system: Linux bach 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64 GNU/Linux

[Cookiery]

I think you can create a timeout middleware. Reference: https://gist.github.com/montanaflynn/ef9e7b9cd21b355cfe8332b4f20163c1

[araujo88]

http2.Server doesn't have a ReadTimeout or WriteTimeout fields, but it does have a IdleTimeout field. Should this field be set to a default value when calling Engine.Handler()?

func (engine *Engine) Handler() http.Handler {
    if !engine.UseH2C {
        return engine
    }

    h2s := &http2.Server{
        IdleTimeout: 10 * time.Second, // sets IdleTimeout default value to 10 seconds
    }
    return h2c.NewHandler(engine, h2s)
}

[FirePing32]

@appleboy shouldn't we provide a way to call the handler with user-defined params for such cases?