msteams: harden webhook ingress timeouts

2026-03-12 07:20:45 +00:00 · 2026-02-24 18:37:09 -07:00
parent ab0b2c21f3
commit 6945ba189d
2 changed files with 112 additions and 0 deletions
--- a/extensions/msteams/src/monitor.test.ts
+++ b/extensions/msteams/src/monitor.test.ts
@@ -0,0 +1,85 @@
+import { once } from "node:events";
+import type { Server } from "node:http";
+import { createConnection, type AddressInfo } from "node:net";
+import express from "express";
+import { describe, expect, it } from "vitest";
+import { applyMSTeamsWebhookTimeouts } from "./monitor.js";
+
+async function closeServer(server: Server): Promise<void> {
+  await new Promise<void>((resolve) => {
+    server.close(() => resolve());
+  });
+}
+
+async function waitForSlowBodySocketClose(port: number, timeoutMs: number): Promise<number> {
+  return new Promise<number>((resolve, reject) => {
+    const startedAt = Date.now();
+    const socket = createConnection({ host: "127.0.0.1", port }, () => {
+      socket.write("POST /api/messages HTTP/1.1\r\n");
+      socket.write("Host: localhost\r\n");
+      socket.write("Content-Type: application/json\r\n");
+      socket.write("Content-Length: 1048576\r\n");
+      socket.write("\r\n");
+      socket.write('{"type":"message"');
+    });
+    socket.on("error", () => {
+      // ECONNRESET is expected once the server drops the socket.
+    });
+    const failTimer = setTimeout(() => {
+      socket.destroy();
+      reject(new Error(`socket stayed open for ${timeoutMs}ms`));
+    }, timeoutMs);
+    socket.on("close", () => {
+      clearTimeout(failTimer);
+      resolve(Date.now() - startedAt);
+    });
+  });
+}
+
+describe("msteams monitor webhook hardening", () => {
+  it("applies explicit webhook timeout values", async () => {
+    const app = express();
+    const server = app.listen(0, "127.0.0.1");
+    await once(server, "listening");
+    try {
+      applyMSTeamsWebhookTimeouts(server, {
+        inactivityTimeoutMs: 3210,
+        requestTimeoutMs: 6543,
+        headersTimeoutMs: 9876,
+      });
+
+      expect(server.timeout).toBe(3210);
+      expect(server.requestTimeout).toBe(6543);
+      expect(server.headersTimeout).toBe(6543);
+    } finally {
+      await closeServer(server);
+    }
+  });
+
+  it("drops slow-body webhook requests within configured inactivity timeout", async () => {
+    const app = express();
+    app.use(express.json({ limit: "1mb" }));
+    app.use((_req, res, _next) => {
+      res.status(401).end("unauthorized");
+    });
+    app.post("/api/messages", (_req, res) => {
+      res.end("ok");
+    });
+
+    const server = app.listen(0, "127.0.0.1");
+    await once(server, "listening");
+    try {
+      applyMSTeamsWebhookTimeouts(server, {
+        inactivityTimeoutMs: 400,
+        requestTimeoutMs: 1500,
+        headersTimeoutMs: 1500,
+      });
+
+      const port = (server.address() as AddressInfo).port;
+      const closedMs = await waitForSlowBodySocketClose(port, 3000);
+      expect(closedMs).toBeLessThan(2500);
+    } finally {
+      await closeServer(server);
+    }
+  });
+});
--- a/extensions/msteams/src/monitor.ts
+++ b/extensions/msteams/src/monitor.ts
@@ -1,3 +1,4 @@
+import type { Server } from "node:http";
 import type { Request, Response } from "express";
 import {
  DEFAULT_WEBHOOK_MAX_BODY_BYTES,
@@ -34,6 +35,31 @@ export type MonitorMSTeamsResult = {
 };

 const MSTEAMS_WEBHOOK_MAX_BODY_BYTES = DEFAULT_WEBHOOK_MAX_BODY_BYTES;
+const MSTEAMS_WEBHOOK_INACTIVITY_TIMEOUT_MS = 30_000;
+const MSTEAMS_WEBHOOK_REQUEST_TIMEOUT_MS = 30_000;
+const MSTEAMS_WEBHOOK_HEADERS_TIMEOUT_MS = 15_000;
+
+export type ApplyMSTeamsWebhookTimeoutsOpts = {
+  inactivityTimeoutMs?: number;
+  requestTimeoutMs?: number;
+  headersTimeoutMs?: number;
+};
+
+export function applyMSTeamsWebhookTimeouts(
+  httpServer: Server,
+  opts?: ApplyMSTeamsWebhookTimeoutsOpts,
+): void {
+  const inactivityTimeoutMs = opts?.inactivityTimeoutMs ?? MSTEAMS_WEBHOOK_INACTIVITY_TIMEOUT_MS;
+  const requestTimeoutMs = opts?.requestTimeoutMs ?? MSTEAMS_WEBHOOK_REQUEST_TIMEOUT_MS;
+  const headersTimeoutMs = Math.min(
+    opts?.headersTimeoutMs ?? MSTEAMS_WEBHOOK_HEADERS_TIMEOUT_MS,
+    requestTimeoutMs,
+  );
+
+  httpServer.setTimeout(inactivityTimeoutMs);
+  httpServer.requestTimeout = requestTimeoutMs;
+  httpServer.headersTimeout = headersTimeoutMs;
+}

 export async function monitorMSTeamsProvider(
  opts: MonitorMSTeamsOpts,
@@ -289,6 +315,7 @@ export async function monitorMSTeamsProvider(
    httpServer.once("listening", onListening);
    httpServer.once("error", onError);
  });
+  applyMSTeamsWebhookTimeouts(httpServer);

  httpServer.on("error", (err) => {
    log.error("msteams server error", { error: String(err) });