fix(security): harden msteams webhook ingress timeouts #25960

Merged
steipete merged 1 commit into openclaw:main from bmendonca3:bm/security-msteams-webhook-timeout-20260225
Mar 2, 2026

bmendonca3 commented Feb 25, 2026

Summary

Harden the MS Teams webhook HTTP ingress against slow-body socket-hold DoS by applying explicit server timeouts when the provider starts.

Change Type

  • Security hardening
  • Regression tests

Scope

  • extensions/msteams/src/monitor.ts
  • extensions/msteams/src/monitor.test.ts

Security Impact

Before this change, the webhook server inherited Node defaults (timeout=0, long request/header windows), allowing unauthenticated clients to hold webhook sockets with partial request bodies before auth middleware runs. This can exhaust available connections and degrade/deny legitimate Teams traffic.

This change applies explicit ingress limits:

  • inactivity/socket timeout
  • total request timeout
  • header timeout (capped to request timeout)

Repro + Verification

Deterministic local repro (pre-fix)

  1. Start an Express webhook with express.json() before auth middleware (matching monitor middleware order).
  2. Open a TCP connection and send POST /api/messages with large Content-Length plus partial JSON body.
  3. Observe the connection remains open for at least 5 seconds with default server timeout behavior.

Observed pre-fix defaults/evidence:

  • requestTimeout: 300000
  • headersTimeout: 60000
  • keepAliveTimeout: 5000
  • socket remained open after 5 seconds while body was incomplete

Regression tests

  • pnpm vitest run extensions/msteams/src/monitor.test.ts --maxWorkers=1
  • pnpm vitest run extensions/msteams/src/inbound.test.ts extensions/msteams/src/monitor.test.ts --maxWorkers=1

Evidence

Dedupe searches and related items reviewed:

Human Verification

  • Started a local webhook server and reproduced partial-body socket hold behavior before applying timeout hardening.
  • Confirmed new timeout helper values are applied on server startup.
  • Confirmed slow-body socket is dropped under configured hardened timeouts in regression test.

Compatibility / Migration

No config schema changes and no migration required.

Failure Recovery

If timeout values need adjustment for specific environments, this change is isolated to MS Teams monitor startup and can be quickly tuned/reverted in one file.

Risks and Mitigations

Risk:

  • Overly strict timeout values could drop legitimate slow requests.

Mitigations:

  • Conservative defaults (seconds, not milliseconds) for production path.
  • Focused regression test validates behavior for slow-body abuse pattern.
  • Change is isolated to webhook ingress only.

Greptile Summary

Added HTTP server timeout hardening to the MS Teams webhook ingress to prevent slowloris-style attacks and slow-body DoS vectors. The implementation introduces three configurable timeout controls: inactivity timeout (30s default), request timeout (30s default), and headers timeout (15s default, clamped to request timeout). The new applyMSTeamsWebhookTimeouts function is applied to the HTTP server on line 306 of monitor.ts, providing defense-in-depth protection against malicious webhook requests that could exhaust server resources.

  • Added new timeout constants and configuration type for MS Teams webhook hardening
  • Implemented applyMSTeamsWebhookTimeouts function with proper timeout clamping logic
  • Added comprehensive test coverage including timeout configuration and slow-body attack simulation
  • Applied timeouts to the webhook HTTP server in the production code path

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The changes are focused, well-tested, and follow established security hardening patterns. The implementation correctly applies Node.js HTTP server timeout controls (setTimeout, requestTimeout, headersTimeout) with sensible defaults (30s for activity, 15s for headers). The test suite validates both configuration behavior and actual timeout enforcement via a slow-body attack simulation. The timeout values are appropriate for webhook ingress and align with common defense-in-depth practices against slowloris and similar DoS attacks.
  • No files require special attention

Last reviewed commit: 9aa11eb
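
An added example, not code from this PR or the openclaw repository: one way to apply the three limits described above to a Node HTTP server, with the header window capped to the request window, plus a loopback check that measures how long a stalled partial-body request is held. The helper names, option names and the `DEFAULTS` object are assumptions; the default values are the ones quoted in the summary.

```javascript
const http = require("node:http");
const net = require("node:net");

// Constructed defaults mirroring the values quoted in the review summary above.
const DEFAULTS = { inactivityMs: 30_000, requestMs: 30_000, headersMs: 15_000 };

// Hypothetical helper (not the PR's code): apply all three ingress limits,
// capping the header window so it never exceeds the total request window.
function applyIngressTimeouts(server, opts = {}) {
  const t = { ...DEFAULTS, ...opts };
  const headersMs = Math.min(t.headersMs, t.requestMs);
  server.setTimeout(t.inactivityMs); // idle socket is destroyed when no 'timeout' listener exists
  server.requestTimeout = t.requestMs; // whole request, covers drip-fed bodies
  server.headersTimeout = headersMs; // header section only
  return { inactivityMs: t.inactivityMs, requestMs: t.requestMs, headersMs };
}

// Local check: send headers plus a partial JSON body to a throwaway loopback
// server, stall, and resolve with how long the socket stayed open (ms).
function measureSlowBodyHold(opts) {
  return new Promise((resolve, reject) => {
    const server = http.createServer((req, res) => {
      // The body is consumed before any auth decision, as in the repro.
      req.on("error", () => {});
      req.on("data", () => {});
      req.on("end", () => res.end("ok"));
    });
    applyIngressTimeouts(server, opts);
    server.on("error", reject);
    server.listen(0, "127.0.0.1", () => {
      const started = Date.now();
      const sock = net.connect(server.address().port, "127.0.0.1", () => {
        sock.write(
          "POST /api/messages HTTP/1.1\r\nHost: localhost\r\n" +
            "Content-Type: application/json\r\nContent-Length: 1048576\r\n\r\n" +
            '{"partial":'
        );
      });
      sock.on("error", () => {});
      sock.on("close", () => server.close(() => resolve(Date.now() - started)));
    });
  });
}
```

Awaiting `measureSlowBodyHold({ inactivityMs: 500 })` resolves once the server drops the stalled socket, so the returned duration tracks the inactivity limit rather than the client's patience.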

@steipete steipete merged commit 6945ba1 into openclaw:main Mar 2, 2026
25 checks passed

steipete commented Mar 2, 2026

Landed via temp rebase onto main.

  • Gate: pnpm vitest run extensions/msteams/src/monitor.test.ts extensions/msteams/src/monitor.lifecycle.test.ts src/gateway/server-channels.test.ts --maxWorkers=1; pnpm check && pnpm build
  • Land commit: 82ccc3f
  • Merge commit: 6945ba1

Thanks @bmendonca3!

Labels: channel: msteams, size: S
