(This is a tricky one, so feel free to close if you feel like there is nothing that can be done here.)
```go
package main

import (
	"log"
	"net/http"
	"time"
)

func main() {
	s := &http.Server{
		Addr:              ":8080",
		ReadTimeout:       5 * time.Second,
		ReadHeaderTimeout: 5 * time.Second,
		IdleTimeout:       5 * time.Second,
		WriteTimeout:      5 * time.Second,
	}
	done := make(chan struct{})
	h := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		log.Println("shutdown")
		// Shutdown waits for active handlers, including this one.
		log.Println("handler", s.Shutdown(r.Context()))
		close(done)
	})
	s.Handler = h
	log.Println("serve", s.ListenAndServe())
	<-done
}
```
https://play.golang.org/p/_OGyCHl3G4m
Calling this handler, for example with `curl`, will hang forever, because `http.(*Server).Shutdown` will block until all handlers finish… including the one that currently waits for it to return.
I'm not sure if (1) this error is common or (2) if this can even be reliably detected. The analyser would need to know that this particular server serves this particular handler, including through third-party routers and middlewares, and also uses the default context. Perhaps a less precise version that only checks for calls of `Shutdown` in HTTP handlers is a better fit for @dgryski's semgrep?
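
One way to avoid the deadlock described in this issue, as an added example that is not part of the original post or of any project's code: the handler only signals, and `Shutdown` runs outside it with a fresh, time-bounded context instead of `r.Context()`. The names `serveUntilAsked`, `demo` and `grace`, the 202 response and the loopback listener are assumptions made for the demonstration.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"sync"
	"time"
)

// serveUntilAsked serves on ln until any request arrives, then shuts down.
func serveUntilAsked(ln net.Listener, grace time.Duration) error {
	stop, served := make(chan struct{}), make(chan error, 1)
	var once sync.Once
	srv := &http.Server{ReadHeaderTimeout: 5 * time.Second}
	srv.Handler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		// Only signal. Calling srv.Shutdown here would wait on this very handler.
		once.Do(func() { close(stop) })
		w.WriteHeader(http.StatusAccepted)
	})
	go func() { served <- srv.Serve(ln) }()
	select {
	case err := <-served: // Serve failed before anyone asked to stop
		return err
	case <-stop:
	}
	// Fresh context instead of r.Context(), bounded by a grace period.
	ctx, cancel := context.WithTimeout(context.Background(), grace)
	defer cancel()
	return srv.Shutdown(ctx)
}

// demo starts the server on a loopback port and sends it one request.
func demo() (int, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	result := make(chan error, 1)
	go func() { result <- serveUntilAsked(ln, 2*time.Second) }()
	resp, err := http.Get("http://" + ln.Addr().String() + "/")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, <-result
}

func main() { fmt.Println(demo()) }
```

If a handler is still running when the grace period ends, `Shutdown` returns the context's error rather than blocking indefinitely.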