From 3f459a97ce86900ffa25b63bbca3a0ed2bc02964 Mon Sep 17 00:00:00 2001
From: Maysun J Faisal
Date: Thu, 26 Oct 2023 16:00:42 -0400
Subject: [PATCH] Disable http/2 on the webhook server by default
Signed-off-by: Maysun J Faisal
---
 Dockerfile | 4 ++++
 Makefile | 3 ++-
 docs/build-test-and-deploy.md | 6 ++++++
 main.go | 16 ++++++++++++++++
 4 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index fa07d5c10..213ea246c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -37,6 +37,10 @@ RUN chmod +x /usr/local/bin/entrypoint.sh
 ARG ENABLE_WEBHOOKS=true
 ENV ENABLE_WEBHOOKS=${ENABLE_WEBHOOKS}
+# disable http/2 on the webhook server by default
+ARG ENABLE_WEBHOOK_HTTP2=false
+ENV ENABLE_WEBHOOK_HTTP2=${ENABLE_WEBHOOK_HTTP2}
+
 # Set the Git config for the AppData bot
 WORKDIR /
 COPY --from=builder /workspace/manager .
diff --git a/Makefile b/Makefile
index 8915d32e5..fee41d23d 100644
--- a/Makefile
+++ b/Makefile
@@ -45,6 +45,7 @@ DEVFILE_REGISTRY_URL ?= https://registry.devfile.io
 # ENVIRONMENT is used for feature flagging. For testing, values should be development, staging, and production
 ENVIRONMENT ?= ""
 ENABLE_WEBHOOKS ?= true
+ENABLE_WEBHOOK_HTTP2 ?=false
 APPLICATION_API_CRD = https://raw.githubusercontent.com/redhat-appstudio/application-api/main/manifests/application-api-customresourcedefinitions.yaml
@@ -169,7 +170,7 @@ run: manifests generate fmt vet ## Run a controller from your host.
 	go run ./main.go
 docker-build: test ## Build docker image with the manager.
-	docker build --build-arg ENABLE_WEBHOOKS=${ENABLE_WEBHOOKS} -t ${IMG} .
+	docker build --build-arg ENABLE_WEBHOOKS=${ENABLE_WEBHOOKS} --build-arg ENABLE_WEBHOOK_HTTP2=${ENABLE_WEBHOOK_HTTP2} -t ${IMG} .
 docker-push: ## Push docker image with the manager.
 	docker push ${IMG}
diff --git a/docs/build-test-and-deploy.md b/docs/build-test-and-deploy.md
index fb919f4cb..31ca43c26 100644
--- a/docs/build-test-and-deploy.md
+++ b/docs/build-test-and-deploy.md
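Review bot: The new assignment `ENABLE_WEBHOOK_HTTP2 ?=false` drops the space after `?=` that every neighbouring assignment in this hunk keeps (`ENABLE_WEBHOOKS ?= true`, `ENVIRONMENT ?= ""`); make accepts both forms, but the inconsistency reads like a typo. Suggest `ENABLE_WEBHOOK_HTTP2 ?= false`. The same default is also baked into the image by the Dockerfile hunk (`ARG ENABLE_WEBHOOK_HTTP2=false`), so a short comment next to this line noting that the two defaults must be kept in sync would help whoever later flips one of them, e.g. `# must match the ARG default in Dockerfile`.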
@@ -101,6 +101,12 @@ For example: `DEVFILE_REGISTRY_URL=https://myregistry make deploy` would deploy application-service configured to use https://myregistry.
+#### Enabling HTTP/2 on the Webhook Server
+
+By default, http/2 on the webhook server is disabled due to CVE-2023-44487.
+
+If you want to enable http/2 for the webhook server, build with `ENABLE_WEBHOOK_HTTP2=true make docker-build`
+
 ### Deploying Locally
 #### Disabling Webhooks for Local Development
diff --git a/main.go b/main.go
index 1d473e8f6..3a2875c72 100644
--- a/main.go
+++ b/main.go
@@ -17,6 +17,7 @@ limitations under the License.
 package main
 import (
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"log"
@@ -159,6 +160,12 @@ func main() {
 		}
 	}
+	// Retrieve the option to enable HTTP2 on the Webhook server
+	enableWebhookHTTP2 := os.Getenv("ENABLE_WEBHOOK_HTTP2")
+	if enableWebhookHTTP2 == "" {
+		enableWebhookHTTP2 = "false"
+	}
+
 	// Parse any passed in tokens and set up a client for handling the github tokens
 	err = github.ParseGitHubTokens()
 	if err != nil {
@@ -225,6 +232,15 @@ func main() {
 	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
 		setupLog.Info("setting up webhooks")
 		setUpWebhooks(mgr)
+		server := mgr.GetWebhookServer()
+		if enableWebhookHTTP2 == "false" {
+			setupLog.Info("disabling http/2 on the webhook server")
+			server.TLSOpts = append(server.TLSOpts,
+				func(c *tls.Config) {
+					c.NextProtos = []string{"http/1.1"}
+				},
+			)
+		}
 	}
 	if err = (&controllers.SnapshotEnvironmentBindingReconciler{
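Review bot: The string default set here (`enableWebhookHTTP2 = "false"` when the variable is unset), together with the exact-match test `if enableWebhookHTTP2 == "false"` in the next hunk, means any other value of `ENABLE_WEBHOOK_HTTP2` — `False`, `0`, `no`, or a typo — leaves HTTP/2 enabled, so the secure default this commit introduces fails open on misconfiguration. Inverting the check so that only an explicit opt-in enables HTTP/2 is a two-line change: `enableWebhookHTTP2 := os.Getenv("ENABLE_WEBHOOK_HTTP2") == "true"` here, and `if !enableWebhookHTTP2 {` in the next hunk; that also removes the empty-string special case (`strconv.ParseBool` with the error logged would be the stricter variant). The comment on the first added line could then read `// HTTP/2 on the webhook server is opt-in (disabled by default) — only ENABLE_WEBHOOK_HTTP2=true turns it on`. Both hunks sit inside `func main()`, which begins and ends outside the hunk.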
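Review bot: When HTTP/2 is left enabled nothing is logged, so an operator checking that the mitigation documented in this commit is active has only the absence of the `disabling http/2 on the webhook server` line to go on; an `else` branch with `setupLog.Info("http/2 enabled on the webhook server")` makes both states explicit in the startup log. `server` is only referenced inside the `if`, so `server := mgr.GetWebhookServer()` can move into that block to keep its scope minimal. The write to `server.TLSOpts` presumes `mgr.GetWebhookServer()` returns the concrete webhook server struct; in controller-runtime releases where it returns an interface, this configuration would have to move to the webhook options passed when the manager is constructed, so the dependency version this relies on is worth pinning in a comment. The enclosing `func main()` begins and ends outside the hunk.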