Merge commit from fork

Add test
# Conflicts:
#	dgraph/cmd/alpha/run.go

Author: matthewmcneely

dgraph/cmd/alpha/http_test.go

@@ -838,6 +838,26 @@ func TestHealth(t *testing.T) {
 	require.True(t, info[0].Uptime > int64(time.Duration(1)))
 }
 
+// TestPprofCmdlineNotExposed ensures that /debug/pprof/cmdline is not reachable
+// without authentication. The endpoint exposes the full process command line,
+// which may include the admin token passed via --security "token=...".
+// The other pprof sub-endpoints should remain accessible.
+func TestPprofCmdlineNotExposed(t *testing.T) {
+	// cmdline must be blocked — it leaks the admin token from process args.
+	resp, err := http.Get(fmt.Sprintf("%s/debug/pprof/cmdline", addr))
+	require.NoError(t, err)
+	defer resp.Body.Close()
+	require.Equal(t, http.StatusNotFound, resp.StatusCode,
+		"/debug/pprof/cmdline should return 404; got %d", resp.StatusCode)
+
+	// Sanity-check that other pprof endpoints are still reachable.
+	resp2, err := http.Get(fmt.Sprintf("%s/debug/pprof/heap", addr))
+	require.NoError(t, err)
+	defer resp2.Body.Close()
+	require.Equal(t, http.StatusOK, resp2.StatusCode,
+		"/debug/pprof/heap should return 200; got %d", resp2.StatusCode)
+}
+
 func setDrainingMode(t *testing.T, enable bool, accessJwt string) {
 	drainingRequest := `mutation drain($enable: Boolean) {
 		draining(enable: $enable) {

dgraph/cmd/alpha/run.go

@@ -586,7 +586,20 @@ func setupServer(closer *z.Closer) {
 	// Initialize the servers.
 	x.ServerCloser.AddRunning(3)
 	go serveGRPC(grpcListener, tlsCfg, x.ServerCloser)
-	go x.StartListenHttpAndHttps(httpListener, tlsCfg, x.ServerCloser)
+
+	// Block /debug/pprof/cmdline — importing net/http/pprof registers it on
+	// http.DefaultServeMux, but it exposes the full process command line which
+	// may include the admin token from --security "token=...".
+	serverHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/debug/pprof/cmdline" {
+			http.NotFound(w, r)
+			return
+		}
+		http.DefaultServeMux.ServeHTTP(w, r)
+	})
+	go x.StartListenHttpAndHttps(httpListener, tlsCfg, x.ServerCloser, serverHandler)
+
+	go x.StartListenHttpAndHttps(httpListener, tlsCfg, x.ServerCloser, serverHandler)
 
 	go func() {
 		defer x.ServerCloser.Done()

dgraph/cmd/zero/run.go

@@ -310,7 +310,7 @@ func run() {
 
 	tlsCfg, err := x.LoadServerTLSConfig(Zero.Conf)
 	x.Check(err)
-	go x.StartListenHttpAndHttps(httpListener, tlsCfg, st.zero.closer)
+	go x.StartListenHttpAndHttps(httpListener, tlsCfg, st.zero.closer, nil)
 
 	baseMux := http.NewServeMux()
 	http.Handle("/", audit.AuditRequestHttp(baseMux))

x/server.go

@@ -22,17 +22,17 @@ var (
 	ServerCloser = z.NewCloser(0)
 )
 
-func StartListenHttpAndHttps(l net.Listener, tlsCfg *tls.Config, closer *z.Closer) {
+func StartListenHttpAndHttps(l net.Listener, tlsCfg *tls.Config, closer *z.Closer, h http.Handler) {
 	defer closer.Done()
 	m := cmux.New(l)
-	startServers(m, tlsCfg)
+	startServers(m, tlsCfg, h)
 	err := m.Serve()
 	if err != nil {
 		glog.Errorf("error from cmux serve: %v", err)
 	}
 }
 
-func startServers(m cmux.CMux, tlsConf *tls.Config) {
+func startServers(m cmux.CMux, tlsConf *tls.Config, h http.Handler) {
 	httpRule := m.Match(func(r io.Reader) bool {
 		// no tls config is provided. http is being used.
 		if tlsConf == nil {
@@ -48,19 +48,20 @@ func startServers(m cmux.CMux, tlsConf *tls.Config) {
 		// monitoring tools which operate without authentication.
 		return strings.HasPrefix(path, "/health")
 	})
-	go startListen(httpRule)
+	go startListen(httpRule, h)
 
 	// if tls is enabled, make tls encryption based connections as default
 	if tlsConf != nil {
 		httpsRule := m.Match(cmux.Any())
 		// this is chained listener. tls listener will decrypt
 		// the message and send it in plain text to HTTP server
-		go startListen(tls.NewListener(httpsRule, tlsConf))
+		go startListen(tls.NewListener(httpsRule, tlsConf), h)
 	}
 }
 
-func startListen(l net.Listener) {
+func startListen(l net.Listener, h http.Handler) {
 	srv := &http.Server{
+		Handler:           h, // nil falls back to http.DefaultServeMux
 		ReadTimeout:       10 * time.Second,
 		WriteTimeout:      600 * time.Second,
 		IdleTimeout:       2 * time.Minute,