mirror of
https://github.com/mastodon/mastodon.git
synced 2024-08-20 21:08:15 -07:00
Merge pull request from GHSA-q3rg-xx5v-4mxh
This commit is contained in:
parent
3ea4275ae3
commit
16249946ae
2 changed files with 38 additions and 3 deletions
|
@ -30,13 +30,17 @@ class Rack::Attack
|
|||
end
|
||||
|
||||
def authenticated_user_id
|
||||
authenticated_token&.resource_owner_id
|
||||
authenticated_token&.resource_owner_id || warden_user_id
|
||||
end
|
||||
|
||||
def authenticated_token_id
|
||||
authenticated_token&.id
|
||||
end
|
||||
|
||||
def warden_user_id
|
||||
@env['warden']&.user&.id
|
||||
end
|
||||
|
||||
def unauthenticated?
|
||||
!authenticated_user_id
|
||||
end
|
||||
|
@ -141,6 +145,10 @@ class Rack::Attack
|
|||
req.session[:attempt_user_id] || req.params.dig('user', 'email').presence if req.post? && req.path_matches?('/auth/sign_in')
|
||||
end
|
||||
|
||||
throttle('throttle_password_change/account', limit: 10, period: 10.minutes) do |req|
|
||||
req.authenticated_user_id if req.put? || (req.patch? && req.path_matches?('/auth'))
|
||||
end
|
||||
|
||||
self.throttled_responder = lambda do |request|
|
||||
now = Time.now.utc
|
||||
match_data = request.env['rack.attack.match_data']
|
||||
|
|
|
@ -56,7 +56,7 @@ describe Rack::Attack, type: :request do
|
|||
end
|
||||
|
||||
def throttle_count
|
||||
described_class.cache.read("#{counter_prefix}:#{throttle}:#{remote_ip}") || 0
|
||||
described_class.cache.read("#{counter_prefix}:#{throttle}:#{discriminator}") || 0
|
||||
end
|
||||
|
||||
def counter_prefix
|
||||
|
@ -64,11 +64,12 @@ describe Rack::Attack, type: :request do
|
|||
end
|
||||
|
||||
def increment_counter
|
||||
described_class.cache.count("#{throttle}:#{remote_ip}", period)
|
||||
described_class.cache.count("#{throttle}:#{discriminator}", period)
|
||||
end
|
||||
end
|
||||
|
||||
let(:remote_ip) { '1.2.3.5' }
|
||||
let(:discriminator) { remote_ip }
|
||||
|
||||
describe 'throttle excessive sign-up requests by IP address' do
|
||||
context 'when accessed through the website' do
|
||||
|
@ -149,4 +150,30 @@ describe Rack::Attack, type: :request do
|
|||
|
||||
it_behaves_like 'throttled endpoint'
|
||||
end
|
||||
|
||||
describe 'throttle excessive password change requests by account' do
|
||||
let(:user) { Fabricate(:user, email: 'user@host.example') }
|
||||
let(:throttle) { 'throttle_password_change/account' }
|
||||
let(:limit) { 10 }
|
||||
let(:period) { 10.minutes }
|
||||
let(:request) { -> { put path, headers: { 'REMOTE_ADDR' => remote_ip } } }
|
||||
let(:path) { '/auth' }
|
||||
let(:discriminator) { user.id }
|
||||
|
||||
before do
|
||||
sign_in user, scope: :user
|
||||
|
||||
# Unfortunately, devise's `sign_in` helper causes the `session` to be
|
||||
# loaded in the next request regardless of whether it's actually accessed
|
||||
# by the client code.
|
||||
#
|
||||
# So, we make an extra query to clear issue a session cookie instead.
|
||||
#
|
||||
# A less resource-intensive way to deal with that would be to generate the
|
||||
# session cookie manually, but this seems pretty involved.
|
||||
get '/'
|
||||
end
|
||||
|
||||
it_behaves_like 'throttled endpoint'
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue