sjs/rack-attack
1
0
Fork 0
mirror of https://github.com/samsonjs/rack-attack.git synced 2026-04-27 15:07:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #493 from eliotsykes/mitigate-throttle-bypass-in-docs

Browse source 
Mitigate login throttle bypasses in docs
This commit is contained in:
Gonzalo Rodriguez 2020-08-01 17:04:47 -03:00 committed by GitHub
commit 6d1bc9b617
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -258,10 +258,12 @@ Rack::Attack.throttle("requests by ip", limit: 5, period: 2) do |request|
end end
# Throttle login attempts for a given email parameter to 6 reqs/minute # Throttle login attempts for a given email parameter to 6 reqs/minute
# Return the email as a discriminator on POST /login requests # Return the *normalized* email as a discriminator on POST /login requests
Rack::Attack.throttle('limit logins per email', limit: 6, period: 60) do |req| Rack::Attack.throttle('limit logins per email', limit: 6, period: 60) do |req|
if req.path == '/login' && req.post? if req.path == '/login' && req.post?
req.params['email'] # Normalize the email, using the same logic as your authentication process, to
# protect against rate limit bypasses.
req.params['email'].to_s.downcase.gsub(/\s+/, "")
end end
end end

7
docs/example_configuration.md
View file

@ -53,7 +53,7 @@ class Rack::Attack
# Throttle POST requests to /login by email param # Throttle POST requests to /login by email param
# #
# Key: "rack::attack:#{Time.now.to_i/:period}:logins/email:#{req.email}" # Key: "rack::attack:#{Time.now.to_i/:period}:logins/email:#{normalized_email}"
# #
# Note: This creates a problem where a malicious user could intentionally # Note: This creates a problem where a malicious user could intentionally
# throttle logins for another user and force their login requests to be # throttle logins for another user and force their login requests to be
@ -61,8 +61,9 @@ class Rack::Attack
# on wood!) # on wood!)
throttle("logins/email", limit: 5, period: 20.seconds) do |req| throttle("logins/email", limit: 5, period: 20.seconds) do |req|
if req.path == '/login' && req.post? if req.path == '/login' && req.post?
# return the email if present, nil otherwise # Normalize the email, using the same logic as your authentication process, to
req.params['email'].presence # protect against rate limit bypasses. Return the normalized email if present, nil otherwise.
req.params['email'].to_s.downcase.gsub(/\s+/, "").presence
end end
end end

4
examples/rack_attack.rb
View file

@ -13,8 +13,10 @@ Rack::Attack.throttle "logins/ip", limit: 2, period: 1 do |req|
end end
# Throttle login attempts per email, 10/minute/email # Throttle login attempts per email, 10/minute/email
# Normalize the email, using the same logic as your authentication process, to
# protect against rate limit bypasses.
Rack::Attack.throttle "logins/email", limit: 2, period: 60 do |req| Rack::Attack.throttle "logins/email", limit: 2, period: 60 do |req|
req.post? && req.path == "/login" && req.params['email'] req.post? && req.path == "/login" && req.params['email'].to_s.downcase.gsub(/\s+/, "")
end end
# blocklist bad IPs from accessing admin pages # blocklist bad IPs from accessing admin pages