mirror of
https://github.com/samsonjs/rack-attack.git
synced 2026-03-25 09:25:49 +00:00
This commit mitigates rate limit bypasses in the configuration docs by normalizing the email throttle key. (The normalization process used is the same as used by the Clearance gem.)

---

Often an authentication process normalizes email addresses and usernames before lookup, say by downcasing and removing any whitespace. Throttles that do not perform the same normalization are vulnerable to rate limit bypasses.

For example, an attacker can bypass a vulnerable throttle by using unlimited case and whitespace variants for the same email address:

- Variant 1: `victim@example.org`
- Variant 2: `victim@example. org` (one whitespace)
- Variant 3: `victim@example.  org` (two whitespaces)
- Variant 4: `ViCtIm@eXaMpLe.org`
- etc, etc.

All of these variants resolve to the same email address, but allow an attacker to bypass a vulnerable throttle.

To mitigate, the email throttle key should be normalized using the same logic the authentication process uses for normalizing emails.
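As an added illustration of the commit message above (example code, not code from the rack-attack repository or its docs), the following contrasts a throttle keyed on the raw `email` parameter with one keyed on the normalized value, using a small in-memory counter in place of Rack::Attack's cache; the `normalize_email` regexp and the `raw_key` / `normalized_key` helper names are assumptions.

```ruby
# Normalization as the commit describes it: downcase and strip all whitespace.
# The exact regexp is an assumption modelled on Clearance's normalize_email.
def normalize_email(email)
  email.to_s.downcase.gsub(/\s+/, "")
end

# Vulnerable throttle key: the raw parameter value is the discriminator, so every
# case or whitespace variant of one address gets its own counter.
def raw_key(params)
  v = params["email"].to_s
  v.empty? ? nil : v
end

# Mitigated throttle key: the same normalization the login lookup applies.
def normalized_key(params)
  v = normalize_email(params["email"])
  v.empty? ? nil : v
end

# Minimal stand-in for a throttle within one period: counts hits per key and
# returns, per request, whether it would be blocked once `limit` is exceeded.
# A nil discriminator is skipped, mirroring how Rack::Attack ignores nil keys.
def simulate(requests, limit:, key_fn:)
  counts = Hash.new(0)
  requests.map do |params|
    key = key_fn.call(params)
    next false if key.nil?
    counts[key] += 1
    counts[key] > limit
  end
end

# Constructed sample traffic: eight login attempts against one account, spread
# across case and whitespace variants of the same address.
VARIANTS = ["victim@example.org", "victim@example. org", "victim@example.  org",
            "ViCtIm@eXaMpLe.org", "VICTIM@example.org", " victim@example.org",
            "victim@EXAMPLE.org", "Victim@example.org"].freeze
SAMPLE_REQUESTS = VARIANTS.map { |e| { "email" => e } }.freeze
LIMIT = 6

# In a Rack::Attack initializer the normalized key becomes the block's return
# value (shape assumed from the commit, not copied from the project's docs):
#   Rack::Attack.throttle("logins/email", limit: 6, period: 60) do |req|
#     normalized_key(req.params) if req.path == "/login" && req.post?
#   end
if $PROGRAM_NAME == __FILE__
  raw  = simulate(SAMPLE_REQUESTS, limit: LIMIT, key_fn: method(:raw_key)).count(true)
  norm = simulate(SAMPLE_REQUESTS, limit: LIMIT, key_fn: method(:normalized_key)).count(true)
  puts "raw key blocked #{raw}/8 attempts; normalized key blocked #{norm}/8"
end
```

With the raw key none of the eight attempts is blocked, since no single variant exceeds the limit of six; with the normalized key all eight share one counter and the last two are blocked.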