sjs/rack-attack
1
0
Fork 0
mirror of https://github.com/samsonjs/rack-attack.git synced 2026-03-25 09:25:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
rack-attack/examples/rack_attack.rb
Eliot Sykes 1cd4a1cd79
Mitigate login throttle bypasses in docs 
This commit mitigates rate limit bypasses in the configuration
docs by normalizing the email throttle key. (The normalization process
used is the same as used by the Clearance gem.)

---

Often an authentication process normalizes email addresses and usernames
before look up, say by downcasing and removing any whitespace.

Throttles that do not perform the same normalization are vulnerable
to rate limit bypasses.

For example, an attacker can bypass a vulnerable throttle by using
unlimited case and whitespace variants for the same email address:

- Variant 1: `victim@example.org`
- Variant 2: `victim@example. org` (one whitespace)
- Variant 3: `victim@example.  org` (two whitespaces)
- Variant 4: `ViCtIm@eXaMpLe.org`
- etc, etc.

All of these variants resolve to the same email address, but allow
an attacker to bypass a vulnerable throttle. To mitigate, the email
throttle key should be normalized using the same logic the
authentication process uses for normalizing emails.

(cherry picked from commit 03926e0b75)
2021-01-23 13:55:47 -03:00

30 lines
1.1 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
# NB: `req` is a Rack::Request object (basically an env hash with friendly accessor methods)
# Throttle 10 requests/ip/second
# NB: return value of block is key name for counter
# falsy values bypass throttling
Rack::Attack.throttle("req/ip", limit: 10, period: 1) { |req| req.ip }
# Throttle attempts to a particular path. 2 POSTs to /login per second per IP
Rack::Attack.throttle "logins/ip", limit: 2, period: 1 do |req|
req.post? && req.path == "/login" && req.ip
end
# Throttle login attempts per email, 10/minute/email
# Normalize the email, using the same logic as your authentication process, to
# protect against rate limit bypasses.
Rack::Attack.throttle "logins/email", limit: 2, period: 60 do |req|
req.post? && req.path == "/login" && req.params['email'].to_s.downcase.gsub(/\s+/, "")
end
# blocklist bad IPs from accessing admin pages
Rack::Attack.blocklist "bad_ips from logging in" do |req|
req.path =~ /^\/admin/ && bad_ips.include?(req.ip)
end
# safelist a User-Agent
Rack::Attack.safelist 'internal user agent' do |req|
req.user_agent == 'InternalUserAgent'
end
Reference in a new issue View git blame Copy permalink