[tor-commits] [donate/master] Rate limit number of subscription requests
peterh at torproject.org
peterh at torproject.org
Wed Jun 10 22:48:37 UTC 2020
commit 60a1b33dfa3065e5a8c9d2f9df428860fb902408
Author: peterh <peterh at giantrabbit.com>
Date: Wed Jan 22 16:03:01 2020 -0800
Rate limit number of subscription requests
An attacker could use the /subscribe form to send tons of emails to
anyone's email address. We want to limit that so it doesn't cause
problem. This limits it to 10 emails per 6 hours. It's actually doing it
by rate, so once you hit the limit of 10, then you can send another one
about 36 minutes after that and keep sending one every 36 minutes.
Issue #44700
---
src/IpRateExceeded.php | 6 +++++
src/IpRateLimiter.php | 57 ++++++++++++++++++++++++++++++++++++++++++
src/SubscriptionController.php | 2 ++
src/dependencies.php | 4 +++
src/middleware.php | 1 +
src/settings.php | 4 +++
6 files changed, 74 insertions(+)
diff --git a/src/IpRateExceeded.php b/src/IpRateExceeded.php
new file mode 100644
index 00000000..8b778993
--- /dev/null
+++ b/src/IpRateExceeded.php
@@ -0,0 +1,6 @@
+<?php
+
+namespace Tor;
+
+class IpRateExceeded extends \Exception {
+}
diff --git a/src/IpRateLimiter.php b/src/IpRateLimiter.php
new file mode 100644
index 00000000..b14af3d3
--- /dev/null
+++ b/src/IpRateLimiter.php
@@ -0,0 +1,57 @@
+<?php
+
+namespace Tor;
+
+class IpRateLimiter {
+ public $redis;
+ public $environment_info;
+
+ public function __construct($container) {
+ $this->environment_info = $container->get('environment_info');
+ $this->logger = $container->get('logger');
+ $this->redis = \Resque::redis();
+ $this->settings = $container->get('settings')['ipRateLimiter'];
+ $this->maxRequestsPerTimeSpan = $this->settings['maxRequestsPerTimeSpan'];
+ $this->timeSpan = $this->settings['timeSpan'];
+ }
+
+ function check($request) {
+ $keyName = $this->keyName($request);
+ list($allowance, $lastCheck) = $this->getIpData($keyName);
+ $now = time();
+ $timePassed = $now - $lastCheck;
+ $allowanceAdjustment = $timePassed * $this->maxRequestsPerTimeSpan / $this->timeSpan;
+ $allowance += $allowanceAdjustment;
+ if ($allowance < 1) {
+ $this->setIpData($keyName, $allowance, $now);
+ $ipAddress = $request->getAttribute('ip_address');
+ throw new IpRateExceeded("There have been more than {$this->maxRequestsPerTimeSpan} requests from $ipAddress in the last {$this->timeSpan} seconds.");
+ }
+ $allowance -= 1;
+ $this->setIpData($keyName, $allowance, $now);
+ }
+
+ function getIpData($keyName) {
+ $data = $this->redis->get($keyName);
+ if (is_null($data)) {
+ return [$this->maxRequestsPerTimeSpan, time()];
+ }
+ $struct = unserialize($data, ['allowed_classes', FALSE]);
+ if ($struct === FALSE) {
+ $this->logger->debug("Bap\n!");
+ return [$this->maxRequestsPerTimeSpan, time()];
+ }
+ return unserialize($data);
+ }
+
+ function keyName($request) {
+ $ipAddress = $request->getAttribute('ip_address');
+ return $this->environment_info->name() . "_rate_limiter_$ipAddress";
+ }
+
+ function setIpData($keyName, $allowance, $lastCheck) {
+ $data = serialize([$allowance, $lastCheck]);
+ $this->redis->set($keyName, $data);
+ $this->redis->expire($keyName, $this->timeSpan);
+ }
+}
diff --git a/src/SubscriptionController.php b/src/SubscriptionController.php
index d403d77e..6aa60707 100644
--- a/src/SubscriptionController.php
+++ b/src/SubscriptionController.php
@@ -60,6 +60,8 @@ class SubscriptionController extends BaseController {
}
public function subscriptionRequest($request, $response, $args) {
+ $ipRateLimiter = $this->container->get('ipRateLimiter');
+ $ipRateLimiter->check($request);
$this->vars['bodyClasses'] = array('subscribe');
$parsedBody = $request->getParsedBody();
$fieldValidationRules = array(
diff --git a/src/dependencies.php b/src/dependencies.php
index 68cd24d0..65058873 100644
--- a/src/dependencies.php
+++ b/src/dependencies.php
@@ -67,6 +67,10 @@ $container['errorHandler'] = function($container) {
return $error_handler;
};
+$container['ipRateLimiter'] = function($container) {
+ return new \Tor\IpRateLimiter($container);
+};
+
$settings = $container->get('settings');
$settings['redis'] = [
'host' => 'localhost',
diff --git a/src/middleware.php b/src/middleware.php
index d0f7da59..a2c120df 100644
--- a/src/middleware.php
+++ b/src/middleware.php
@@ -3,3 +3,4 @@
// e.g: $app->add(new \Slim\Csrf\Guard);
$app->add(new \Tor\I18nMiddleware($app));
+$app->add(new RKA\Middleware\IpAddress());
diff --git a/src/settings.php b/src/settings.php
index 04934131..c615f9c1 100644
--- a/src/settings.php
+++ b/src/settings.php
@@ -6,6 +6,10 @@ $config = [
'settings' => [
'displayErrorDetails' => true,
'addContentLengthHeader' => false,
+ 'ipRateLimiter' => [
+ 'maxRequestsPerTimeSpan' => 10,
+ 'timeSpan' => 21600,
+ ],
'renderer' => [
'cache_path' => __DIR__ . '/../tmp/cache/templates',
'template_path' => __DIR__ . '/../templates/',
More information about the tor-commits
mailing list