github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-17 01:12:45 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Add rate limits for uploads

Browse Source
This commit is contained in:
Alan Guo Xiang Tan 2024-02-07 12:55:36 +08:00 committed by Nat
parent 819361ba28
commit 003b80e62f
No known key found for this signature in database
GPG Key ID: 4938B35D927EC773
3 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/controllers/uploads_controller.rb
View File

@ -25,6 +25,13 @@ class UploadsController < ApplicationController
# capture current user for block later on # capture current user for block later on
me = current_user me = current_user
RateLimiter.new(
current_user,
"uploads-per-minute",
SiteSetting.max_uploads_per_minute,
1.minute.to_i,
).performed!
params.permit(:type, :upload_type) params.permit(:type, :upload_type)
raise Discourse::InvalidParameters if params[:type].blank? && params[:upload_type].blank? raise Discourse::InvalidParameters if params[:type].blank? && params[:upload_type].blank?
# 50 characters ought to be enough for the upload type # 50 characters ought to be enough for the upload type

3
config/site_settings.yml
View File

@ -2228,6 +2228,9 @@ rate_limits:
max_complete_multipart_per_minute: max_complete_multipart_per_minute:
default: 10 default: 10
hidden: true hidden: true
max_uploads_per_minute:
default: 10
hidden: true
developer: developer:
force_hostname: force_hostname:

26
spec/requests/uploads_controller_spec.rb
View File

@ -19,6 +19,32 @@ RSpec.describe UploadsController do
let(:fake_jpg) { Rack::Test::UploadedFile.new(file_from_fixtures("fake.jpg")) } let(:fake_jpg) { Rack::Test::UploadedFile.new(file_from_fixtures("fake.jpg")) }
let(:text_file) { Rack::Test::UploadedFile.new(File.new("#{Rails.root}/LICENSE.txt")) } let(:text_file) { Rack::Test::UploadedFile.new(File.new("#{Rails.root}/LICENSE.txt")) }
context "when rate limited" do
before { RateLimiter.enable }
use_redis_snapshotting
it "should return 429 response code when maximum number of uploads per minute has been exceeded for a user" do
SiteSetting.max_uploads_per_minute = 1
post "/uploads.json",
params: {
file: Rack::Test::UploadedFile.new(logo_file),
type: "avatar",
}
expect(response.status).to eq(200)
post "/uploads.json",
params: {
file: Rack::Test::UploadedFile.new(logo_file),
type: "avatar",
}
expect(response.status).to eq(429)
end
end
it "expects a type or upload_type" do it "expects a type or upload_type" do
post "/uploads.json", params: { file: logo } post "/uploads.json", params: { file: logo }
expect(response.status).to eq(400) expect(response.status).to eq(400)