SECURITY: do cookie auth rate limiting earlier

This commit is contained in:
Sam 2016-08-09 10:02:18 +10:00
parent 1acef41e51
commit 0b5c3f5a03
2 changed files with 16 additions and 2 deletions

View File

@ -38,14 +38,18 @@ class Auth::DefaultCurrentUserProvider
current_user = nil current_user = nil
if auth_token && auth_token.length == 32 if auth_token && auth_token.length == 32
limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN ,60)
if limiter.can_perform?
current_user = User.where(auth_token: auth_token) current_user = User.where(auth_token: auth_token)
.where('auth_token_updated_at IS NULL OR auth_token_updated_at > ?', .where('auth_token_updated_at IS NULL OR auth_token_updated_at > ?',
SiteSetting.maximum_session_age.hours.ago) SiteSetting.maximum_session_age.hours.ago)
.first .first
end
unless current_user unless current_user
begin begin
RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN ,60).performed! limiter.performed!
rescue RateLimiter::LimitExceeded rescue RateLimiter::LimitExceeded
raise Discourse::InvalidAccess raise Discourse::InvalidAccess
end end

View File

@ -86,6 +86,10 @@ describe Auth::DefaultCurrentUserProvider do
end end
it "can only try 10 bad cookies a minute" do it "can only try 10 bad cookies a minute" do
user = Fabricate(:user)
provider('/').log_on_user(user, {}, {})
RateLimiter.stubs(:disabled?).returns(false) RateLimiter.stubs(:disabled?).returns(false)
RateLimiter.new(nil, "cookie_auth_10.0.0.1", 10, 60).clear! RateLimiter.new(nil, "cookie_auth_10.0.0.1", 10, 60).clear!
@ -97,10 +101,16 @@ describe Auth::DefaultCurrentUserProvider do
10.times do 10.times do
provider('/', env).current_user provider('/', env).current_user
end end
expect { expect {
provider('/', env).current_user provider('/', env).current_user
}.to raise_error(Discourse::InvalidAccess) }.to raise_error(Discourse::InvalidAccess)
expect {
env["HTTP_COOKIE"] = "_t=#{user.auth_token}"
provider("/", env).current_user
}.to raise_error(Discourse::InvalidAccess)
env["REMOTE_ADDR"] = "10.0.0.2" env["REMOTE_ADDR"] = "10.0.0.2"
provider('/', env).current_user provider('/', env).current_user
end end