SECURITY: add rate limiting to anon JS error reporting

This adds a 1 minute rate limit to all JS error reporting per IP. Previously
we would only use the global rate limit.

This also introduces DISCOURSE_ENABLE_JS_ERROR_REPORTING, if it is set to
false then no JS error reporting will be allowed on the site.
This commit is contained in:
Sam Saffron 2019-08-20 11:31:58 +10:00
parent aea541d037
commit 6477531098
5 changed files with 9 additions and 1 deletions

View File

@ -167,7 +167,7 @@ GEM
logstash-event (1.2.02)
logstash-logger (0.26.1)
logstash-event (~> 1.2)
logster (2.3.0)
logster (2.3.2)
loofah (2.2.3)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)

View File

@ -12,6 +12,9 @@
var setupData = document.getElementById("data-discourse-setup").dataset;
window.Logster = window.Logster || {};
window.Logster.enabled = setupData.enableJsErrorReporting === "true";
Discourse.CDN = setupData.cdn;
Discourse.BaseUrl = setupData.baseUrl;
Discourse.BaseUri = setupData.baseUri;

View File

@ -469,6 +469,7 @@ module ApplicationHelper
disable_custom_css: loading_admin?,
highlight_js_path: HighlightJs.path,
svg_sprite_path: SvgSprite.path(theme_ids),
enable_js_error_reporting: GlobalSetting.enable_js_error_reporting,
}
if Rails.env.development?

View File

@ -249,3 +249,6 @@ maxmind_backup_path =
# X-Queue-Time: 1.01
enable_performance_http_headers = false
# gather JavaScript errors from clients (rate limited to 1 error per IP per minute)
enable_js_error_reporting = true

View File

@ -104,6 +104,7 @@ Logster.config.subdirectory = "#{GlobalSetting.relative_url_root}/logs"
Logster.config.application_version = Discourse.git_version
Logster.config.enable_custom_patterns_via_ui = true
Logster.config.enable_js_error_reporting = GlobalSetting.enable_js_error_reporting
store = Logster.store
redis = Logster.store.redis