mirror of
https://github.com/discourse/discourse.git
synced 2024-12-11 19:53:52 +08:00
2492fe7715
This commit patches `Net::HTTP` to reduce the default timeouts of 60 seconds when we are processing a request. There are certain routes in Discourse which makes external requests and if the proper timeouts are not set, we risk having the Unicorn master process force restarting the Unicorn workers once the `30` seconds timeout is reached. This can potentially become a vector for DoS attacks and this commit is aimed at reducing the risk here.
49 lines
1.6 KiB
Ruby
49 lines
1.6 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
RSpec.describe "Middleware order" do
|
|
let(:expected_middlewares) do
|
|
[
|
|
BlockRequestsMiddleware,
|
|
TestMultisiteMiddleware,
|
|
ActionDispatch::RemoteIp,
|
|
Middleware::RequestTracker,
|
|
MessageBus::Rack::Middleware,
|
|
Middleware::ProcessingRequest,
|
|
Rack::Sendfile,
|
|
ActionDispatch::Static,
|
|
ActionDispatch::Executor,
|
|
Rack::MethodOverride,
|
|
Middleware::EnforceHostname,
|
|
ActionDispatch::RequestId,
|
|
SilenceLogger,
|
|
ActionDispatch::ShowExceptions,
|
|
ActionDispatch::DebugExceptions,
|
|
ActionDispatch::Callbacks,
|
|
ActionDispatch::Cookies,
|
|
ActionDispatch::Session::DiscourseCookieStore,
|
|
Discourse::Cors,
|
|
ActionDispatch::Flash,
|
|
RspecErrorTracker,
|
|
Middleware::CspScriptNonceInjector,
|
|
Middleware::AnonymousCache,
|
|
ContentSecurityPolicy::Middleware,
|
|
ActionDispatch::PermissionsPolicy::Middleware,
|
|
Rack::Head,
|
|
Rack::ConditionalGet,
|
|
Rack::TempfileReaper,
|
|
Middleware::OmniauthBypassMiddleware,
|
|
]
|
|
end
|
|
let(:actual_middlewares) { Rails.configuration.middleware.middlewares }
|
|
let(:remote_ip_index) { actual_middlewares.index(ActionDispatch::RemoteIp) }
|
|
let(:request_tracker_index) { actual_middlewares.index(Middleware::RequestTracker) }
|
|
|
|
it "has the correct order of middlewares" do
|
|
expect(actual_middlewares).to eq(expected_middlewares)
|
|
end
|
|
|
|
it "ensures that ActionDispatch::RemoteIp comes before Middleware::RequestTracker" do
|
|
expect(remote_ip_index).to be < request_tracker_index
|
|
end
|
|
end
|