Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Routes has no rate-limiting #139

Closed
christian-hawk opened this issue Nov 12, 2020 · 3 comments · Fixed by #163
Closed

Routes has no rate-limiting #139

christian-hawk opened this issue Nov 12, 2020 · 3 comments · Fixed by #163
Assignees
@kdhttps
Labels
high-priority Needs Documentation Issue that requires documentation to be added in Gluu docs security

Comments

@christian-hawk
Copy link
Contributor

HTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.

suggestion: express-rate-limit package.

Please check security tab.
@kdhttps
Copy link
Contributor

kdhttps commented Nov 16, 2020

express-rate-limit is good. we can use it. It limits per IP the number of max request and time
Example:

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100 // limit each IP to 100 requests per windowMs
});

so for max and windowMs values configuration, we have two ways first it to hard code and configurable.
Ofcourse configurable is best option, for that we have to add configuration option in oxTrust Passport > Basic Configuration

@christian-hawk @jgomer2001 let me know what you think about this all?

also if you are agree with this all then are we going to add this feature in Gluu 4.2.x or Gluu 5.0?

@christian-hawk
Copy link
Contributor Author

christian-hawk commented Nov 16, 2020
edited
Loading

Good. It's a security fix for CVE-307, CVE-400 and CVE-770, the context here is a fix rather then a feat.
As we cannot impact on oxTrust right now, we will need to start hardcoding and documenting how to change the values.
So, fix for 4.2

@kdhttps kdhttps added the Needs Documentation Issue that requires documentation to be added in Gluu docs label Nov 17, 2020
@christian-hawk
Copy link
Contributor Author

@kdhttps you can talk to @shmorri to submit PR to documentation repo after the code PR merged

kdhttps added a commit that referenced this issue Nov 23, 2020
@kdhttps
feat(app-factory.js): added rate-limiting facility
152b4b8 
used express-rate-limit package, currently fetching configurations from production.js file

feat #139
@kdhttps kdhttps mentioned this issue Nov 23, 2020
Merged
kdhttps added a commit that referenced this issue Nov 23, 2020
@kdhttps
feat(app-factory.js): added rate-limiting facility
51dbe48 
used express-rate-limit package, currently fetching configurations from production.js file

feat #139
kdhttps added a commit that referenced this issue Nov 25, 2020
@kdhttps
feat(app-factory.js): added rate-limiting facility
29669de 
used express-rate-limit package, currently fetching configurations from production.js file

feat #139
kdhttps added a commit that referenced this issue Nov 30, 2020
@kdhttps
feat(app-factory.js): added rate-limiting facility
d2b320a 
used express-rate-limit package, currently fetching configurations from production.js file

feat #139
kdhttps added a commit that referenced this issue Dec 2, 2020
@kdhttps
feat(app-factory.js): added rate-limiting facility
51b6ba3 
used express-rate-limit package, currently fetching configurations from production.js file

feat #139
kdhttps added a commit that referenced this issue Dec 11, 2020
@kdhttps
refactor: updated test cases and review fixes
87eaa3b 
re #139
kdhttps added a commit that referenced this issue Dec 16, 2020
@kdhttps
refactor: updated test cases to run with dynamic scenarios
6431061 
re #139
kdhttps added a commit that referenced this issue Dec 17, 2020
@kdhttps
refactor: updated test cases to run with dynamic scenarios
adf0371 
re #139
kdhttps added a commit that referenced this issue Dec 17, 2020
@kdhttps
refactor: updated test cases to run with dynamic scenarios
0005a8c 
re #139
kdhttps added a commit that referenced this issue Dec 17, 2020
@kdhttps
refactor: updated test cases to run with dynamic scenarios
6210dca 
re #139
kdhttps added a commit that referenced this issue Jan 12, 2021
@kdhttps
test(steps.js): updated cucumber-js and used BeforeStep and AfterStep…
8783b41 
… hooks

test #139
kdhttps added a commit that referenced this issue Jan 12, 2021
@kdhttps
refactor: refactor test cases to remove duplication
3ef9db3 
re #139
kdhttps added a commit that referenced this issue Jan 12, 2021
@kdhttps
refactor: refactor test cases to remove duplication
b9b103f 
re #139
kdhttps added a commit to kdhttps/docs-gluu-server-prod that referenced this issue Feb 2, 2021
@kdhttps
added configuration details about rate-limiting for gluu-passport Glu…
4fa0e9f 
…uFederation/gluu-passport#139
kdhttps added a commit to GluuFederation/docs-gluu-server-prod that referenced this issue Feb 2, 2021
@kdhttps
Added configuration details about rate-limiting for gluu-passport Glu…
1cd40f5 
…uFederation/gluu-passport#139
@kdhttps kdhttps mentioned this issue Feb 2, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kdhttps kdhttps

Labels
high-priority Needs Documentation Issue that requires documentation to be added in Gluu docs security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Added rate-limiting facility GluuFederation/gluu-passport
2 participants
@kdhttps @christian-hawk