From 8c192559fee9c899cfd16933b10a33943fa54ccc Mon Sep 17 00:00:00 2001
From: Sojan Jose
Date: Thu, 7 Oct 2021 18:06:43 +0530
Subject: [PATCH] chore: Rate limits on widget conversation endpoints (#3162)

- Limit widget conversation creation to 6 per 12 hours
- Enable rack attack by default
---
 .env.example                       |  2 +-
 config/initializers/rack_attack.rb | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/.env.example b/.env.example
index dd4052f69..ade61ba74 100644
--- a/.env.example
+++ b/.env.example
@@ -169,7 +169,7 @@ USE_INBOX_AVATAR_FOR_BOT=true
 
 ## Rack Attack configuration
 ## To prevent and throttle abusive requests
-# ENABLE_RACK_ATTACK=false
+# ENABLE_RACK_ATTACK=true
 
 ## Running chatwoot as an API only server
 
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 1e1aa9cf8..acbf7e138 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -52,6 +52,16 @@ class Rack::Attack
     req.ip if req.path == '/api/v1/accounts' && req.post?
   end
 
+  ## Prevent Conversation Bombing on Widget APIs ###
+  throttle('api/v1/widget/conversations', limit: 6, period: 12.hours) do |req|
+    req.ip if req.path == '/api/v1/widget/conversations' && req.post?
+  end
+
+  ## Prevent Contact update Bombing in Widget API ###
+  throttle('api/v1/widget/contacts', limit: 60, period: 1.hour) do |req|
+    req.ip if req.path == '/api/v1/widget/contacts' && (req.patch? || req.put?)
+  end
+
   # ref: https://github.com/rack/rack-attack/issues/399
   throttle('login/email', limit: 20, period: 5.minutes) do |req|
     if req.path == '/auth/sign_in' && req.post?
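Review bot: Both new widget throttles key on `req.ip`, and the widget endpoints are hit by anonymous visitors of every customer site, so a limit of 6 POSTs per 12 hours per IP will lock out legitimate visitors who share an egress address (office NAT, mobile carriers, corporate proxies). `req.ip` also only reflects the real client when the proxy or load balancer in front of the app is configured as a trusted proxy for the forwarded-for header; if it is not, every widget request carries the proxy's address and the limit becomes global, and if forwarded headers are trusted from anyone, the per-IP key is chosen by the client rather than observed. Worth a comment above the first new throttle documenting that assumption, e.g. `# Keyed on client IP: relies on the upstream proxy being trusted, and visitors behind shared egress count against one bucket`. The `req.path ==` checks are exact string comparisons, so any alternate routing form Rails accepts for the same action (such as a format suffix) falls outside the throttle; the existing throttles use the same pattern, so a shared path matcher would keep them consistent. The enclosing `class Rack::Attack` body begins and ends outside the hunk.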
@@ -75,4 +85,4 @@ ActiveSupport::Notifications.subscribe('throttle.rack_attack') do |_name, _start
   Rails.logger.info "[Rack::Attack][Blocked] remote_ip: \"#{payload[:request].remote_ip}\", path: \"#{payload[:request].path}\""
 end
 
-Rack::Attack.enabled = ActiveModel::Type::Boolean.new.cast(ENV.fetch('ENABLE_RACK_ATTACK', false))
+Rack::Attack.enabled = ActiveModel::Type::Boolean.new.cast(ENV.fetch('ENABLE_RACK_ATTACK', true))
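Review bot: Flipping the default to `true` makes every throttle in this file active on installs that never set `ENABLE_RACK_ATTACK`, and the counters behind them live in `Rack::Attack.cache.store` (presumably `Rails.cache` unless it is configured elsewhere in this file, which is outside the hunk); on a null store or a per-process memory store the new 6-per-12-hours limit is silently ineffective or inconsistent across workers. Worth a comment on the assignment, e.g. `# Enabled by default: throttle counters are kept in Rack::Attack.cache.store, so production needs a shared cache backend (TODO confirm)`. Note also that the blocked-request log above records `payload[:request].remote_ip` while the throttles key on `req.ip`; where the two differ the log line does not identify the bucket that tripped, which makes correlating blocks with the limits harder now that they are on by default.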