Home Explore Help
Sign In
SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git
1
0
Fork 0
Files
Branch: stable-5.4
Branches Tags
zammad
/
config
/
initializers
/
rack_attack.rb

rack_attack.rb 2.2 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556 
  1. # Copyright (C) 2012-2023 Zammad Foundation, https://zammad-foundation.org/
    2. 

  2. 

  3. #
    4. 

  4. # Throttle password reset requests
    5. 

  5. #
    6. 

  6. API_V1_USERS__PASSWORD_RESET_PATH = '/api/v1/users/password_reset'.freeze
    7. 

  7. Rack::Attack.throttle('limit password reset requests per username', limit: 3, period: 1.minute.to_i) do |req|
    8. 

  8.   if req.path.start_with?(API_V1_USERS__PASSWORD_RESET_PATH) && req.post?
    9. 

  9.     # Normalize to protect against rate limit bypasses.
    10. 

  10.     req.params['username'].to_s.downcase.gsub(%r{\s+}, '')
    11. 

  11.   end
    12. 

  12. end
    13. 

  13. Rack::Attack.throttle('limit password reset requests per source IP address', limit: 3, period: 1.minute.to_i) do |req|
    14. 

  14.   if req.path.start_with?(API_V1_USERS__PASSWORD_RESET_PATH) && req.post?
    15. 

  15.     req.ip
    16. 

  16.   end
    17. 

  17. end
    18. 

  18. 

  19. #
    20. 

  20. # Throttle admin auth requests
    21. 

  21. #
    22. 

  22. API_V1_USERS__ADMIN_PASSWORD_AUTH_PATH = '/api/v1/users/admin_password_auth'.freeze
    23. 

  23. Rack::Attack.throttle('limit admi auth requests per username', limit: 3, period: 1.minute.to_i) do |req|
    24. 

  24.   if req.path.start_with?(API_V1_USERS__ADMIN_PASSWORD_AUTH_PATH) && req.post?
    25. 

  25.     # Normalize to protect against rate limit bypasses.
    26. 

  26.     req.params['username'].to_s.downcase.gsub(%r{\s+}, '')
    27. 

  27.   end
    28. 

  28. end
    29. 

  29. Rack::Attack.throttle('limit admin requests per source IP address', limit: 3, period: 1.minute.to_i) do |req|
    30. 

  30.   if req.path.start_with?(API_V1_USERS__ADMIN_PASSWORD_AUTH_PATH) && req.post?
    31. 

  31.     req.ip
    32. 

  32.   end
    33. 

  33. end
    34. 

  34. 

  35. #
    36. 

  36. # Throttle form submit requests
    37. 

  37. #
    38. 

  38. API_V1_FORM_SUBMIT_PATH = '/api/v1/form_submit'.freeze
    39. 

  39. form_limit_by_ip_per_hour_proc = proc { Setting.get('form_ticket_create_by_ip_per_hour') || 20 }
    40. 

  40. Rack::Attack.throttle('form submits per IP and hour', limit: form_limit_by_ip_per_hour_proc, period: 1.hour.to_i) do |req|
    41. 

  41.   if req.path.start_with?(API_V1_FORM_SUBMIT_PATH)
    42. 

  42.     req.ip
    43. 

  43.   end
    44. 

  44. end
    45. 

  45. form_limit_by_ip_per_day_proc = proc { Setting.get('form_ticket_create_by_ip_per_day') || 240 }
    46. 

  46. Rack::Attack.throttle('form submits per IP and day', limit: form_limit_by_ip_per_day_proc, period: 1.day.to_i) do |req|
    47. 

  47.   if req.path.start_with?(API_V1_FORM_SUBMIT_PATH)
    48. 

  48.     req.ip
    49. 

  49.   end
    50. 

  50. end
    51. 

  51. form_limit_per_day_proc = proc { Setting.get('form_ticket_create_per_day') || 5000 }
    52. 

  52. Rack::Attack.throttle('form submits per day', limit: form_limit_per_day_proc, period: 1.day.to_i) do |req|
    53. 

  53.   if req.path.start_with?(API_V1_FORM_SUBMIT_PATH)
    54. 

  54.     req.path
    55. 

  55.   end
    56. 

  56. end
    57.