Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rate-limit PPMS lookup to curb abuse (REDUX) #7673

Merged
merged 5 commits into from
Aug 18, 2021
Merged

rate-limit PPMS lookup to curb abuse (REDUX) #7673

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
8642d6b
rate-limit PPMS lookup to curb abuse
f1337 Aug 17, 2021
759ac3b
throttle Facility Locator by *remote_ip*, not *ip*
f1337 Aug 17, 2021
576b34d
test fixes for Facility Locator throttle
f1337 Aug 18, 2021
8b075e2
rubocop
LindseySaari Aug 18, 2021
ba2c16b
pay rubocop toll twice
f1337 Aug 18, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions config/initializers/rack_attack.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,13 @@
# frozen_string_literal: true

class Rack::Attack
# we're behind a load balancer and/or proxy, which is what request.ip returns
class Request < ::Rack::Request
def remote_ip
@remote_ip ||= (env['X-Real-Ip'] || ip).to_s
end
end

# .to_h because hashes from config_for don't support non-symbol keys
redis_options = REDIS_CONFIG[:redis].to_h
Rack::Attack.cache.store = Rack::Attack::StoreProxy::RedisStoreProxy.new(Redis.new(redis_options))
Expand All @@ -9,6 +16,13 @@ class Rack::Attack
req.ip if req.path == '/v0/limited'
end

# Rate-limit PPMS lookup, in order to bore abusers.
# See https://github.com/department-of-veterans-affairs/va.gov-team-sensitive/blob/master/Postmortems/2021-08-16-facility-locator-possible-DOS.md
# for details.
throttle('facility_locator/ip', limit: 3, period: 1.minute) do |req|
req.remote_ip if req.path == '/facilities_api/v1/ccp/provider'
end

throttle('vic_profile_photos_download/ip', limit: 8, period: 5.minutes) do |req|
req.ip if req.path == '/v0/vic/profile_photo_attachments' && req.get?
end
Expand Down
31 changes: 31 additions & 0 deletions spec/middleware/rack/attack_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,37 @@ def app
end
end

describe 'facility_locator/ip' do
let(:endpoint) { '/facilities_api/v1/ccp/provider' }
let(:headers) { { 'X-Real-Ip' => '1.2.3.4' } }
let(:limit) { 3 }
LindseySaari marked this conversation as resolved.
Show resolved Hide resolved

before do
limit.times do
get endpoint, nil, headers # rubocop:disable Rails/HttpPositionalArguments
expect(last_response.status).not_to eq(429)
end

get endpoint, nil, other_headers # rubocop:disable Rails/HttpPositionalArguments
end

context 'response status for repeated requests from the same IP' do
let(:other_headers) { headers }

it 'limits requests' do
expect(last_response.status).to eq(429)
end
end

context 'response status for request from different IP' do
let(:other_headers) { { 'X-Real-Ip' => '4.3.2.1' } }

it 'limits requests' do
expect(last_response.status).not_to eq(429)
end
end
end

describe 'vic rate-limits', run_at: 'Thu, 26 Dec 2015 15:54:20 GMT' do
before do
limit.times do
Expand Down