Jeremy Kescher
084cfb7d6c
Merge branch 'refs/heads/glitch' into develop
2024-08-11 19:09:56 +02:00
Claire
eaedd52def
Fix incorrect rate limit on PUT requests (#31356)
2024-08-09 14:48:05 +00:00
Jeremy Kescher
cb080ca3ef
Bump version to v4.3.0-alpha.4+glitch+cat+1.0.0
2024-05-30 18:51:42 +02:00
Claire
73a78cc19d
Fix rate-limiting incorrectly triggering a session cookie on most endpoints (#30483)
2024-05-30 12:56:18 +00:00
Claire
3fa0dd0b88
Merge pull request from GHSA-c2r5-cfqr-c553
* Add hardening monkey-patch to prevent IP spoofing on misconfigured installations
* Remove rack-attack safelist
2024-05-30 14:24:29 +02:00
Claire
16249946ae
Merge pull request from GHSA-q3rg-xx5v-4mxh
2024-05-30 14:14:04 +02:00
Emelia Smith
d20a5c3ec9
Fix: remove broken OAuth Application vacuuming & throttle OAuth Application registrations (#30316)
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2024-05-29 14:00:05 +00:00
Jeremy Kescher
e73c612cb1
Merge branch 'refs/heads/glitch-soc' into develop
2024-05-11 23:31:31 +02:00
Matt Jankowski
933189887b
Fix Style/StringLiterals cop (#30005)
2024-04-19 20:33:00 +00:00
Jeremy Kescher
5be3fb3d66
Merge remote-tracking branch 'essem/feature/emoji-reactions' into merge/emoji-reactions
2024-01-02 12:16:35 +01:00
Nick Schonning
85db392464
Autofix Rubocop cops for config/ (#24145)
2023-10-03 15:24:12 +02:00
Matt Jankowski
2e1391fdd2
Fix Naming/MemoizedInstanceVariableName cop (#25928)
2023-07-12 10:08:51 +02:00
Local User
0527458f38
Merge branch 'upstream/main' into develop
2023-07-07 01:25:26 +02:00
Nick Schonning
c66250abf1
Autofix Rubocop Regex Style rules (#23690)
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2023-06-06 14:50:51 +02:00
Jeremy Kescher
4920ccb302
Merge remote-tracking branch 'upstream/main' into develop
2023-05-27 12:23:36 +02:00
Nick Schonning
cee4369cf5
Autofix Rubocop Lint/AmbiguousOperatorPrecedence (#25002)
2023-05-16 10:51:59 +02:00
Jeremy Kescher
9eb149477a
Merge remote-tracking branch 'upstream/main' into develop
2023-05-06 00:39:56 +02:00
Nick Schonning
49fad26eca
Drop EOL Ruby 2.7 (#24237)
2023-04-27 01:46:18 +02:00
Jeremy Kescher
8de39432a9
Merge remote-tracking branch 'upstream/main' into develop
# Conflicts:
# .github/workflows/build-image.yml
# Gemfile.lock
# app/javascript/flavours/glitch/actions/interactions.js
# config/initializers/rack_attack.rb
# config/locales/en_GB.yml
2023-02-17 00:26:21 +01:00
Eugen Rochko
c6ef56fd5e
Change rate limits to 1,500/5m per user, 300/5m per app (#23347)
2023-02-02 00:07:49 +01:00
Jeremy Kescher
122870cb6b
Merge remote-tracking branch 'upstream/main' into develop
# Conflicts:
# config/initializers/rack_attack.rb
# lib/mastodon/version.rb
2022-11-14 22:18:48 +01:00
Eugen Rochko
21fd25a269
Fix rate limiting for paths with formats (#20675)
2022-11-14 20:26:31 +01:00
Jeremy Kescher
92ff7b0e3e
Make deleting / unboosting slightly less strict as well
2022-11-12 14:43:21 +01:00
Jeremy Kescher
a6d7063be9
Make rate limits even less strict
2022-06-12 23:18:03 +02:00
dependabot[bot]
46ad7fea9d
Bump rack-attack from 6.5.0 to 6.6.0 (#17405)
* Bump rack-attack from 6.5.0 to 6.6.0
Bumps [rack-attack](https://github.com/rack/rack-attack) from 6.5.0 to 6.6.0.
- [Release notes](https://github.com/rack/rack-attack/releases)
- [Changelog](https://github.com/rack/rack-attack/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rack/rack-attack/compare/v6.5.0...v6.6.0)
---
updated-dependencies:
- dependency-name: rack-attack
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* Fix usage of deprecated API
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
2022-03-12 09:23:53 +01:00
Claire
8603a07504
Fix error when trying to register (#17600)
2022-02-21 14:55:38 +01:00
zunda
f9e7f2e409
Avoid return within block (#17590)
This prevents the error: LocalJumpError (unexpected return)
2022-02-18 20:21:21 +01:00
Jeong Arm
1de2e3f980
Throttle IPv6 signup for subnet (#17588)
2022-02-18 13:51:51 +01:00
Jeong Arm
ea61d3acd6
Fix media API limit (#17272)
2022-01-10 14:25:24 +01:00
Eugen Rochko
ee1119208c
Add POST /api/v1/emails/confirmations to REST API (#15816)
Only available to the application the user originally signed-up with
2021-03-01 18:39:47 +01:00
luigi
eb51e43fb4
Optimize some regex matching (#15528)
* Use Regex#match?
* Replace =~ too
* Avoid calling match? on nil
* Keep value of Regexp.last_match
2021-01-22 10:09:08 +01:00
Eugen Rochko
5e1364c448
Add IP-based rules (#14963)
2020-10-12 16:33:49 +02:00
Eugen Rochko
81a3db1564
Change rate limits for various paths (#14253)
- Rate limit login attempts by target account
- Rate limit password resets and e-mail re-confirmations by target account
- Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before
2020-07-07 15:26:39 +02:00
Eugen Rochko
9241cbf861
Fix re-sending of e-mail confirmation not being rate limited (#13360)
Fix #13330
2020-03-31 18:20:48 +02:00
Eugen Rochko
339ce1c4e9
Add specific rate limits for posting and following (#13172)
2020-03-08 15:17:39 +01:00
Eugen Rochko
09d54d1f62
Fix uncaught query param encoding errors (#12741)
2020-01-02 17:14:58 +01:00
Yamagishi Kazutoshi
4e1b742cb2
Change rate limit for media proxy (#11814)
2019-09-13 16:02:52 +02:00
Hinaloe
b793722d7d
Fix undefined method error (#10868)
2019-05-28 15:31:51 +03:00
mayaeh
afb17b7045
Fix undefined method error. (#10867)
2019-05-28 05:42:04 +02:00
ThibG
0e9b8be18a
Improve rate limiting (#10860)
* Rate limit based on remote address IP, not on potential reverse proxy
* Limit rate of unauthenticated API requests further
* Rate-limit paging requests to one every 3 seconds
2019-05-27 21:57:49 +02:00
Eugen Rochko
0e8819f0e8
Add rate limit for media proxy requests (#10490)
30 per 30 minutes, like media uploads
2019-04-07 04:26:43 +02:00
Eugen Rochko
99fa1ce93d
Add tight rate-limit for API deletions (#10042)
Deletions take a lot of resources to execute and cause a lot of
federation traffic, so it makes sense to decrease the number
someone can queue up through the API.
30 per 30 minutes
2019-02-14 06:27:54 +01:00
Eugen Rochko
5d2fc6de32
Add REST API for creating an account (#9572)
* Add REST API for creating an account
The method is available to apps with a token obtained via the client
credentials grant. It creates user and account records, as well as
an access token for the app that initiated the request. The user is
unconfirmed, and an e-mail is sent as usual.
The method returns the access token, which the app should save for
later. The REST API is not available to users with unconfirmed
accounts, so the app must be smart enough to wait for the user to click a
link in their e-mail inbox.
The method is rate-limited by IP to 5 requests per 30 minutes.
* Redirect users back to app from confirmation if they were created with an app
* Add tests
* Return 403 on the method if registrations are not open
* Require agreement param to be true in the API when creating an account
2018-12-24 19:12:38 +01:00
aus-social
0a4739c732
lint pass 2 (#8878)
* Code quality pass
* Typofix
* Update applications_controller_spec.rb
* Update applications_controller_spec.rb
2018-10-04 17:38:04 +02:00
Akihiko Odaki
a7e71bbd08
Add a missing question mark in rack_attack.rb (#7338)
2018-05-03 18:51:00 +02:00
Akihiko Odaki
b1d4471e36
Throttle media post (#7337)
The previous rate limit allowed posting media so fast that it is possible
to fill up the disk space even before an administrator notices. The new
rate limit is configured so that it takes 24 hours to eat 10 gigabytes:
10 * 1024 / 8 / (24 * 60 / 30) = 27 (which rounded to 30)
The period is set long so that it does not prevent attaching several
media to one post, which would happen in a short period. For example,
if the period were 5 minutes, the rate limit would be:
10 * 1024 / 8 / (24 * 60 / 5) = 4
This long period allows the limit to be lifted.
2018-05-03 17:32:00 +02:00
Eugen Rochko
921b781909
Increase rate limit on protected paths (#6229)
Previously each protected path had a separate rate limit. Now they're all in the same bucket, so people are more likely to hit one with register->login. Increasing to 25 per 5 minutes should be fine.
2018-01-09 17:07:54 +01:00
Eugen Rochko
feed07227b
Apply a 25x rate limit by IP even to authenticated requests (#5948)
2017-12-11 15:32:29 +01:00
Naoki Kosaka
4bce376fdc
Missing require 'authorization_decorator'. (#5947)
2017-12-09 15:12:10 +01:00
Eugen Rochko
a865b62efc
Rate limit by user instead of IP when API user is authenticated (#5923)
* Fix #668 - Rate limit by user instead of IP when API user is authenticated
* Fix code style issue
* Use request decorator provided by Doorkeeper
2017-12-09 14:20:02 +01:00