Merge pull request #3261 from DMPRoadmap/bug-3214-vulnerability_no_rate_limit_on_reset_password_link

briri · web-flow · commit 5ac38d3ff929 · 2023-03-24T09:12:41.000-07:00
Fix for bug #3214 which had noted there was no request rate limit to - WIP
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -43,6 +43,11 @@ With the removal of the webpacker gem, the DartSass package has been installed t
 - Sass variables are no longer declared globally and have to be included in files where they are used.
 For more detailed explanation, please refer to this video : https://www.youtube.com/watch?v=CR-a8upNjJ0
 
+### Introduction of RackAttack
+[Rack Attack](https://github.com/rack/rack-attack) is middleware that can be used to help protect the application from malicious activity. You can establish white/black lists for specific IP addresses and also define rate limits.
+
+- Using Rack-attack address vulnerabilities pointed out in password reset and login: there was no request rate limit.[#3214](https://github.com/DMPRoadmap/roadmap/issues/3214)
+
 ### Cleanup of Capybara configuration
 - Cleaned up Gemfile by:
   - removing gems that were already commented out
@@ -71,8 +76,9 @@ For more detailed explanation, please refer to this video : https://www.youtube.
 - Added validation with custom error message in research_output.rb to ensure a user does not enter a very large value as 'Anticipated file size'. [#3161](https://github.com/DMPRoadmap/roadmap/issues/3161)
 - Added popover for org profile page and added explanation for public plan
 
-### Fixed
+ - Added rack-attack version 6.6.1 gem. https://rubygems.org/gems/rack-attack/versions/6.6.1
 
+### Fixed
 - Fixed an issue that was preventing uses from leaving the research output byte_size field blank
 - Patched issue that was causing template visibility to default to organizationally visible after saving
 - Froze mail gem version [#3254](https://github.com/DMPRoadmap/roadmap/issues/3254)
diff --git a/Gemfile b/Gemfile
@@ -108,6 +108,9 @@ gem 'jwt'
 # OO authorization for Rails (https://github.com/elabs/pundit)
 gem 'pundit'
 
+# Gem for throttling malicious attacks
+gem 'rack-attack', '~> 6.6', '>= 6.6.1'
+
 # ========== #
 # UI / VIEWS #
 # ========== #
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -350,6 +350,8 @@ GEM
       rspec-rails (>= 3.0.0)
     racc (1.6.2)
     rack (2.2.6.4)
+    rack-attack (6.6.1)
+      rack (>= 1.0, < 3)
     rack-mini-profiler (3.0.0)
       rack (>= 1.2.0)
     rack-protection (3.0.5)
@@ -574,6 +576,7 @@ DEPENDENCIES
   puma
   pundit
   pundit-matchers
+  rack-attack (~> 6.6, >= 6.6.1)
   rack-mini-profiler
   rails (~> 6.1)
   rails-controller-testing
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+# NB: `req` is a Rack::Request object (basically an env hash with friendly accessor methods)
+
+# Enable/disable Rack::Attack
+Rack::Attack.enabled = true
+
+# Cache store required to work.
+Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new # defaults to Rails.cache
+
+# Throttle should send a 429 Error responsec code and display public/429.html
+Rack::Attack.throttled_responder = lambda do |_env|
+  html = ActionView::Base.empty.render(file: 'public/429.html')
+  [429, { 'Content-Type' => 'text/html' }, [html]]
+end
+
+# Throttle attempts to a particular path. 2 POSTs to /users/password every 30 seconds
+Rack::Attack.throttle "password_resets/ip", limit: 2, period: 30.seconds do |req|
+  req.post? && req.path == "/users/password" && req.ip
+end
+
+# Throttle attempts to a particular path. 4 POSTs to /users/sign_in every 30 seconds
+Rack::Attack.throttle "logins/ip", limit: 4, period: 30.seconds do |req|
+  req.post? && req.path == "/users/sign_in" && req.ip
+end
diff --git a/public/429.html b/public/429.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/429.html -->
+  <div class="dialog">
+    <h1>Too Many Requests</h1>
+
+    <p>You have exceeded the number of requests for this resource. For security reasons access is limited to a fixed number in a given period. Retry later.</p>
+
+
+  </div>
+</body>
+</html>
