import/export: always rate limit import and exports

This is a departure from previous versions, which did not limit import/export
requests. Now such requests are ALWAYS rate limited. The default is 10 requests
per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3.

Administrators can tune the parameters via settings.importExportRateLimiting.
This commit is contained in:
John McLear 2020-04-04 20:39:33 +00:00 committed by muxator
parent 24ee37a38f
commit c9d55c81a3
6 changed files with 67 additions and 0 deletions

View file

@ -408,6 +408,23 @@
"indentationOnNewLine": false, "indentationOnNewLine": false,
*/ */
/*
* From Etherpad 1.8.3 onwards, import and export of pads is always rate
* limited.
*
* The default is to allow at most 10 requests per IP in a 90 seconds window.
* After that the import/export request is rejected.
*
* See https://github.com/nfriedly/express-rate-limit for more options
*/
"importExportRateLimiting": {
// duration of the rate limit window (milliseconds)
"windowMs": 90000,
// maximum number of requests per IP to allow during the rate limit window
"max": 10
},
/* /*
* From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported * From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
* file is always bounded. * file is always bounded.

View file

@ -413,6 +413,23 @@
"indentationOnNewLine": false, "indentationOnNewLine": false,
*/ */
/*
* From Etherpad 1.8.3 onwards, import and export of pads is always rate
* limited.
*
* The default is to allow at most 10 requests per IP in a 90 seconds window.
* After that the import/export request is rejected.
*
* See https://github.com/nfriedly/express-rate-limit for more options
*/
"importExportRateLimiting": {
// duration of the rate limit window (milliseconds)
"windowMs": 90000,
// maximum number of requests per IP to allow during the rate limit window
"max": 10
},
/* /*
* From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported * From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
* file is always bounded. * file is always bounded.

View file

@ -4,10 +4,19 @@ var exportHandler = require('../../handler/ExportHandler');
var importHandler = require('../../handler/ImportHandler'); var importHandler = require('../../handler/ImportHandler');
var padManager = require("../../db/PadManager"); var padManager = require("../../db/PadManager");
var authorManager = require("../../db/AuthorManager"); var authorManager = require("../../db/AuthorManager");
const rateLimit = require("express-rate-limit");
settings.importExportRateLimiting.onLimitReached = function(req, res, options) {
// when the rate limiter triggers, write a warning in the logs
console.warn(`Import/Export rate limiter triggered on "${req.originalUrl}" for IP address ${req.ip}`);
}
var limiter = rateLimit(settings.importExportRateLimiting);
exports.expressCreateServer = function (hook_name, args, cb) { exports.expressCreateServer = function (hook_name, args, cb) {
// handle export requests // handle export requests
args.app.use('/p/:pad/:rev?/export/:type', limiter);
args.app.get('/p/:pad/:rev?/export/:type', async function(req, res, next) { args.app.get('/p/:pad/:rev?/export/:type', async function(req, res, next) {
var types = ["pdf", "doc", "txt", "html", "odt", "etherpad"]; var types = ["pdf", "doc", "txt", "html", "odt", "etherpad"];
//send a 404 if we don't support this filetype //send a 404 if we don't support this filetype
@ -40,6 +49,7 @@ exports.expressCreateServer = function (hook_name, args, cb) {
}); });
// handle import requests // handle import requests
args.app.use('/p/:pad/import', limiter);
args.app.post('/p/:pad/import', async function(req, res, next) { args.app.post('/p/:pad/import', async function(req, res, next) {
if (await hasPadAccess(req, res)) { if (await hasPadAccess(req, res)) {
let exists = await padManager.doesPadExists(req.params.pad); let exists = await padManager.doesPadExists(req.params.pad);

View file

@ -305,6 +305,23 @@ exports.scrollWhenFocusLineIsOutOfViewport = {
*/ */
exports.exposeVersion = false; exports.exposeVersion = false;
/*
* From Etherpad 1.8.3 onwards, import and export of pads is always rate
* limited.
*
* The default is to allow at most 10 requests per IP in a 90 seconds window.
* After that the import/export request is rejected.
*
* See https://github.com/nfriedly/express-rate-limit for more options
*/
exports.importExportRateLimiting = {
// duration of the rate limit window (milliseconds)
"windowMs": 90000,
// maximum number of requests per IP to allow during the rate limit window
"max": 10
};
/* /*
* From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported * From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
* file is always bounded. * file is always bounded.

5
src/package-lock.json generated
View file

@ -1633,6 +1633,11 @@
} }
} }
}, },
"express-rate-limit": {
"version": "5.1.1",
"resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-5.1.1.tgz",
"integrity": "sha512-puA1zcCx/quwWUOU6pT6daCt6t7SweD9wKChKhb+KSgFMKRwS81C224hiSAUANw/gnSHiwEhgozM/2ezEBZPeA=="
},
"express-session": { "express-session": {
"version": "1.17.0", "version": "1.17.0",
"resolved": "https://registry.npmjs.org/express-session/-/express-session-1.17.0.tgz", "resolved": "https://registry.npmjs.org/express-session/-/express-session-1.17.0.tgz",

View file

@ -40,6 +40,7 @@
"etherpad-require-kernel": "1.0.9", "etherpad-require-kernel": "1.0.9",
"etherpad-yajsml": "0.0.2", "etherpad-yajsml": "0.0.2",
"express": "4.17.1", "express": "4.17.1",
"express-rate-limit": "5.1.1",
"express-session": "1.17.0", "express-session": "1.17.0",
"find-root": "1.1.0", "find-root": "1.1.0",
"formidable": "1.2.1", "formidable": "1.2.1",