Vulnerability: No rate limit on reset password link #3214
Comments
martaribeiro added the usability and vulnerability ("Vulnerability in the code") labels and removed the usability label, Sep 29, 2022
Solution: insert a minimum time in between password resets, e.g. 2 mins.
@dsisu to investigate whether there is an industry practice on limits to number of password changes
Going to use Rack-attack gem https://rubygems.org/gems/rack-attack/versions/6.6.1 as suggested by @briri.
johnpinto1 pushed a commit that referenced this issue, Dec 8, 2022
resetting the password. The Rack-Attack middleware for blocking & throttling abusive requests is being used. https://github.com/rack/rack-attack/blob/6-stable/README.md
Changes:
- Added rack-attack version 6.6.1 gem. https://rubygems.org/gems/rack-attack/versions/6.6.1
- Added config/initializers/rack_attack.rb:
  - The rack-attack functionality is enabled with Rack::Attack.enabled = true but may be switched off with Rack::Attack.enabled = false.
  - Password reset requests are currently throttled from an IP address for POSTs to path /users/passwords and are limited to 2 requests every 30 seconds.
  - Login requests are throttled from an IP address for POSTs to path /users/sign_in and are limited to 4 requests every 30 seconds.
- A new HTML page public/429.html with title "Too Many Request" is added.
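The throttle rules listed in the commit message, as an added example (not DMPRoadmap's or rack-attack's own code) in plain Ruby: a Rack-style middleware that applies the same two per-IP fixed-window limits, with an in-memory Hash standing in for the cache and an injectable clock so the 30-second window can be advanced in a test. The rule names `password_resets/ip` and `logins/ip` and the class name are assumptions.

```ruby
# Added example, not DMPRoadmap's own code: a minimal Rack-style middleware that
# reproduces the two fixed-window throttles described in the commit message
# (2 POSTs / 30 s to /users/passwords, 4 POSTs / 30 s to /users/sign_in, per IP)
# without the rack-attack gem, so it runs offline. Cache keys mimic rack-attack's
# "throttle:<name>:<epoch/period>:<discriminator>" scheme; an in-memory Hash
# stands in for Rails.cache and the clock is injectable for testing.
class ResetThrottle
  TOO_MANY = [429, { 'Content-Type' => 'text/plain' }, ["Too Many Requests\n"]].freeze
  RULES = [
    { name: 'password_resets/ip', path: '/users/passwords', limit: 2, period: 30 },
    { name: 'logins/ip',          path: '/users/sign_in',   limit: 4, period: 30 }
  ].freeze

  def initialize(app, clock: -> { Time.now.to_i })
    @app = app
    @clock = clock
    @counts = Hash.new(0)
  end

  def call(env)
    RULES.each do |rule|
      next unless env['REQUEST_METHOD'] == 'POST' && env['PATH_INFO'] == rule[:path]
      return TOO_MANY if over_limit?(rule, env['REMOTE_ADDR'])
    end
    @app.call(env)
  end

  private

  # Count the request in the current fixed window; the (limit+1)th hit is blocked.
  def over_limit?(rule, ip)
    key = "throttle:#{rule[:name]}:#{@clock.call / rule[:period]}:#{ip}"
    (@counts[key] += 1) > rule[:limit]
  end
end

# Replay constructed requests (method, path, ip, epoch second t) through a fresh
# throttle and return the status each one received, in order.
def simulate(requests)
  now = 0
  mw = ResetThrottle.new(->(_env) { [200, {}, ['ok']] }, clock: -> { now })
  requests.map do |r|
    now = r[:t]
    mw.call('REQUEST_METHOD' => r[:method], 'PATH_INFO' => r[:path],
            'REMOTE_ADDR' => r[:ip]).first
  end
end
```

In the real initializer these two rules map to `Rack::Attack.throttle('password_resets/ip', limit: 2, period: 30) { |req| req.ip if req.post? && req.path == '/users/passwords' }` and the analogous rule for /users/sign_in. A per-IP key alone does not bound the e-mails one account receives, which is what the issue's expected behaviour asks for; a second rule keyed on the submitted e-mail address would cover that.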
johnpinto1 pushed further commits that referenced this issue on Dec 8, 2022, Dec 19, 2022 (twice) and Jan 10, 2023, each carrying the same commit message as above.
briri added a commit that referenced this issue, Mar 24, 2023
…te_limit_on_reset_password_link Fix for bug #3214 which had noted there was no request rate limit to - WIP
Please complete the following fields as applicable:
What version of the DMPRoadmap code are you running? (e.g. v2.2.0)
Roadmap V3.1.1
Expected behaviour:
Only send one reset password email within a certain period of time.
Actual behaviour:
DESCRIPTION: A user will get many password reset links in the mailbox and unwanted traffic will be generated in the mailbox.
IMPACT: The user's inbox will be filled with unwanted password reset emails.
Steps to reproduce:
Set a number of emails sent in a certain period of time when resetting password.