add ability to block ip addresses that are submitting spam #1938 #2495

Closed
a1b11a8
add ability to block ip addresses that are submitting spam #1938
Sarthak5598 Jul 23, 2024
ed77fa7
Merge branch 'main' into issue_1938
Sarthak5598 Jul 23, 2024
b17fd19
PRE-COMMIT ISSUE DUE TO CONFLICTS
Sarthak5598 Jul 23, 2024
84730df
SQAUSHED MIGRATION
Sarthak5598 Jul 23, 2024
9924a76
added recommended changes
Sarthak5598 Jul 25, 2024
a136844
reemoved print statement
Sarthak5598 Jul 25, 2024
8cece1f
Merge branch 'main' into issue_1938
Sarthak5598 Jul 25, 2024
6e27181
Merge branch 'main' into issue_1938
Sarthak5598 Jul 26, 2024
f8d785a
Removed unused files and code
Sarthak5598 Jul 26, 2024
cb905b5
Merge branch 'issue_1938' of https://github.com/Sarthak5598/BLT into …
Sarthak5598 Jul 26, 2024
6e7ffee
added migration
Sarthak5598 Jul 26, 2024
af389c7
added caching
Sarthak5598 Jul 26, 2024
19d9c7a
changed timeout from 1 hr to 1 day
Sarthak5598 Jul 26, 2024
fe55894
remoced unnecesaary code
Sarthak5598 Jul 26, 2024
db56495
self.ip -> self.address
Sarthak5598 Jul 27, 2024
a17d23d
Merge branch 'main' into issue_1938
DonnieBLT Aug 4, 2024
e39c0f1
Update blt/middleware/ip_restrict.py
DonnieBLT Aug 4, 2024
8e47dd1
Update blt/middleware/ip_restrict.py
DonnieBLT Aug 4, 2024
b432640
made nessecary changes and introduced reason , also blocking on basis…
Sarthak5598 Aug 9, 2024
3c8ede9
Merge branch 'issue_1938' of https://github.com/Sarthak5598/BLT into …
Sarthak5598 Aug 9, 2024
645cefc
Merge branch 'main' into issue_1938
Sarthak5598 Aug 9, 2024
09e4f50
pre-commit
Sarthak5598 Aug 9, 2024
e8a5d88
Merge branch 'main' of https://github.com/Sarthak5598/BLT into issue_…
Sarthak5598 Aug 9, 2024
6d85d82
migration issue solved
Sarthak5598 Aug 9, 2024
2407fff
pre
Sarthak5598 Aug 9, 2024
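--- a/blt/middleware/count_ip_requests.py
+++ b/blt/middleware/count_ip_requests.py
@@ -0,0 +1,24 @@
+from django.utils.deprecation import MiddlewareMixin
+from user_agents import parse
+
+from website.models import IP
+
+
+class MonitorIPMiddleware(MiddlewareMixin):
+def process_request(self, request):
+x_forwarded_for = request.META.get("HTTP_X_FORWARDED_FOR")
+if x_forwarded_for:
+ip = x_forwarded_for.split(",")[0].strip()
+else:
+ip = request.META.get("REMOTE_ADDR")
+
+user_agent = request.META.get("HTTP_USER_AGENT", "")
+parsed_agent = parse(user_agent)
+
+if ip:
+ip_record = IP.objects.filter(address=ip).first()
+
+if ip_record:
+ip_record.user_agent_string = parsed_agent
+ip_record.count += 1
+ip_record.save()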
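Review bot: The `x_forwarded_for.split(",")[0]` at the top of `process_request` takes the leftmost `X-Forwarded-For` entry, which is set by the client rather than by your proxy, so the counter on any existing `IP` row can be driven up by requests that merely name that address; since this count is the signal an admin looks at when deciding what to block, honour the header only when the request came from a known proxy (or read the entry your proxy appends) and fall back to `REMOTE_ADDR` otherwise. The read-modify-write of `ip_record.count += 1` followed by `save()` loses increments under concurrent requests and rewrites every column of the row; `IP.objects.filter(address=ip).update(count=F("count") + 1, user_agent_string=str(parsed_agent))` with `from django.db.models import F` does it atomically in one statement. Assigning the `UserAgent` object returned by `parse()` to `user_agent_string` relies on the CharField stringifying it on save, which stores the library's pretty-printed form rather than the header value; pass `str(parsed_agent)` (or the raw `user_agent`) explicitly and add a one-line comment saying which representation the blocklist in `ip_restrict.py` is expected to match. A short class docstring stating that this middleware only updates rows that already exist, and never creates one, would also help the next reader.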
70 changes: 70 additions & 0 deletions blt/middleware/ip_restrict.py
@@ -0,0 +1,70 @@
import ipaddress

from django.core.cache import cache
from django.http import HttpResponseForbidden
from user_agents import parse

from website.models import BlockedIP


class IPRestrictMiddleware:
"""
Middleware to restrict access based on client IP addresses.
"""

def __init__(self, get_response):
self.get_response = get_response

def blocked_ips(self):
blocked_ips = cache.get("blocked_ips")
if blocked_ips is None:
blocked_addresses = BlockedIP.objects.values_list("address", flat=True)
blocked_ips = set(blocked_addresses)
cache.set("blocked_ips", blocked_ips, timeout=86400)
return blocked_ips

def blocked_ip_ranges(self):
blocked_ip_ranges = cache.get("blocked_ip_ranges")
if blocked_ip_ranges is None:
blocked_ip_start = BlockedIP.objects.values_list("address_range_start", flat=True)
blocked_ip_end = BlockedIP.objects.values_list("address_range_end", flat=True)
blocked_ip_ranges = list(zip(blocked_ip_start, blocked_ip_end))
cache.set("blocked_ip_ranges", blocked_ip_ranges, timeout=86400)
return blocked_ip_ranges

def ip_in_range(self, ip, ip_ranges):
ip_int = int(ipaddress.IPv4Address(ip))
for start, end in ip_ranges:
start_int = int(ipaddress.IPv4Address(start))
end_int = int(ipaddress.IPv4Address(end))
if start_int <= ip_int <= end_int:
return True
return False

def blocked_agents(self):
blocked_agents = cache.get("blocked_agents")
if blocked_agents is None:
blocked_user_agents = BlockedIP.objects.values_list("user_agent_string", flat=True)
blocked_agents = set(blocked_user_agents)
cache.set("blocked_agents", blocked_agents, timeout=86400)
return blocked_agents

def __call__(self, request):
ip = request.META.get("REMOTE_ADDR")
user_agent = request.META.get("HTTP_USER_AGENT", "")
parsed_agent = parse(user_agent)

if ip:
if ip in self.blocked_ips():
return HttpResponseForbidden(
"Your IP address is restricted from accessing this site."
)
blocked_ip_ranges = self.blocked_ip_ranges()
if self.ip_in_range(ip, blocked_ip_ranges):
return HttpResponseForbidden(
"Your IP address is restricted from accessing this site."
)
if parsed_agent and parsed_agent in self.blocked_agents():
return HttpResponseForbidden("Your IP address is restricted from accessing this site.")

return self.get_response(request)
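Review bot: `ip_in_range` raises instead of returning False whenever a range endpoint is missing or is not an IPv4 literal, and `blocked_ip_ranges` hands it every `BlockedIP` row, including the address-only and user-agent-only rows that this PR's admin actions create; if those range columns are nullable (the model is not on this page), `ipaddress.IPv4Address(None)` then fails on every request and the site answers 500 rather than 403, and an IPv6 or malformed `REMOTE_ADDR` fails the same way. `blocked_ip_ranges` also zips two independent `values_list` queries whose row order is not guaranteed to line up, so a start can be paired with another row's end; one `values_list("address_range_start", "address_range_end")` query keeps each pair together. In `__call__`, `parsed_agent in self.blocked_agents()` tests a `user_agents.UserAgent` object against a set of strings, so unless that class defines equality with `str` (I do not believe it does) the user-agent block never fires; compare `str(parsed_agent)` (which is what the CharField assignment in `count_ip_requests.py` ends up storing) or the raw `user_agent` header, and say which in a comment on `blocked_agents`. The two middlewares also disagree on where the client address comes from — `REMOTE_ADDR` here, the first `X-Forwarded-For` entry in `count_ip_requests.py` — so behind a reverse proxy the address that gets counted is not the address that gets checked; both should resolve it through one helper that honours the forwarding header only for a configured trusted proxy. The rewritten range handling is below.
```python
    def blocked_ip_ranges(self):
        blocked_ip_ranges = cache.get("blocked_ip_ranges")
        if blocked_ip_ranges is None:
            # One query keeps each start/end pair together; rows without a range are skipped.
            blocked_ip_ranges = list(
                BlockedIP.objects.exclude(address_range_start__isnull=True)
                .exclude(address_range_end__isnull=True)
                .values_list("address_range_start", "address_range_end")
            )
            cache.set("blocked_ip_ranges", blocked_ip_ranges, timeout=86400)
        return blocked_ip_ranges

    def ip_in_range(self, ip, ip_ranges):
        # A malformed or non-IPv4 client address must not turn into a server error.
        try:
            ip_addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        for start, end in ip_ranges:
            try:
                start_addr = ipaddress.ip_address(start)
                end_addr = ipaddress.ip_address(end)
            except ValueError:
                continue  # malformed or empty row: skip it rather than fail the request
            if start_addr.version == ip_addr.version and start_addr <= ip_addr <= end_addr:
                return True
        return False

    # … unchanged: __init__, blocked_ips, blocked_agents, __call__ …
```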
4 changes: 3 additions & 1 deletion blt/settings.py
Expand Up @@ -118,6 +118,8 @@
"django.middleware.security.SecurityMiddleware",
"whitenoise.middleware.WhiteNoiseMiddleware",
"tz_detect.middleware.TimezoneMiddleware",
"blt.middleware.ip_restrict.IPRestrictMiddleware",
"blt.middleware.count_ip_requests.MonitorIPMiddleware",
)

TESTING = len(sys.argv) > 1 and sys.argv[1] == "test"
Expand Down Expand Up @@ -360,7 +362,7 @@
},
},
}

DEFAULT_FILE_STORAGE = "django.core.files.storage.FileSystemStorage"
USERS_AVATAR_PATH = "avatars"
AVATAR_PATH = os.path.join(MEDIA_ROOT, USERS_AVATAR_PATH)

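Review bot: `"blt.middleware.ip_restrict.IPRestrictMiddleware"` is inserted after `WhiteNoiseMiddleware`, so a blocked client is still served every static asset WhiteNoise handles before the block is ever evaluated; placing the new entry directly after `"django.middleware.security.SecurityMiddleware"` makes the 403 cover those requests as well. `MonitorIPMiddleware` performs a read and a write on the `IP` table for every request that reaches it, so its position after WhiteNoise (sparing static requests) is deliberate and deserves a one-line comment next to the entry, e.g. `# after WhiteNoise so static requests are not counted`, so the ordering is not changed casually. The second hunk around `DEFAULT_FILE_STORAGE` shows no visible textual change on this page, so I assume it is whitespace only.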
2 changes: 1 addition & 1 deletion company/static/company/js/hunt_controller.js
Expand Up @@ -349,4 +349,4 @@ function getCookie(name) {
}
}
return cookieValue;
}
}
53 changes: 53 additions & 0 deletions website/admin.py
Expand Up @@ -7,6 +7,7 @@
from website.models import (
IP,
Bid,
BlockedIP,
ChatBotLog,
Company,
CompanyAdmin,
Expand Down Expand Up @@ -276,9 +277,49 @@ def issue_description(self, obj):
return obj.issue.description


def block_ip(modeladmin, request, queryset):
for ip in queryset:
BlockedIP.objects.create(address=ip.address, count=ip.count)
modeladmin.message_user(request, "Selected IPs have been blocked successfully.")


block_ip.short_description = "Block selected IPs"


def unblock_ip(modeladmin, request, queryset):
for ip in queryset:
BlockedIP.objects.filter(ip=ip.address).delete()
modeladmin.message_user(request, "Selected IPs have ben unblocked successfully")


unblock_ip.short_description = "Unblock selected IPs"


def block_user_agent(modeladmin, request, queryset):
for ip in queryset:
BlockedIP.objects.create(user_agent_string=ip.user_agent_string)

modeladmin.message_user(request, "Selected UserAgent have been blocked successfully.")


block_user_agent.short_description = "Block selected UserAgent"


def unblock_user_agent(modeladmin, request, queryset):
for ip in queryset:
BlockedIP.objects.filter(user_agent_string=ip.user_agent_string).delete()

modeladmin.message_user(request, "Selected UserAgent have been unblocked successfully.")


unblock_user_agent.short_description = "Unblock selected UserAgent"


class IPAdmin(admin.ModelAdmin):
list_display = ("id", "address", "user", "issuenumber", "created", "agent", "path")

actions = [block_ip, unblock_ip, block_user_agent, unblock_user_agent]


class MonitorAdmin(admin.ModelAdmin):
list_display = (
Expand All @@ -305,6 +346,17 @@ class SuggestionVotesAdmin(admin.ModelAdmin):
list_display = ("user", "suggestion", "up_vote", "down_vote")


class BlockedIPAdmin(admin.ModelAdmin):
list_display = (
"address",
"reason_for_block",
"address_range_start",
"address_range_end",
"user_agent_string",
"count",
)


class ProjectAdmin(admin.ModelAdmin):
list_display = (
"id",
Expand Down Expand Up @@ -338,6 +390,7 @@ class ProjectAdmin(admin.ModelAdmin):
admin.site.register(IssueScreenshot, IssueScreenshotAdmin)
admin.site.register(HuntPrize)
admin.site.register(ChatBotLog, ChatBotLogAdmin)
admin.site.register(BlockedIP, BlockedIPAdmin)
admin.site.register(Suggestion, SuggestionAdmin)
admin.site.register(SuggestionVotes, SuggestionVotesAdmin)

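Review bot: `unblock_ip` filters on `ip=ip.address`, but every other use of the model on this page (`block_ip`, and `values_list("address", ...)` in the middleware) names the field `address`, so this action raises a FieldError the first time an admin runs it; change it to `BlockedIP.objects.filter(address=ip.address).delete()`. None of the four actions invalidate the middleware's cache, so a block or unblock only takes effect once the 24-hour `blocked_ips`, `blocked_ip_ranges` and `blocked_agents` entries expire; add `cache.delete_many(["blocked_ips", "blocked_ip_ranges", "blocked_agents"])` after each loop, with `from django.core.cache import cache`. `block_ip` creates a new row on every run, so repeating the action accumulates duplicates; `BlockedIP.objects.get_or_create(address=ip.address, defaults={"count": ip.count})` keeps one row per address, and `block_user_agent` has the same issue. `unblock_user_agent` deletes every row matching the user agent, which, if a row also carries an address or range, silently removes that block too — worth a comment or a narrower filter. The message in `unblock_ip` reads "ben" for "been".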
2 changes: 1 addition & 1 deletion website/documents/BltAboutUs.md
Expand Up @@ -73,4 +73,4 @@ Organizations
We want everyone to love your website.
You want to keep your customers happy by giving them a consistent bug-free user experience. BLT offers monthly Bug Bounties through 4 different subscription plans to help you achieve this.

BLT is 100% free to use, Open Source and a non-commercial, not for profit initiative.
BLT is 100% free to use, Open Source and a non-commercial, not for profit initiative.
2 changes: 1 addition & 1 deletion website/documents/BltBLTV.md
Expand Up @@ -40,4 +40,4 @@ The component is designed with several features to enhance performance and user
- **Optimized Loading**: The page is optimized to load quickly, allowing users to browse and play videos without delay.
- **Responsive Design**: The layout is fully responsive, adapting to different screen sizes and devices to ensure a consistent and accessible experience across desktops, tablets, and mobile devices.
- **Lazy Loading**: Video thumbnails and other media elements are loaded as needed, reducing initial load times and improving overall performance.
- **Efficient Data Retrieval**: Uses efficient data retrieval techniques to fetch and display video tutorials quickly, minimizing wait times and enhancing user satisfaction.
- **Efficient Data Retrieval**: Uses efficient data retrieval techniques to fetch and display video tutorials quickly, minimizing wait times and enhancing user satisfaction.
2 changes: 1 addition & 1 deletion website/documents/BltChangePassword.md
Expand Up @@ -41,4 +41,4 @@ The layout is simple and focused, ensuring users can easily update their passwor
- **Minimal Distractions**: The focused design ensures users can complete the task quickly without unnecessary distractions or elements.

#### URL Mention
This detailed information pertains to the "Change Password" page of the BugLog tool, accessible at: [https://blt.owasp.org/accounts/password/change/](https://blt.owasp.org/accounts/password/change/).
This detailed information pertains to the "Change Password" page of the BugLog tool, accessible at: [https://blt.owasp.org/accounts/password/change/](https://blt.owasp.org/accounts/password/change/).
2 changes: 1 addition & 1 deletion website/documents/BltCommunityMembers.md
Expand Up @@ -39,4 +39,4 @@ The component is designed with several features to enhance performance and user
- **Optimized Loading**: The page is optimized to load quickly, allowing users to browse member profiles without delay.
- **Responsive Design**: The layout is fully responsive, adapting to different screen sizes and devices to ensure a consistent and accessible experience across desktops, tablets, and mobile devices.
- **Lazy Loading**: Member photos and other media elements are loaded as needed, reducing initial load times and improving overall performance.
- **Efficient Data Retrieval**: Uses efficient data retrieval techniques to fetch and display member profiles quickly, minimizing wait times and enhancing user satisfaction.
- **Efficient Data Retrieval**: Uses efficient data retrieval techniques to fetch and display member profiles quickly, minimizing wait times and enhancing user satisfaction.
2 changes: 1 addition & 1 deletion website/documents/BltCompanyDashboard.md
Expand Up @@ -42,4 +42,4 @@ The dashboard is designed with several features to enhance performance and user
- **Optimized Loading**: The page is optimized to load quickly, with asynchronous loading of non-critical elements to ensure that users can start interacting with the content without delay.
- **Responsive Design**: The layout is fully responsive, adapting to different screen sizes and devices, ensuring a consistent and accessible experience across desktops, tablets, and mobile devices.
- **Lazy Loading**: Bug report items and other media elements are loaded as needed, reducing initial load times and improving overall performance.
- **Efficient Data Retrieval**: The page uses efficient data retrieval techniques to fetch and display bug reports quickly, minimizing wait times and enhancing user satisfaction.
- **Efficient Data Retrieval**: The page uses efficient data retrieval techniques to fetch and display bug reports quickly, minimizing wait times and enhancing user satisfaction.
2 changes: 1 addition & 1 deletion website/documents/BltCompanyListingPage.md
Expand Up @@ -39,4 +39,4 @@ The page is designed with several features to enhance performance and user exper
- **Optimized Loading**: The page is optimized to load quickly, with asynchronous loading of non-critical elements to ensure that users can start interacting with the content without delay.
- **Responsive Design**: The layout is fully responsive, adapting to different screen sizes and devices, ensuring a consistent and accessible experience across desktops, tablets, and mobile devices.
- **Lazy Loading**: Company logos and other media elements are loaded as needed, reducing initial load times and improving overall performance.
- **Efficient Data Retrieval**: The page uses efficient data retrieval techniques to fetch and display company details quickly, minimizing wait times and enhancing user satisfaction.
- **Efficient Data Retrieval**: The page uses efficient data retrieval techniques to fetch and display company details quickly, minimizing wait times and enhancing user satisfaction.
2 changes: 1 addition & 1 deletion website/documents/BltCompanyScoreboard.md
Expand Up @@ -42,4 +42,4 @@ The scoreboard is designed with several features to enhance performance and user
- **Optimized Loading**: The page is optimized to load quickly, with asynchronous loading of non-critical elements to ensure that users can start interacting with the content without delay.
- **Responsive Design**: The layout is fully responsive, adapting to different screen sizes and devices, ensuring a consistent and accessible experience across desktops, tablets, and mobile devices.
- **Lazy Loading**: Company logos and other media elements are loaded as needed, reducing initial load times and improving overall performance.
- **Efficient Data Retrieval**: The page uses efficient data retrieval techniques to fetch and display company metrics quickly, minimizing wait times and enhancing user satisfaction.
- **Efficient Data Retrieval**: The page uses efficient data retrieval techniques to fetch and display company metrics quickly, minimizing wait times and enhancing user satisfaction.
2 changes: 1 addition & 1 deletion website/documents/BltDetails.md
Expand Up @@ -25,4 +25,4 @@ Anyone interested in contributing to the OWASP BLT project can:
- **Participate in Bug Hunts**: Join company-sponsored bug hunts to earn rewards.
- **Contribute to Development**: Follow the contribution guidelines available on the OWASP website to get started with development and enhancement of BLT.

BLT means Bug Logging Tool project from OWASP foundation .
BLT means Bug Logging Tool project from OWASP foundation .
2 changes: 1 addition & 1 deletion website/documents/BltDetailsFromOwasp.md
Expand Up @@ -429,4 +429,4 @@ Corporate Supporters

G@ surerowr Bloomberg’
Fa CUARDSQUARE BIONIC
4:SailPoint root
4:SailPoint root
2 changes: 1 addition & 1 deletion website/documents/BltGlobalLeaderboard.md
Expand Up @@ -40,4 +40,4 @@ The leaderboard is designed with several features to enhance performance and use
- **Optimized Loading**: The page is optimized to load quickly, with asynchronous loading of non-critical elements to ensure that users can start interacting with the content without delay.
- **Responsive Design**: The layout is fully responsive, adapting to different screen sizes and devices, ensuring a consistent and accessible experience across desktops, tablets, and mobile devices.
- **Lazy Loading**: User avatars and other media elements are loaded as needed, reducing initial load times and improving overall performance.
- **Efficient Data Retrieval**: The page uses efficient data retrieval techniques to fetch and display user rankings quickly, minimizing wait times and enhancing user satisfaction.
- **Efficient Data Retrieval**: The page uses efficient data retrieval techniques to fetch and display user rankings quickly, minimizing wait times and enhancing user satisfaction.
2 changes: 1 addition & 1 deletion website/documents/BltInvite.md
Expand Up @@ -34,4 +34,4 @@ Users interact with this component by entering an email address in the provided
### Detailed Information for Chatbot
To ensure the chatbot can assist users effectively, include details such as the URL of the invite page (https://blt.owasp.org/invite/) and descriptions of the error messages users might encounter. The chatbot should be able to guide users through the process of entering an email address and clicking the "Invite" button, as well as troubleshooting common issues like invalid email formats or server errors.

By understanding these detailed aspects of the invite page UI component, the chatbot can provide comprehensive assistance, ensuring users can easily invite others to the BugLog tool application.
By understanding these detailed aspects of the invite page UI component, the chatbot can provide comprehensive assistance, ensuring users can easily invite others to the BugLog tool application.
2 changes: 1 addition & 1 deletion website/documents/BltLoginPage.md
Expand Up @@ -44,4 +44,4 @@ The Login Page has robust error handling mechanisms to ensure that users provide
Several features of the Login Page enhance performance and user experience:
- **Optimized Loading**: The page is designed to load quickly, ensuring that users can start entering their credentials without waiting for all elements to load.
- **Responsive Design**: The form is fully responsive, adapting to different screen sizes and devices. This ensures that users can easily log in on desktops, tablets, and mobile devices.
- **Form Persistence**: If users accidentally navigate away from the page, their entered credentials are temporarily saved, preventing data loss and enhancing the user experience by reducing the need to re-enter information.
- **Form Persistence**: If users accidentally navigate away from the page, their entered credentials are temporarily saved, preventing data loss and enhancing the user experience by reducing the need to re-enter information.
2 changes: 1 addition & 1 deletion website/documents/BltSignUpPage.md
Expand Up @@ -41,4 +41,4 @@ The Sign Up Page includes robust error handling mechanisms to ensure that users
Several features of the Sign Up Page enhance performance and user experience:
- **Optimized Loading**: The page is designed to load quickly, allowing users to start entering their information without waiting for all elements to load.
- **Responsive Design**: The form is fully responsive, adapting to different screen sizes and devices. This ensures that users can easily register on desktops, tablets, and mobile devices.
- **Form Persistence**: If users accidentally navigate away from the page, their entered information is temporarily saved, preventing data loss and enhancing the user experience by reducing the need to re-enter information.
- **Form Persistence**: If users accidentally navigate away from the page, their entered information is temporarily saved, preventing data loss and enhancing the user experience by reducing the need to re-enter information.
2 changes: 1 addition & 1 deletion website/documents/BltStartaBughunt.md
Expand Up @@ -43,4 +43,4 @@ Users interact with this component by filling out a form to start a new bug hunt
- **Responsive Design**: The form is designed to be responsive, ensuring it works well on various devices, including desktops, tablets, and smartphones.
- **Fast Load Time**: The component is optimized for fast load times, ensuring a smooth user experience even on slower internet connections.
- **Client-Side Validation**: Basic form validation is performed on the client side, reducing the need for server round trips and enhancing performance.
- **Efficient File Upload**: The file upload mechanism is efficient, allowing users to drag and drop files or click to upload, with progress indicators for larger files.
- **Efficient File Upload**: The file upload mechanism is efficient, allowing users to drag and drop files or click to upload, with progress indicators for larger files.
2 changes: 1 addition & 1 deletion website/documents/BltStats.md
Expand Up @@ -43,4 +43,4 @@ The component is designed with several features to enhance performance and user
- **Optimized Loading**: The page is optimized to load quickly, allowing users to access the statistics without delay.
- **Responsive Design**: The layout is fully responsive, adapting to different screen sizes and devices to ensure a consistent and accessible experience across desktops, tablets, and mobile devices.
- **Efficient Data Retrieval**: Uses efficient data retrieval techniques to fetch and display statistics quickly, minimizing wait times and enhancing user satisfaction.
- **Scalability**: The component is designed to handle a large amount of statistical data, maintaining performance and user experience even with extensive content.
- **Scalability**: The component is designed to handle a large amount of statistical data, maintaining performance and user experience even with extensive content.
2 changes: 1 addition & 1 deletion website/documents/BltTerms.md
Expand Up @@ -91,4 +91,4 @@ You expressly understand and agree that BLT shall not be liable for any direct,

The failure of BLT to exercise or enforce any right or provision of the Terms of Service shall not constitute a waiver of such right or provision. The Terms of Service constitutes the entire agreement between you and BLT and govern your use of the Service, superseding any prior agreements between you and BLT (including, but not limited to, any prior versions of the Terms of Service). You agree that these Terms of Service and Your use of the Service are governed under California law.

Questions about the Terms of Service should be sent to blt-support@owasp.org.
Questions about the Terms of Service should be sent to blt-support@owasp.org.