Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CORS Proxy] Rate-limits IPv6 requests based on /64 subnets, not specific addresses #1923

Merged
merged 5 commits into from
Oct 23, 2024
Merged

[CORS Proxy] Rate-limits IPv6 requests based on /64 subnets, not specific addresses #1923

merged 5 commits into from
Oct 23, 2024

Conversation

adamziel
Copy link
Collaborator

@adamziel adamziel commented Oct 17, 2024
edited
Loading

Rate-limits the CORS proxy requests based on the first 64 bits of an IPv6 address, not all 128 bits. This prevents a person with an entire /64 subnet from exhausting the storage or getting more than their fair share of the tokens. This only applies to IPv6. For IPv4 addresses, all 64 bits are still considered.

Implementation

Converts a string-based IP address into a binary string, then zeros the first 64 bits in that string and re-encodes it as a human-readable IP string.

Testing instructions

  • Deploy and attack the proxy :-)
  • Run the unit tests
php ./packages/playground/website-deployment/tests.php

cc @brandonpayton for reviews

@adamziel
[CORS Proxy] Rate-limit entire /64 subnets instead of specific addres…
d01ea6f 
…ses.

This prevents a person with an entire /64 subnet from
exhausting the storage or getting more than their fair
share of the tokens.

 ## Implementation

Converts a string-based IP address into a binary string,
then zeros the first 64 bits in that string and re-encodes
it as a human-readable IP string.

 ## Testing instructions

Run unit tests

```php
php ./packages/playground/website-deployment/tests.php
```

cc @brandonpayton for reviews
@adamziel adamziel added the [Type] Enhancement New feature or request label Oct 17, 2024
@adamziel adamziel changed the title [CORS Proxy] Rate-limit entire /64 subnets instead of specific addresses [CORS Proxy] Rate-limits based on the /64 IPv6 subnet, not specific addresses Oct 17, 2024
@adamziel adamziel changed the title [CORS Proxy] Rate-limits based on the /64 IPv6 subnet, not specific addresses [CORS Proxy] Rate-limits IPv6 requests based on /64 subnets, not specific addresses Oct 17, 2024
brandonpayton
brandonpayton approved these changes Oct 23, 2024
View reviewed changes
Copy link
Member

@brandonpayton brandonpayton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made a few very small changes. The code looks good to me. I tested this locally with the IPv6 loopback address but not with another IPv6 block. The database entry in the rate-limiting table looked fine.

This should be good enough for now. Please feel free to merge and deploy this. I'm waiting because it is late here, and I don't want to deploy something without being around to revert if needed.

@brandonpayton
Copy link
Member

Thank you, @adamziel!

@brandonpayton brandonpayton merged commit aca298e into trunk Oct 23, 2024
9 checks passed
@brandonpayton brandonpayton deleted the group-ips-for-rate-limiting branch October 23, 2024 15:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brandonpayton brandonpayton brandonpayton approved these changes

Assignees
No one assigned
Labels
[Type] Enhancement New feature or request
Projects
Playground Board
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@adamziel @brandonpayton