-
Notifications
You must be signed in to change notification settings - Fork 595
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: Rate limit protection against rapid resets (#4324)
- Loading branch information
1 parent
ece6aa9
commit ebd0599
Showing
6 changed files
with
131 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
66 changes: 66 additions & 0 deletions
66
akka-http-core/src/main/scala/akka/http/impl/engine/http2/framing/RSTFrameLimit.scala
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
/* | ||
* Copyright (C) 2023 Lightbend Inc. <https://www.lightbend.com> | ||
*/ | ||
|
||
package akka.http.impl.engine.http2.framing | ||
|
||
import akka.annotation.InternalApi | ||
import akka.http.impl.engine.http2.{ FrameEvent, Http2Compliance } | ||
import akka.http.impl.engine.http2.FrameEvent.RstStreamFrame | ||
import akka.http.impl.engine.http2.Http2Protocol.ErrorCode | ||
import akka.http.scaladsl.settings.Http2ServerSettings | ||
import akka.stream.{ Attributes, FlowShape, Inlet, Outlet } | ||
import akka.stream.stage.{ GraphStage, GraphStageLogic, InHandler, OutHandler } | ||
|
||
/** | ||
* INTERNAL API | ||
*/ | ||
@InternalApi | ||
private[akka] final class RSTFrameLimit(http2ServerSettings: Http2ServerSettings) extends GraphStage[FlowShape[FrameEvent, FrameEvent]] { | ||
|
||
private val maxResets = http2ServerSettings.maxResets | ||
private val maxResetsIntervalNanos = http2ServerSettings.maxResetsInterval.toNanos | ||
|
||
val in = Inlet[FrameEvent]("in") | ||
val out = Outlet[FrameEvent]("out") | ||
val shape = FlowShape(in, out) | ||
|
||
override def createLogic(inheritedAttributes: Attributes): GraphStageLogic = new GraphStageLogic(shape) with InHandler with OutHandler { | ||
private var rstSeen = false | ||
private var rstCount = 0 | ||
private var rstSpanStartNanos = 0L | ||
|
||
setHandlers(in, out, this) | ||
|
||
override def onPush(): Unit = { | ||
grab(in) match { | ||
case frame: RstStreamFrame => | ||
rstCount += 1 | ||
val now = System.nanoTime() | ||
if (!rstSeen) { | ||
rstSeen = true | ||
rstSpanStartNanos = now | ||
push(out, frame) | ||
} else if ((now - rstSpanStartNanos) <= maxResetsIntervalNanos) { | ||
if (rstCount > maxResets) { | ||
failStage(new Http2Compliance.Http2ProtocolException( | ||
ErrorCode.ENHANCE_YOUR_CALM, | ||
s"Too many RST frames per second for this connection. (Configured limit ${maxResets}/${http2ServerSettings.maxResetsInterval.toCoarsest})")) | ||
} else { | ||
push(out, frame) | ||
} | ||
} else { | ||
// outside time window, reset counter | ||
rstCount = 1 | ||
rstSpanStartNanos = now | ||
push(out, frame) | ||
} | ||
|
||
case frame => | ||
push(out, frame) | ||
} | ||
} | ||
|
||
override def onPull(): Unit = pull(in) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters