Does not work with debugtoolbar #336

jdimmerman · 2022-04-20T17:22:10Z

The latest version does not work with flask_debugtoolbar due to pallets-eco/flask-debugtoolbar#177.

In particular, in manager.py:

def blueprint_limits(self, app: flask.Flask, blueprint: str) -> List[Limit]:
        limits: List[Limit] = []

        blueprint_name = app.blueprints[blueprint].name if blueprint else None

app.blueprints[blueprint] will throw an KeyError if the blueprint name of the request doesn't exist in the set of blueprints for the app.

Of course debugtoolbar should fix their issue, but ideally this codebase would have protection. Something like (I would need to test this)

blueprint_name = app.blueprints[blueprint].name if blueprint and blueprint in app.blueprints else None

The text was updated successfully, but these errors were encountered:

alisaifee · 2022-04-20T21:43:41Z

Thanks for the report and apologies for the regression. Looks like there's a few weird issues here:

current_request.blueprint is pretty naive and simply splits the endpoint by . and returns the first part. I had not expected that so using request.blueprint as a strong indicator that the current request is indeed coming from a blueprint should be fixed (in flask-limiter).
The actual rule in debug toolbar that caused the error is actually a static route which technically should have been exempt from rate limits - but the exemption code naively only checks for endpoint == "static". This has been there for ever - but I think it should probably be endpoint.split(".")[-1] == "static"

I'll do a patch release for 2.3 since master has some other stuff which I want to do a minor version bump for.

request.blueprint can be populated even when an endpoint is not actually part of a blueprint. This is because request.blueprint is simply -> endpoint.split(".")[0] which means endpoints added manually with add_url_rule can hijack an existing blueprint or pretend to be a blueprint. Addresses #336

alisaifee · 2022-04-21T00:11:20Z

This is resolved in 2.3.3

jdimmerman · 2022-04-21T23:17:20Z

Wow you are fast. Thanks @alisaifee!

v3.5.0 ------ Release Date: 2023-08-30 * Feature * Add `meta_limits` to allow for creating upper limits for requesting clients to breach application rate limits. * Bug fix * Ensure on breach callbacks can be configured using flask config v3.4.1 ------ Release Date: 2023-08-26 * Bug fix - Ensure _version.py has stable content when generated using `git archive` from a tag regardless of when it is run. v3.4.0 ------ Release Date: 2023-08-22 * Feature * Add extended configuration for application limits * `application_limits_exempt_when` * `application_limits_deduct_when` * `application_limits_per_method` * Bug fix * Ensure blueprint static routes are exempt v3.3.1 ------ Release Date: 2023-05-03 * Chores * Improve default limits documentation * Update documentation dependencies * Fix typing compatibility errors in headers v3.3.0 ------ Release Date: 2023-02-26 * Bug Fix * Ensure per route limits are preferred (over application limits) when populating rate limiting headers in the case where no rate limit has been breached in the request. v3.2.0 ------ Release Date: 2023-02-15 * Feature * Allow configuring request identity * Chores * Improve linting with ruff * Update development dependencies v3.1.0 ------ Release Date: 2022-12-29 * Feature * Skip logging an error if a decorated limit uses a callable to return the "current" rate limit and returns an empty string. Treat this is a signal that the rate limit should be skipped for this request. v3.0.0 ------ Release Date: 2022-12-28 * Breaking changes * Change order of extension constructor arguments to only require ``key_func`` as the first positional argument and all other arguments as keyword arguments. * Separate positional/keyword arguments in limit/shared_limit decorators * Remove deprecated config variable RATELIMIT_STORAGE_URL * Remove legacy backward compatibility path for flask < 2 * Features * Allow scoping regular limit decorators / context managers v3.0.0b2 -------- Release Date: 2022-12-28 * Breaking changes * Remove deprecated config variable RATELIMIT_STORAGE_URL * Remove legacy backward compatibility path for flask < 2 * Enforce key_func as a required argument * Chores * Simplify registration of decorated function & blueprint limits v3.0.0b1 -------- Release Date: 2022-12-26 * Breaking changes * Change order of extension constructor arguments to only require ``key_func`` as the first positional argument and all other arguments as keyword arguments. * Separate positional/keyword arguments in limit/shared_limit decorators * Features * Allow scoping regular limit decorators / context managers v2.9.2 ------ Release Date: 2022-12-26 * Feature * Extend customization by http method to shared_limit decorator v2.9.1 ------ Release Date: 2022-12-26 * Chores * Update documentation quick start * Refresh documentation for class based views v2.9.0 ------ Release Date: 2022-12-24 * Features * Allow using `limit` & `shared_limit` decorators on pure functions that are not decorated as routes. The functions when called from within a request context will get rate limited. * Allow using `limit` as a context manager to rate limit a code block explicitly within a request * Chores * Updated development dependencies * Fix error running tests depending on docker locally * Update internals to use dataclasses v2.8.1 ------ Release Date: 2022-11-15 * Chores * Add sponsorship banner to rtd * Update documentation dependencies v2.8.0 ------ Release Date: 2022-11-13 * Breaking changes * Any exception raised when calling an ``on_breach`` callback will be re-raised instead of being absorbed unless ``swallow_errors`` is set. In the case of ``swallow_errors`` the exception will now be logged at ``ERROR`` level instead of ``WARN`` * Reduce log level of rate limit exceeded log messages to ``INFO`` v2.7.0 ------ Release Date: 2022-10-25 * Bug Fix * Add default value for RateLimitExceeded optional parameter * Fix suppression of errors when using conditional deduction (`Issue 363 <https://github.com/alisaifee/flask-limiter/issues/363>`_) v2.6.3 ------ Release Date: 2022-09-22 * Compatibility * Ensure typing_extensions dependency has a minimum version * Chores * Documentation tweaks * Update CI to use 3.11 rc2 v2.6.2 ------ Release Date: 2022-08-24 * Chores * Improve quick start documentation v2.6.1 ------ Release Date: 2022-08-23 * Usability * Emit warning when in memory storage is used as a default when no storage uri is provided v2.6.0 ------ Release Date: 2022-08-11 * Feature * Expand use of ``on_breach`` callback to return a ``Response`` object that will be used as the error response on rate limits being exceeded v2.5.1 ------ Release Date: 2022-08-05 * Compatibility * Migrate use of `flask._request_ctx_stack` to `flask.globals.request_ctx` to support Flask 2.2+ * Chores * Expand CI matrix to test against Flask 2.0,2.1 & 2.2 * Make tests compatible with Flask 2.2.+ v2.5.0 ------ Release Date: 2022-07-07 * Features * Ensure multiple extension instances registered on a single application exercise before/after request hooks * Chores * Improve documentation v2.4.6 ------ Release Date: 2022-06-06 * Chore * Add python 3.11 to CI matrix v2.4.5.1 -------- Release Date: 2022-04-22 * Chore * Automate github releases v2.4.5 ------ Release Date: 2022-04-21 * Chore * Automate github releases v2.4.4 ------ Release Date: 2022-04-21 * Chore * Automate github releases v2.4.3 ------ Release Date: 2022-04-21 * Chore * Second attempt to generate release notes v2.4.2 ------ Release Date: 2022-04-21 * Chore * Test for automating github release notes v2.4.1 ------ Release Date: 2022-04-21 * Chore * Automate github releases v2.4.0 ------ Release Date: 2022-04-20 * Feature * Add CLI for inspecting & clearing rate limits * Bug Fix * Ensure exempt decorator can be used with flags for view functions * Chores * Refactor rate limit resolution to limit manager v2.3.3 ------ Release Date: 2022-04-20 * Bug Fix * Ensure `request.blueprint` is actually registered on the current app before using it for blueprint limits or exemptions. (`Issue 336 <https://github.com/alisaifee/flask-limiter/issues/336>`_) v2.3.2 ------ Release Date: 2022-04-17 * Feature * Extend cost parameter to default & application limits * Chore * Improve type strictness / checking * Improve documentation on landing page v2.3.1 ------ Release Date: 2022-04-14 * Bug Fixes * Add missing extras requirements for installation * Add py.typed for PEP 561 compliance v2.3.0 ------ Release Date: 2022-04-11 * Features * Expose option to register a callback for rate limit breaches of default limits via the :paramref:`~flask_limiter.Limiter.on_breach` constructor parameter * Replace use of `flask.g` with request context for keeping track of extension state (:issue:`327`) * Rework implementation of :meth:`~flask_limiter.Limiter.exempt` to accomodate nested blueprints. (:issue:`326`) * Chores * Add python 3.11 to CI * Extract management and filtering of limits to LimitManager * Improve correctness of resolving inherited limits & extensions when working with Blueprints (especially nested ones) v2.2.0 ------ Release Date: 2022-03-05 * Feature * Allow a function to be used for the ``cost`` parameter to limiter decorators. v2.1.3 ------ Release Date: 2022-01-30 * Chore * Update documentation theme v2.1 ---- Release Date: 2022-01-15 * Feature * Add ``current_limit`` attribute to extension to allow clients to fetch the relevant current limit that was evaluated. * Update extension constructor parameters to match flask config for header control * Add ``on_breach`` callback for ``limit`` and ``shared_limit`` decorators to be used as hooks for when a limit is breached * Add ``cost`` argument to ``limit`` and ``shared_limit`` to control how much is deducted when a hit occurs. * Chore * Improve documentation around configuration * Deprecation * Remove hacks for managing incorrectly ordered limit/route decorators v2.0.4 ------ Release Date: 2021-12-22 * Chore * Documentation theme upgrades * Integrate pytest-docker plugin * Mass linting * Deprecation * Removed deprecated RATELIMIT_GLOBAL config * Added deprecation doc for RATELIMIT_STORAGE_URL config v2.0.3 ------ Release Date: 2021-12-15 Documentation & test tweaks v2.0.2 ------ Release Date: 2021-11-28 * Features * Pin Flask, limits to >= 2 * Add type hints v2.0.1 ------ Release Date: 2021-11-28 * Deprecations * Remove deprecated get_ipaddr method * Remove use of six * Remove backward compatibility hacks for RateLimit exceptions v2.0.0 ------ Release Date: 2021-11-27 Drop support for python < 3.7 & Flask < 2.0 v1.5 ---- Release Date: 2021-11-27 Final Release for python < 3.7 * Features * Prepend ``key_prefix`` to extension variables attached to ``g`` * Expose ``g.view_limits`` v1.4 ---- Release Date: 2020-08-25 * Bug Fix * Always set headers for conditional limits * Skip init_app sequence when the rate limiter is disabled v1.3.1 ------ Release Date: 2020-05-21 * Bug Fix * Ensure headers provided explictely by setting `_header_mapping` take precedence over configuration values. v1.3 ---- Release Date: 2020-05-20 * Features * Add new ``deduct_when`` argument that accepts a function to decorated limits to conditionally perform depletion of a rate limit (`Pull Request 248 <https://github.com/alisaifee/flask-limiter/pull/248>`_) * Add new ``default_limits_deduct_when`` argument to Limiter constructor to conditionally perform depletion of default rate limits * Add ``default_limits_exempt_when`` argument that accepts a function to allow skipping the default limits in the ``before_request`` phase * Bug Fix * Fix handling of storage failures during ``after_request`` phase. * Code Quality * Use github-actions instead of travis for CI * Use pytest instaad of nosetests * Add docker configuration for test dependencies * Increase code coverage to 100% * Ensure pyflake8 compliance v1.2.1 ------ Release Date: 2020-02-26 * Bug fix * Syntax error in version 1.2.0 when application limits are provided through configuration file (`Issue 241 <https://github.com/alisaifee/flask-limiter/issues/241>`_) v1.2.0 ------ Release Date: 2020-02-25 * Add `override_defaults` argument to decorated limits to allow combinined defaults with decorated limits. * Add configuration parameter RATELIMIT_DEFAULTS_PER_METHOD to control whether defaults are applied per method. * Add support for in memory fallback without override (`Pull Request 236 <https://github.com/alisaifee/flask-limiter/pull/236>`_) * Bug fix * Ensure defaults are enforced when decorated limits are skipped (`Issue 238 <https://github.com/alisaifee/flask-limiter/issues/238>`_) v1.1.0 ------ Release Date: 2019-10-02 * Provide Rate limit information with Exception (`Pull Request 202 <https://github.com/alisaifee/flask-limiter/pull/202>`_) * Respect existing Retry-After header values (`Pull Request 143 <https://github.com/alisaifee/flask-limiter/pull/143>`_) * Documentation improvements

alisaifee added a commit that referenced this issue Apr 20, 2022

Add test case to demonstrate issue #336

fa68c33

alisaifee added the bug label Apr 20, 2022

alisaifee self-assigned this Apr 20, 2022

alisaifee closed this as completed Apr 21, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Does not work with debugtoolbar #336

Does not work with debugtoolbar #336

jdimmerman commented Apr 20, 2022 •

edited

Loading

alisaifee commented Apr 20, 2022

alisaifee commented Apr 21, 2022

jdimmerman commented Apr 21, 2022

Does not work with debugtoolbar #336

Does not work with debugtoolbar #336

Comments

jdimmerman commented Apr 20, 2022 • edited Loading

alisaifee commented Apr 20, 2022

alisaifee commented Apr 21, 2022

jdimmerman commented Apr 21, 2022

jdimmerman commented Apr 20, 2022 •

edited

Loading