From 5a290d8ec67a459f2eed65201725d902bd34fc43 Mon Sep 17 00:00:00 2001 From: Daniel Date: Thu, 26 Jan 2023 00:35:39 +1100 Subject: [PATCH] fix: Rate limiter may reject requests that contain a session token (#8399) --- spec/RateLimit.spec.js | 21 +++++++++++++++++++++ src/middlewares.js | 17 +++++++++++++---- 2 files changed, 34 insertions(+), 4 deletions(-) diff --git a/spec/RateLimit.spec.js b/spec/RateLimit.spec.js index 60aff61381..10bc127719 100644 --- a/spec/RateLimit.spec.js +++ b/spec/RateLimit.spec.js @@ -19,6 +19,27 @@ describe('rate limit', () => { ); }); + it('can limit cloud functions with user session token', async () => { + await Parse.User.signUp('myUser', 'password'); + Parse.Cloud.define('test', () => 'Abc'); + await reconfigureServer({ + rateLimit: [ + { + requestPath: '/functions/*', + requestTimeWindow: 10000, + requestCount: 1, + errorResponseMessage: 'Too many requests', + includeInternalRequests: true, + }, + ], + }); + const response1 = await Parse.Cloud.run('test'); + expect(response1).toBe('Abc'); + await expectAsync(Parse.Cloud.run('test')).toBeRejectedWith( + new Parse.Error(Parse.Error.CONNECTION_FAILED, 'Too many requests') + ); + }); + it('can add global limit', async () => { Parse.Cloud.define('test', () => 'Abc'); await reconfigureServer({ diff --git a/src/middlewares.js b/src/middlewares.js index 46c4a32a43..788c9a3f62 100644 --- a/src/middlewares.js +++ b/src/middlewares.js @@ -276,7 +276,13 @@ const handleRateLimit = async (req, res, next) => { if (pathExp.test(req.url)) { await limit.handler(req, res, err => { if (err) { - throw err; + if (err.code === Parse.Error.CONNECTION_FAILED) { + throw err; + } + req.config.loggerController.error( + 'An unknown error occured when attempting to apply the rate limiter: ', + err + ); } }); } @@ -284,7 +290,7 @@ const handleRateLimit = async (req, res, next) => { ); } catch (error) { res.status(429); - res.json({ code: Parse.Error.CONNECTION_FAILED, error }); + res.json({ code: Parse.Error.CONNECTION_FAILED, error: error.message }); return; } next(); @@ -477,7 +483,10 @@ export const addRateLimit = (route, config) => { max: route.requestCount, message: route.errorResponseMessage || RateLimitOptions.errorResponseMessage.default, handler: (request, response, next, options) => { - throw options.message; + throw { + code: Parse.Error.CONNECTION_FAILED, + message: options.message, + }; }, skip: request => { if (request.ip === '127.0.0.1' && !route.includeInternalRequests) { @@ -498,7 +507,7 @@ export const addRateLimit = (route, config) => { } } } - return request.auth.isMaster; + return request.auth?.isMaster; }, keyGenerator: request => { return request.config.ip;