import/export: always rate limit import and exports

This is a departure from previous versions, which did not limit import/export requests. Now such requests are ALWAYS rate limited. The default is 10 requests per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3. Administrators can tune the parameters via settings.importExportRateLimiting.
ether · Apr 4, 2020 · 56ece63 · 56ece63
1 parent 0d70b67
commit 56ece63
Show file tree

Hide file tree

Showing 6 changed files with 69 additions and 0 deletions.
diff --git a/settings.json.docker b/settings.json.docker
@@ -404,6 +404,23 @@
  "indentationOnNewLine": false,
  */
 
+ /*
+ * From Etherpad 1.8.3 onwards, import and export of pads is always rate
+ * limited.
+ *
+ * The default is to allow at most 10 requests per IP in a 90 seconds window.
+ * After that the import/export request is rejected.
+ *
+ * See https://github.com/nfriedly/express-rate-limit for more options
+ */
+ "importExportRateLimiting": {
+ // duration of the rate limit window (milliseconds)
+ "windowMs": 90000,
+
+ // maximum number of requests per IP to allow during the rate limit window
+ "max": 10
+ },
+
  /*
  * If true, importing to a pad is allowed only if an author has a session
  * estabilished and has already contributed to that specific pad.

diff --git a/settings.json.template b/settings.json.template
@@ -409,6 +409,23 @@
  "indentationOnNewLine": false,
  */
 
+ /*
+ * From Etherpad 1.8.3 onwards, import and export of pads is always rate
+ * limited.
+ *
+ * The default is to allow at most 10 requests per IP in a 90 seconds window.
+ * After that the import/export request is rejected.
+ *
+ * See https://github.com/nfriedly/express-rate-limit for more options
+ */
+ "importExportRateLimiting": {
+ // duration of the rate limit window (milliseconds)
+ "windowMs": 90000,
+
+ // maximum number of requests per IP to allow during the rate limit window
+ "max": 10
+ },
+
  /*
  * If true, importing to a pad is allowed only if an author has a session
  * estabilished and has already contributed to that specific pad.

diff --git a/src/node/hooks/express/importexport.js b/src/node/hooks/express/importexport.js
@@ -4,10 +4,21 @@ var exportHandler = require('../../handler/ExportHandler');
 var importHandler = require('../../handler/ImportHandler');
 var padManager = require("../../db/PadManager");
 var authorManager = require("../../db/AuthorManager");
+const rateLimit = require("express-rate-limit");
+
+settings.importExportRateLimiting.onLimitReached = function(req, res, options) {
+ // when the rate limiter triggers, write a warning in the logs
+ const ip = req.headers["x-forwarded-for"] || req.connection.remoteAddress;
+
+ console.warn(`Rate limiter triggered for IP address ${ip}`);
+}
+
+var limiter = rateLimit(settings.importExportRateLimiting);
 
 exports.expressCreateServer = function (hook_name, args, cb) {
 
  // handle export requests
+ args.app.use('/p/:pad/:rev?/export/:type', limiter);
  args.app.get('/p/:pad/:rev?/export/:type', async function(req, res, next) {
  var types = ["pdf", "doc", "txt", "html", "odt", "etherpad"];
  //send a 404 if we don't support this filetype
@@ -40,6 +51,7 @@ exports.expressCreateServer = function (hook_name, args, cb) {
  });
 
  // handle import requests
+ args.app.use('/p/:pad/import', limiter);
  args.app.post('/p/:pad/import', async function(req, res, next) {
  if (await hasPadAccess(req, res)) {
  let exists = await padManager.doesPadExists(req.params.pad);

diff --git a/src/node/utils/Settings.js b/src/node/utils/Settings.js
@@ -298,6 +298,23 @@ exports.scrollWhenFocusLineIsOutOfViewport = {
  */
 exports.exposeVersion = false;
 
+/*
+ * From Etherpad 1.8.3 onwards, import and export of pads is always rate
+ * limited.
+ *
+ * The default is to allow at most 10 requests per IP in a 90 seconds window.
+ * After that the import/export request is rejected.
+ *
+ * See https://github.com/nfriedly/express-rate-limit for more options
+ */
+exports.importExportRateLimiting = {
+ // duration of the rate limit window (milliseconds)
+ "windowMs": 90000,
+
+ // maximum number of requests per IP to allow during the rate limit window
+ "max": 10
+};
+
 /*
  * If true, importing to a pad is allowed only if an author has a session
  * estabilished and has already contributed to that specific pad.

diff --git a/src/package-lock.json b/src/package-lock.json
diff --git a/src/package.json b/src/package.json
@@ -40,6 +40,7 @@
  "etherpad-require-kernel": "1.0.9",
  "etherpad-yajsml": "0.0.2",
  "express": "4.17.1",
+ "express-rate-limit": "5.1.1",
  "express-session": "1.17.0",
  "find-root": "1.1.0",
  "formidable": "1.2.1",