Skip to content

feat!: Use more-trusted IP in rate-limiting (#241) #30285

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
timmc-edx merged 1 commit into from
Apr 20, 2022
Merged

feat!: Use more-trusted IP in rate-limiting (#241) #30285

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions cms/envs/devstack.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -278,3 +278,7 @@ def should_show_debug_toolbar(request): # lint-amnesty, pylint: disable=missing

# Don't form the return redirect URL with HTTPS on devstack
SOCIAL_AUTH_REDIRECT_IS_HTTPS = False

#################### Network configuration ####################
# Devstack is directly exposed to the caller
CLOSEST_CLIENT_IP_FROM_HEADERS = []
4 changes: 4 additions & 0 deletions cms/envs/test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -348,3 +348,7 @@

############### Settings for proctoring ###############
PROCTORING_USER_OBFUSCATION_KEY = 'test_key'

#################### Network configuration ####################
# Tests are not behind any proxies
CLOSEST_CLIENT_IP_FROM_HEADERS = []
4 changes: 4 additions & 0 deletions lms/envs/devstack.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -446,6 +446,10 @@ def should_show_debug_toolbar(request): # lint-amnesty, pylint: disable=missing
#################### Webpack Configuration Settings ##############################
WEBPACK_LOADER['DEFAULT']['TIMEOUT'] = 5

#################### Network configuration ####################
# Devstack is directly exposed to the caller
CLOSEST_CLIENT_IP_FROM_HEADERS = []

################# New settings must go ABOVE this line #################
########################################################################
# See if the developer has any local overrides.
Expand Down
4 changes: 4 additions & 0 deletions lms/envs/test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -624,3 +624,7 @@
# rate limit for /api/v1/save/course/ api
SAVE_FOR_LATER_IP_RATE_LIMIT = '5/d'
SAVE_FOR_LATER_EMAIL_RATE_LIMIT = '5/m'

#################### Network configuration ####################
# Tests are not behind any proxies
CLOSEST_CLIENT_IP_FROM_HEADERS = []
479 changes: 479 additions & 0 deletions openedx/core/djangoapps/util/ip.py
View file
Open in desktop

Large diffs are not rendered by default.

15 changes: 13 additions & 2 deletions openedx/core/djangoapps/util/ratelimit.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,22 @@
"""
from uuid import uuid4

from ipware.ip import get_client_ip
from openedx.core.djangoapps.util import ip


def real_ip(group, request): # pylint: disable=unused-argument
return get_client_ip(request)[0]
"""
Get a client IP suitable for use in rate-limiting.

To prevent evasion of rate-limiting, use the safest (rightmost) IP in the
external IP chain.

(Intended to be called by ``django-ratelimit``, hence the unused argument.)
"""
if ip.USE_LEGACY_IP.is_enabled():
return ip.get_legacy_ip(request)
else:
return ip.get_safest_client_ip(request)


def request_post_email(group, request) -> str: # pylint: disable=unused-argument
Expand Down
Loading