From e511b02de5e3a4cea608418998878a3937e4bb87 Mon Sep 17 00:00:00 2001
From: KMY
Date: Sun, 2 Jun 2024 11:18:01 +0900
Subject: [PATCH 1/2] =?UTF-8?q?Fix:=20=E7=B5=B5=E6=96=87=E5=AD=97=E3=83=AA?= =?UTF-8?q?=E3=82=A2=E3=82=AF=E3=82=B7=E3=83=A7=E3=83=B3=E3=81=AB=E5=8E=B3?= =?UTF-8?q?=E3=81=97=E3=81=84=E3=83=AC=E3=83=BC=E3=83=88=E3=83=AA=E3=83=9F?= =?UTF-8?q?=E3=83=83=E3=83=88=E3=81=8C=E9=81=A9=E7=94=A8=E3=81=95=E3=82=8C?= =?UTF-8?q?=E3=82=8B=E5=95=8F=E9=A1=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 config/initializers/rack_attack.rb | 4 +-
 spec/config/initializers/rack_attack_spec.rb | 46 +++++++++++++++++++-
 2 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 6d8284e2b4..11d99cf89b 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -141,8 +141,10 @@ class Rack::Attack
 req.session[:attempt_user_id] || req.params.dig('user', 'email').presence if req.post? && req.path_matches?('/auth/sign_in')
 end
 
+ API_CREATE_EMOJI_REACTION_REGEX = %r{\A/api/v1/statuses/\d+/emoji_reactions}
+
 throttle('throttle_password_change/account', limit: 10, period: 10.minutes) do |req|
- req.warden_user_id if req.put? || (req.patch? && req.path_matches?('/auth'))
+ req.warden_user_id if (req.put? && !req.path.match?(API_CREATE_EMOJI_REACTION_REGEX)) || (req.patch? && req.path_matches?('/auth'))
 end
 
 self.throttled_responder = lambda do |request|
diff --git a/spec/config/initializers/rack_attack_spec.rb b/spec/config/initializers/rack_attack_spec.rb
index 78c4bf03a5..cf8ba4fe35 100644
--- a/spec/config/initializers/rack_attack_spec.rb
+++ b/spec/config/initializers/rack_attack_spec.rb
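Review bot: The new condition in the `throttle('throttle_password_change/account', …)` block still keys every other PUT a signed-in user makes, so the commit only denylists one path from a 10-per-10-minutes limit whose name says it is for password changes, and each further API PUT that trips it will need another constant. If the intent is to limit only password changes, scoping both verbs to the auth path removes the whole class of problem, `req.warden_user_id if (req.put? || req.patch?) && req.path_matches?('/auth')`; if other PUT routes are meant to stay under this limit, a comment above `API_CREATE_EMOJI_REACTION_REGEX` stating that would keep the next reader from undoing it. Separately, the regex stops at `emoji_reactions` with no terminator, so any sibling route whose path begins with that segment would be exempted as well; `%r{\A/api/v1/statuses/\d+/emoji_reactions(?:/|\z)}` pins it to the intended resource. The constant lives inside the reopened `Rack::Attack` class, whose header is outside the hunk.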
@@ -7,7 +7,7 @@ describe Rack::Attack, type: :request do
 Rails.application
 end
 
- shared_examples 'throttled endpoint' do
+ shared_context 'with throttled endpoint base' do
 before do
 # Rack::Attack periods are not rolling, so avoid flaky tests by setting the time in a way
 # to avoid crossing period boundaries.
@@ -18,6 +18,10 @@ describe Rack::Attack, type: :request do
 travel_to Time.zone.at((Time.now.to_i / period.seconds).to_i * period.seconds)
 end
+ end
+
+ shared_examples 'throttled endpoint' do
+ include_examples 'with throttled endpoint base'
 
 context 'when the number of requests is lower than the limit' do
 it 'does not change the request status' do
@@ -43,6 +47,28 @@ describe Rack::Attack, type: :request do
 end
 end
 
+ shared_examples 'does not throttle endpoint' do
+ include_examples 'with throttled endpoint base'
+
+ context 'when the number of requests is lower than the limit' do
+ it 'does not change the request status' do
+ limit.times do
+ request.call
+ expect(response).to_not have_http_status(429)
+ end
+ end
+ end
+
+ context 'when the number of requests is higher than the limit' do
+ it 'returns http too many requests after limit and returns to normal status after period' do
+ (limit * 2).times do |_i|
+ request.call
+ expect(response).to_not have_http_status(429)
+ end
+ end
+ end
+ end
+
 let(:remote_ip) { '1.2.3.5' }
 
 describe 'throttle excessive sign-up requests by IP address' do
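Review bot: `include_examples 'with throttled endpoint base'` pulls in a group that the previous hunk now declares with `shared_context`, and the same pairing is repeated in the `'does not throttle endpoint'` group of the following hunk. RSpec treats `shared_context`/`shared_examples` and `include_context`/`include_examples` as aliases, so this works, but the mismatched verbs read as if examples were being included where only `before` setup is; `include_context 'with throttled endpoint base'` in both places says what is actually happening. The enclosing `shared_examples 'throttled endpoint'` block starts in this hunk and ends outside it.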
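Review bot: In the new `'does not throttle endpoint'` group the second example is named `'returns http too many requests after limit and returns to normal status after period'` but asserts the opposite, that none of the `limit * 2` requests gets a 429, so a failure would be reported under a behaviour the spec never checks; `it 'does not return http too many requests even after the limit'` matches the assertion. The `|_i|` block parameter on `(limit * 2).times` is unused and can be dropped. The `'lower than the limit'` context asserts a subset of what the second context already covers; keeping it is harmless, but a short comment saying it deliberately mirrors the shape of `'throttled endpoint'` would stop the next reader from deduplicating it.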
@@ -145,4 +171,22 @@ describe Rack::Attack, type: :request do
 
 it_behaves_like 'throttled endpoint'
 end
+
+ describe 'throttle excessive emoji reaction requests by account' do
+ let(:user) { Fabricate(:user, email: 'user@host.example') }
+ let(:limit) { 10 }
+ let(:period) { 10.minutes }
+ let(:request) { -> { put path, headers: { 'REMOTE_ADDR' => remote_ip } } }
+ let(:status) { Fabricate(:status) }
+ let(:emoji) { Fabricate(:custom_emoji) }
+ let(:path) { "/api/v1/statuses/#{status.id}/emoji_reactions/#{emoji.shortcode}" }
+
+ before do
+ sign_in user, scope: :user
+
+ get '/'
+ end
+
+ it_behaves_like 'does not throttle endpoint'
+ end
 end

From 75d7e4fbddb4870df39f6698783a5fcf8a61fdbb Mon Sep 17 00:00:00 2001
From: KMY
Date: Sun, 2 Jun 2024 11:21:40 +0900
Subject: [PATCH 2/2] Bump version to 5.20 LTS

---
 lib/mastodon/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb
index 4071ff3e81..9028ba8d47 100644
--- a/lib/mastodon/version.rb
+++ b/lib/mastodon/version.rb
@@ -9,7 +9,7 @@ module Mastodon
 end
 
 def kmyblue_minor
- 19
+ 20
 end
 
 def kmyblue_flag
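Review bot: The new `describe 'throttle excessive emoji reaction requests by account'` only shows that the exempted path is not limited; nothing in this change sends a PUT from the same signed-in account to a path outside `API_CREATE_EMOJI_REACTION_REGEX` and expects `'throttled endpoint'`, which is the regression a later loosening of the regex would introduce. Unless the describe cut off above this hunk already covers a PUT, a sibling group with the same `let`s, a non-matching `path` and `it_behaves_like 'throttled endpoint'` would pin both sides of the carve-out. The bare `get '/'` in the `before` block has no stated purpose; a one-line comment on why a GET precedes the PUTs (presumably to establish the session the throttle keys on — confirm) would help the next reader.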