Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BED-5301/5298: PenTest Result: Internal IP Address Disclosure AND Rate limit Bypass #1163

Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

BED-5301/5298: PenTest Result: Internal IP Address Disclosure AND Rate limit Bypass #1163

wants to merge 11 commits into from
+122 −124

Conversation

ALCooper12
Copy link
Contributor

@ALCooper12 ALCooper12 commented Feb 21, 2025
edited
Loading

Description

  • Replaced the tollbooth library/module with https://github.com/ulule/limiter in order to implement our current rate limiting middleware logic
  • I also implemented a new middleware specifically for the /api/v2/login endpoint in order to address part of the requirements for BED-5300

Motivation and Context

This PR addresses:

  • BED-5301
  • BED-5298
  • A little bit of BED-5300

Why is this change required? What problem does it solve?

  • This enables BHCE to follow stronger security practices, mitigate risks, and contribute to an overall improved security posture

How Has This Been Tested?

  • Local testing within the UI and terminal

Screenshots (optional):

UI
Screenshot 2025-02-27 at 3 44 11 PM

Terminal
Screenshot 2025-02-21 at 2 40 26 PM

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

@ALCooper12
Added the ulule/limiter library(module) to replace tollbooth for impl…
9b940bc 
…ementing our current rate limiting middleware logic
@ALCooper12 ALCooper12 added the bug Something isn't working label Feb 21, 2025
@ALCooper12 ALCooper12 self-assigned this Feb 21, 2025
@ALCooper12 ALCooper12 added the work in progress This pull request is a work in progress and should not be merged label Feb 21, 2025
@ALCooper12 ALCooper12 removed the work in progress This pull request is a work in progress and should not be merged label Feb 25, 2025
ddlees
ddlees reviewed Feb 28, 2025
View reviewed changes
cmd/api/src/config/config.go
@@ -166,6 +166,7 @@ type Configuration struct {
FedRAMPEULAText string `json:"fedramp_eula_text"` // Enterprise only
EnableTextLogger bool `json:"enable_text_logger"`
RecreateDefaultAdmin bool `json:"recreate_default_admin"`
TrustedProxies int `json:"trusted_proxies"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need this configuration value and can assume only 1 reverse proxy for the majority of cases. Otherwise, we might consider defaulting to 1 instead because coordinating configuration changes for production deployments is painful.

ddlees
ddlees requested changes Feb 28, 2025
View reviewed changes
Copy link
Contributor

@ddlees ddlees left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly good but we need to revise IP selection a bit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@superlinkx superlinkx superlinkx left review comments

@ddlees ddlees ddlees requested changes

@computator computator Awaiting requested review from computator

Requested changes must be addressed to merge this pull request.

Assignees

@ALCooper12 ALCooper12

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ALCooper12 @superlinkx @computator @ddlees