Add request throttling (#1108)

gitcoinco · Feb 23, 2020 · a8ac567 · a8ac567
1 parent f4ddaa8
commit a8ac567
Show file tree

Hide file tree

Showing 3 changed files with 96 additions and 0 deletions.
diff --git a/app/lib/property_id_extractor.rb b/app/lib/property_id_extractor.rb
@@ -0,0 +1,13 @@
+module PropertyIdExtractor
+  def self.extract_property_id(path)
+    if /\/funder/.match?(path)
+      path.scan(/(?<=\/properties\/)[0-9a-z-]+(?=\/funder.*)/i).first
+    elsif /\/embed/.match?(path)
+      path.scan(/(?<=\/scripts\/)[0-9a-z-]+(?=\/embed.*)/i).first
+    elsif /\/t\/s\//.match?(path)
+      path.scan(/(?<=\/t\/s\/)[0-9a-z-]+(?=\/details.*)/i).first
+    elsif /\/api\/v1\/impression\//.match?(path)
+      path.scan(/(?<=\/api\/v1\/impression\/)[0-9a-z-]+(?=\/|\?|\z)/i).first
+    end
+  end
+end
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -2,10 +2,12 @@
   164.163.204.112
 ]
 
+# Block known bad actors
 bad_actor_ip_addresses.each do |ip_address|
   Rack::Attack.blocklist_ip ip_address
 end
 
+# Block IPs that attempt SQL injection
 Rack::Attack.blocklist("sql-injection") do |request|
   Rack::Attack::Fail2Ban.filter("sql-injection-#{request.ip}", maxretry: 1, findtime: 1.hour, bantime: 1.day) do
     path = CGI.unescape(request.path).downcase
@@ -16,3 +18,15 @@
       (path.include?("select") && path.include?("from"))
   end
 end
+
+if Rails.env.production?
+  # Throttle all IPs to 20 requests/minute
+  Rack::Attack.throttle("requests by ip", limit: 20, period: 1.minute.to_i) do |request|
+    request.ip
+  end
+
+  # Throttle ads per property to 120/minute i.e. max of 172,800/day
+  Rack::Attack.throttle("limit logins per email", limit: 120, period: 1.minute.to_i) do |req|
+    PropertyIdExtractor.extract_property_id req.path
+  end
+end
diff --git a/test/lib/property_id_extractor_test.rb b/test/lib/property_id_extractor_test.rb
@@ -0,0 +1,69 @@
+require "test_helper"
+
+class PropertyIdExtractorTest < ActiveSupport::TestCase
+  test "/properties/:property_id/funder.js integer" do
+    property_id = rand(9999)
+    path = "/properties/#{property_id}/funder.js"
+    assert PropertyIdExtractor.extract_property_id(path) == property_id.to_s
+  end
+
+  test "/properties/:property_id/funder.js integer with querystring" do
+    property_id = rand(9999)
+    path = "/properties/#{property_id}/funder.js?template=default&theme=unstyled"
+    assert PropertyIdExtractor.extract_property_id(path) == property_id.to_s
+  end
+
+  test "/properties/:property_id/funder.js legacy_id" do
+    legacy_id = SecureRandom.uuid
+    path = "/properties/#{legacy_id}/funder.js"
+    assert PropertyIdExtractor.extract_property_id(path) == legacy_id
+  end
+
+  test "/properties/:property_id/funder.json integer" do
+    property_id = rand(9999)
+    path = "/properties/#{property_id}/funder.json"
+    assert PropertyIdExtractor.extract_property_id(path) == property_id.to_s
+  end
+
+  test "/properties/:property_id/funder.html integer" do
+    property_id = rand(9999)
+    path = "/properties/#{property_id}/funder.html"
+    assert PropertyIdExtractor.extract_property_id(path) == property_id.to_s
+  end
+
+  test "/scripts/:legacy_id/embed.js" do
+    legacy_id = SecureRandom.uuid
+    path = "/scripts/#{legacy_id}/embed.js"
+    assert PropertyIdExtractor.extract_property_id(path) == legacy_id
+  end
+
+  test "/scripts/:legacy_id/embed.js with querystring" do
+    legacy_id = SecureRandom.uuid
+    path = "/scripts/#{legacy_id}/embed.js?template=bottom-bar"
+    assert PropertyIdExtractor.extract_property_id(path) == legacy_id
+  end
+
+  test "/t/s/:legacy_id/details" do
+    legacy_id = SecureRandom.uuid
+    path = "/t/s/#{legacy_id}/details"
+    assert PropertyIdExtractor.extract_property_id(path) == legacy_id
+  end
+
+  test "/t/s/:legacy_id/details with querystring" do
+    legacy_id = SecureRandom.uuid
+    path = "/t/s/#{legacy_id}/details?template=square&theme=dark"
+    assert PropertyIdExtractor.extract_property_id(path) == legacy_id
+  end
+
+  test "/api/v1/impression/:legacy_id" do
+    legacy_id = SecureRandom.uuid
+    path = "/api/v1/impression/#{legacy_id}"
+    assert PropertyIdExtractor.extract_property_id(path) == legacy_id
+  end
+
+  test "/api/v1/impression/:legacy_id with querystring?template=text" do
+    legacy_id = SecureRandom.uuid
+    path = "/api/v1/impression/#{legacy_id}"
+    assert PropertyIdExtractor.extract_property_id(path) == legacy_id
+  end
+end