From 0be5c06497b69812a971120593c0d9ac6e03ad64 Mon Sep 17 00:00:00 2001
From: Lennart kats
Date: Fri, 15 Apr 2016 14:39:48 +0000
Subject: [PATCH 1/3] Rate limit preview per username

---
 plugins/c9.preview/preview.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/plugins/c9.preview/preview.js b/plugins/c9.preview/preview.js
index 0f2c1a98..0169266c 100644
--- a/plugins/c9.preview/preview.js
+++ b/plugins/c9.preview/preview.js
@@ -20,7 +20,7 @@ define(function(require, exports, module) {
     var handler = imports["preview.handler"];
     var userContent = imports["user-content.redirect"];
     var getVfsServers = imports["vfs.serverlist"].getServers;
-    
+    var ratelimit = require("c9/ratelimit");
     var frontdoor = require("frontdoor");
     var error = require("http-error");
 
@@ -52,6 +52,7 @@ define(function(require, exports, module) {
         }, [
             requestTimeout(15*60*1000),
             require("./lib/middleware/sanitize-path-param"),
+            ratelimit("username", 10 * 1000, 2000),
             handler.getProjectSession(),
             handler.getRole(db),
             handler.getProxyUrl(function() {

From 0c0f7c4ea254695c3e5ce08f7974dc05e62cce13 Mon Sep 17 00:00:00 2001
From: Lennart kats
Date: Fri, 15 Apr 2016 14:56:30 +0000
Subject: [PATCH 2/3] Block geckolala specifically

---
 plugins/c9.preview/preview.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/plugins/c9.preview/preview.js b/plugins/c9.preview/preview.js
index 0169266c..26722efe 100644
--- a/plugins/c9.preview/preview.js
+++ b/plugins/c9.preview/preview.js
@@ -53,6 +53,11 @@ define(function(require, exports, module) {
             requestTimeout(15*60*1000),
             require("./lib/middleware/sanitize-path-param"),
             ratelimit("username", 10 * 1000, 2000),
+            function(req, res, next) {
+                if (req.params.username === "geckolala")
+                    return next(new error.TooManyRequests("Rate limit exceeded"));
+                next();
+            },
             handler.getProjectSession(),
             handler.getRole(db),
             handler.getProxyUrl(function() {

From 8eecdc65cbc0b2da831c216f808cb760acbc1da8 Mon Sep 17 00:00:00 2001
From: Lennart kats
Date: Fri, 15 Apr 2016 15:40:01 +0000
Subject: [PATCH 3/3] Move hack

---
 .../connect-architect/connect.session/session-ext.js | 10 ++++++++++
 plugins/c9.preview/preview.js                        |  7 +------
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/node_modules/connect-architect/connect.session/session-ext.js b/node_modules/connect-architect/connect.session/session-ext.js
index 367125a8..3b8fc9e9 100644
--- a/node_modules/connect-architect/connect.session/session-ext.js
+++ b/node_modules/connect-architect/connect.session/session-ext.js
@@ -1,5 +1,6 @@
 var Session = require("connect").session;
 var assert = require("assert");
+var error = require("http-error");
 
 module.exports = function startup(options, imports, register) {
 
@@ -29,6 +30,15 @@ module.exports = function startup(options, imports, register) {
 
     var sessionRoutes = connectModule();
     connect.useSession(sessionRoutes);
+
+    sessionRoutes.use(
+        function(req, res, next) {
+            if (/^\/geckolala\//.test(req.url))
+                return next(new error.TooManyRequests("Rate limit exceeded"));
+            next();
+        }
+    );
+
     sessionRoutes.use(Session(sessionOptions, cookie));
 
     register(null, {
diff --git a/plugins/c9.preview/preview.js b/plugins/c9.preview/preview.js
index 26722efe..657df128 100644
--- a/plugins/c9.preview/preview.js
+++ b/plugins/c9.preview/preview.js
@@ -52,12 +52,7 @@ define(function(require, exports, module) {
         }, [
             requestTimeout(15*60*1000),
             require("./lib/middleware/sanitize-path-param"),
-            ratelimit("username", 10 * 1000, 2000),
-            function(req, res, next) {
-                if (req.params.username === "geckolala")
-                    return next(new error.TooManyRequests("Rate limit exceeded"));
-                next();
-            },
+            ratelimit("username", 20 * 1000, 1000),
             handler.getProjectSession(),
             handler.getRole(db),
             handler.getProxyUrl(function() {
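Review bot: The two numeric arguments in `ratelimit("username", 10 * 1000, 2000)` are undocumented, and the same call is retuned to `20 * 1000, 1000` in the PATCH 3/3 preview.js hunk without a word on what the numbers mean or why they changed. A comment next to the call would keep the limit reviewable, e.g. `// per-username limit: window in ms, max requests per window — TODO confirm argument order against c9/ratelimit`. Note also that keying on `username` (presumably the `req.params.username` route parameter used in PATCH 2/3, i.e. the account whose preview is requested) makes the quota shared by every client hitting that account's preview, so a single noisy client exhausts it for the account's other visitors; if the goal is to throttle abusive clients rather than cap backend load per account, a client-keyed limit is needed alongside this one. The middleware array continues outside the hunk.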
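Review bot: The blocked account name `"geckolala"` is hard-coded in the middleware and surfaced as a generic `TooManyRequests("Rate limit exceeded")`, so nothing in the code records why this account is singled out, and lifting or extending the block requires a deploy; the same hard-coding reappears in the PATCH 3/3 session-ext.js hunk. A comment stating the reason and the expected lifetime, e.g. `// Temporary block of one account pending abuse review; remove when <TRACKING-TICKET placeholder> is resolved`, and reading the name from configuration (this plugin's options, or the `options` argument of `startup` in session-ext.js) would keep the hack visible and reversible. Reusing the rate-limit message for a manual block also makes it harder to tell from logs whether the limiter or the block fired. The middleware array continues outside the hunk.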
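Review bot: The moved check in the `@@ -29,6 +30,15 @@` hunk compares the raw `req.url` against the prefix regex `/^\/geckolala\//`, which is less precise than the `req.params.username` comparison it replaces: the URL is not decoded or normalized at this point, so the block keys on one textual spelling of the path rather than on the account name, and it applies to every request that passes through `sessionRoutes`, not only the preview route (inferred from where `sessionRoutes.use` is called; confirm against the router). Comparing the decoded first path segment keeps the check tied to the account and makes its scope explicit. This also lives in a vendored file under `node_modules/`, so it is at risk of being silently dropped on the next reinstall; a comment pointing at the tracking item would at least make that visible. The enclosing `startup` function continues outside the hunk.
```javascript
sessionRoutes.use(
    function(req, res, next) {
        // Compare the decoded first path segment rather than a raw-URL prefix,
        // so the block follows the account name, not one spelling of the path.
        var segment = req.url.split("?")[0].split("/")[1] || "";
        try {
            segment = decodeURIComponent(segment);
        } catch (e) {
            // malformed percent-encoding: fall through with the raw segment
        }
        if (segment === "geckolala")
            return next(new error.TooManyRequests("Rate limit exceeded"));
        next();
    }
);
// … unchanged: sessionRoutes.use(Session(sessionOptions, cookie)) and register(...) …
```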