rack-throttle
Pattern matching bug fix
Pattern matching bug fix for rules-based paths. If the path has extra slashes then it is ignored by the rules' `path_matches?` method, but the extra slashes are stripped by most servers and the request is processed.
Thanks for the first PR! Question, would rack-attack work for your use case instead? I have a PR open to deprecate in favor of it.
Hi, thanks for the recommendation. Unfortunately, I think it has a minimum Ruby version of 2.3, which we are not currently at yet.
Ah! We are not currently adding additional functionality to rack-throttle as rack-attack is more full featured and better supported.
My fear of adding this is anyone that relies on multiple slashes to differentiate/create rules will have an unexpected change.
Yeah, that's a fair point all right. I never thought of that, but I would imagine that the number would be relatively low compared to those who are using the rules as standard.
As it stands now, anyone who has not specifically configured their server not to strip extra slashes and has implemented the rules for rate limiting is open to a potential DoS attack. Going on the assumption that anyone limiting the requests for a resource is probably doing so as it's a relatively labour-intensive task, it could easily bring down a production app.
We have extended the limiter for our own use, so it's easily fixable without an update anyway, I guess.
Nice chatting to any woo, feel free to close the PR 👍
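
The mismatch described in this PR, together with the compatibility concern raised in review, as an added Ruby example (not rack-throttle's code and not part of the thread). `Rule`, `normalize_path`, `raw_match`, `normalized_match` and the other names are hypothetical, and the rules and request paths are constructed samples.

```ruby
# Added illustration, not rack-throttle source. All names are hypothetical.
Rule = Struct.new(:verb, :pattern, :limit)

# Constructed sample rules: the second one only matches a doubled slash.
RULES = [
  Rule.new("GET", %r{\A/reports/export\z}, 5),
  Rule.new("GET", %r{\A/legacy//feed\z}, 10)
].freeze

# Collapse runs of "/" so the limiter sees the path the server will route.
def normalize_path(path)
  squeezed = path.to_s.squeeze("/")
  squeezed.start_with?("/") ? squeezed : "/#{squeezed}"
end

# Matching on the raw path (assumed to model the behaviour the PR reports).
def raw_match(verb, path)
  RULES.find { |r| r.verb == verb && r.pattern =~ path }
end

# Matching after normalization, the behaviour the PR proposes.
def normalized_match(verb, path)
  raw_match(verb, normalize_path(path))
end

# Paths that no rule covers under the given matcher (i.e. never throttled).
def unthrottled(paths, matcher)
  paths.reject { |p| send(matcher, "GET", p) }
end

# Rules whose pattern needs a doubled slash: these stop matching once paths
# are normalized, which is the compatibility concern raised in the review.
def rules_needing_double_slash(rules)
  rules.select { |r| r.pattern.source.include?("//") }
end

# Constructed request paths that a slash-collapsing server treats as equal.
SAMPLE_PATHS = %w[/reports/export //reports/export /reports//export].freeze

if __FILE__ == $PROGRAM_NAME
  puts "raw:        #{unthrottled(SAMPLE_PATHS, :raw_match).inspect}"
  puts "normalized: #{unthrottled(SAMPLE_PATHS, :normalized_match).inspect}"
  puts "affected:   #{rules_needing_double_slash(RULES).map(&:pattern).inspect}"
end
```

Running `rules_needing_double_slash` over an existing rule set before enabling normalization lists the rules that would silently stop matching.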