
Brute-force attack on monitor token

Open casesolved-co-uk opened this issue 9 months ago • 1 comment

The monitoring.targets call needs a rate-limit or other security measures to protect the monitor token:

https://github.com/frappe/press/blob/768d55c05135e0e62d1af68d8f41ad298fb4b4a4/press/api/monitoring.py#L94-L100

casesolved-co-uk avatar Mar 25 '25 19:03 casesolved-co-uk

Also vulnerable to the extremely theoretical timing attacks, given perfect network conditions, because of the string comparison 😄

To be fair, a long enough token should prevent brute-force attacks, probably.

cogk avatar Mar 26 '25 17:03 cogk
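The two points raised in this thread, a rate limit on failed token checks and a constant-time comparison instead of a plain string compare, are shown together below as an added example. This is not code from frappe/press and does not reproduce its monitoring API; the endpoint guard, the client key, the limiter parameters and the token value are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from collections import deque

# Constructed secret for the example only; a deployment would load the
# monitor token from site configuration rather than hard-code it.
MONITOR_TOKEN = secrets.token_hex(32)
# Compare digests rather than the raw strings: both sides are then the same
# fixed length, so neither token length nor the first mismatching byte leaks.
TOKEN_DIGEST = hashlib.sha256(MONITOR_TOKEN.encode()).digest()


def token_matches(presented: str) -> bool:
    """Constant-time check of a presented token against the configured one."""
    presented_digest = hashlib.sha256(presented.encode()).digest()
    return hmac.compare_digest(presented_digest, TOKEN_DIGEST)


class FailedAuthLimiter:
    """Sliding-window limiter: at most `limit` failed token checks per
    `window` seconds for one client key (for example the source IP).
    The clock is injectable so the behaviour can be exercised offline."""

    def __init__(self, limit: int = 5, window: float = 60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._failures: dict[str, deque] = {}

    def _recent_failures(self, key: str, now: float) -> deque:
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return q

    def is_blocked(self, key: str) -> bool:
        return len(self._recent_failures(key, self.clock())) >= self.limit

    def record_failure(self, key: str) -> None:
        now = self.clock()
        self._recent_failures(key, now).append(now)


def authorize_monitor_request(presented_token: str, client_key: str,
                              limiter: FailedAuthLimiter) -> tuple[int, str]:
    """Hypothetical guard for a monitoring endpoint. Returns (status, reason).
    The limiter is consulted before the token is checked, so a blocked client
    never gets a fresh comparison, and only failures count against it."""
    if limiter.is_blocked(client_key):
        return 429, "too many failed attempts"
    if not token_matches(presented_token):
        limiter.record_failure(client_key)
        return 403, "invalid token"
    return 200, "ok"


def simulate_brute_force(attempts: int = 6) -> list[int]:
    """Drive the guard with a constructed fake clock and one client key.
    Wrong tokens are rejected until the limit is hit, then refused outright;
    even the correct token is refused while the block lasts, and accepted
    once the window has passed."""
    now = [0.0]
    limiter = FailedAuthLimiter(limit=3, window=60.0, clock=lambda: now[0])
    client = "203.0.113.7"  # constructed documentation-range address
    statuses = []
    for i in range(attempts):
        status, _ = authorize_monitor_request(f"guess-{i}", client, limiter)
        statuses.append(status)
        now[0] += 1.0
    statuses.append(authorize_monitor_request(MONITOR_TOKEN, client, limiter)[0])
    now[0] += 61.0
    statuses.append(authorize_monitor_request(MONITOR_TOKEN, client, limiter)[0])
    return statuses


if __name__ == "__main__":
    print(simulate_brute_force())
```

Two caveats a practitioner would weigh before adopting this shape. Keying the limiter by source address means an attacker sharing that address (or spoofing it behind a misconfigured proxy) can lock out the legitimate monitor, so the key and the limits should match how the monitor actually reaches the endpoint. And an in-process dictionary only limits one worker; with several app servers or workers the counters belong in a shared store such as Redis, otherwise each worker grants the full budget independently.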