Updated Rack Attack configuration to address vulnerabilities in passw…

…ord updates. Changes: The fix involves adding a new Rack Attack rule "profile_updates/ip" and rewriting the body of the rules "password_resets/ip" and "logins/ip" so the the request ip is returned if the rule is triggered.
DMPRoadmap · Sep 24, 2024 · acf5961 · acf5961
1 parent 56759df
commit acf5961
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,7 @@
 # Changelog
 
+- Updated Rack Attack configuration to address vulnerabilities in password updates.
+
 ## v4.2.0
 
 **Note this upgrade is mainly a migration from Bootstrap 3 to Bootstrap 5.** 

diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -16,11 +16,17 @@
 
 # Throttle attempts to a particular path. 2 POSTs to /users/password every 30 seconds
 Rack::Attack.throttle "password_resets/ip", limit: 2, period: 30.seconds do |req|
-  req.post? && req.path == "/users/password" && req.ip
+  req.ip if req.post? && req.path == "/users/password"
 end
 
 # Throttle attempts to a particular path. 4 POSTs to /users/sign_in every 30 seconds
 Rack::Attack.throttle "logins/ip", limit: 4, period: 30.seconds do |req|
   # Don't apply sign-in rate-limiting to test environment
-  req.post? && req.path == "/users/sign_in" && req.ip unless Rails.env.test?
+  (req.ip if req.post? && req.path == "/users/sign_in") unless Rails.env.test?
+end
+
+# Throttle attempts to a particular path. 2 POST or PUTS to /users every 30 seconds
+# This includes password updates.
+Rack::Attack.throttle "profile_updates/ip", limit: 2, period: 30.seconds do |req|
+  req.ip if (req.put? || req.post?) && req.path == "/users"
 end