From: Dylan William Hardison Date: Wed, 19 Dec 2018 21:24:36 +0000 (-0500) Subject: bug 1515405 : Add rate limiting for comments and attachment accesses X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f597ccfb0d058a632069cbaf4846337b2b4b61d;p=thirdparty%2Fbugzilla.git bug 1515405 : Add rate limiting for comments and attachment accesses
---
diff --git a/Bugzilla/Config/Admin.pm b/Bugzilla/Config/Admin.pm
index 9d9e47d6e..b1b9371a5 100644
--- a/Bugzilla/Config/Admin.pm
+++ b/Bugzilla/Config/Admin.pm
@@ -39,7 +39,7 @@ sub get_param_list {
 {
 name => 'rate_limit_rules',
 type => 'l',
- default => '{"get_bug": [75, 60], "show_bug": [75, 60], "github": [10, 60]}',
+ default => default_rate_limit_rules(),
 checker => \&check_rate_limit_rules,
 updater => \&update_rate_limit_rules,
 },
@@ -51,6 +51,16 @@ sub get_param_list {
 return @param_list;
 }
+sub default_rate_limit_rules {
+ return encode_json({
+ get_bug => [75, 60],
+ show_bug => [75, 60],
+ github => [10, 60],
+ get_attachments => [75, 60],
+ get_comments => [75, 60],
+ });
+}
+
 sub check_rate_limit_rules {
 my $rules = shift;
@@ -62,7 +72,11 @@ sub check_rate_limit_rules {
 }
 values %$val;
- foreach my $required (qw( show_bug get_bug github )) {
+ my @required = qw(
+ show_bug github get_bug
+ get_attachments get_comments
+ );
+ foreach my $required (@required) {
 return "missing $required" unless exists $val->{$required};
 }
@@ -72,7 +86,9 @@ sub check_rate_limit_rules {
 sub update_rate_limit_rules {
 my ($rules) = @_;
 my $val = decode_json($rules);
- $val->{github} = [10, 60];
+ $val->{github} = [10, 60];
+ $val->{get_attachments} = [75, 60];
+ $val->{get_comments} = [75, 60];
 return encode_json($val);
 }
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm
index e4727ed56..0f25b9461 100644
--- a/Bugzilla/WebService/Bug.pm
+++ b/Bugzilla/WebService/Bug.pm
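Review bot: `default_rate_limit_rules` carries no comment saying why a generated default now sits beside the updater, and `encode_json` on a plain hash emits keys in an order that varies between processes under hash randomization, so the default string is not stable text; the decoded rules are unaffected, but anything that compares the stored parameter text against this default (to detect an untouched setting, say) will see spurious differences unless a canonical encoder is used. I'd add, above the sub, `# Defaults for the rate_limit_rules param; update_rate_limit_rules re-pins github, get_attachments and get_comments on every save, so those three entries are effectively fixed.` The sub also relies on `encode_json` already being imported into this file, which the updater's existing use suggests is the case.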
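Review bot: `update_rate_limit_rules` overwrites whatever an admin entered for `get_attachments` and `get_comments` with a fixed `[75, 60]`, while `check_rate_limit_rules` in the hunk above now rejects a rule set that omits those keys, so the admin is forced to supply values that are then silently discarded. If these three limits are deliberately not tunable, say so where the admin can see it and on the sub itself, e.g. `# github, get_attachments and get_comments are fixed: admin-submitted values are replaced on save.`; otherwise drop the two new assignments so the checker-validated values are honoured.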
@@ -314,6 +314,10 @@ sub comments {
 my $dbh = Bugzilla->switch_to_shadow_db();
 my $user = Bugzilla->user;
+ unless (Bugzilla->user->id) {
+ Bugzilla->check_rate_limit("get_comments", remote_ip());
+ }
+
 my %bugs;
 foreach my $bug_id (@$bug_ids) {
 my $bug = Bugzilla::Bug->check($bug_id);
@@ -1257,6 +1261,10 @@ sub attachments {
 my $ids = $params->{ids} || [];
 my $attach_ids = $params->{attachment_ids} || [];
+ unless (Bugzilla->user->id) {
+ Bugzilla->check_rate_limit("get_attachments", remote_ip());
+ }
+
 my %bugs;
 foreach my $bug_id (@$ids) {
 my $bug = Bugzilla::Bug->check($bug_id);
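Review bot: In `comments`, `unless (Bugzilla->user->id)` re-fetches the user one line after `my $user = Bugzilla->user;` already bound it; `unless ($user->id) {` keeps the guard and the rest of the sub on the same object. The same guard appears in the `attachments` hunk, and in both places `remote_ip()` is called with no import visible in the diff; if Bugzilla::Util's `remote_ip` isn't already imported into this file the failure surfaces only at runtime for anonymous callers, so confirm the import. The check is also made once per call, before the loop over the requested ids, so a single anonymous request naming many bugs is presumably counted as one hit; if that is intended, a comment such as `# Anonymous callers are rate-limited per remote IP, once per call rather than per id.` would make it explicit. Both subs continue outside their hunks.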