Vulnerability: No rate limit on reset password link #3214
Assignees
Labels
Comments
martaribeiro
added
usability
vulnerability
|
Solution: insert a minimum time in between password resets, e.g. 2 mins. |
|
@dsisu to investigate whether there is an industry practice on limits to number of password changes |
|
Going to use Rack-attack gem https://rubygems.org/gems/rack-attack/versions/6.6.1 as suggested by @briri. |
johnpinto1
pushed a commit
that referenced
this issue
Dec 8, 2022
resetting the password. The Rack-Attack middleware for blocking & throttling abusive requests is being used. https://github.com/rack/rack-attack/blob/6-stable/README.md Changes: - Added rack-attack version 6.6.1 gem. https://rubygems.org/gems/rack-attack/versions/6.6.1 - Added config/initializers/rack_attack.rb: - The rack-attack functionality is enabled with Rack::Attack.enabled = true but may be switched off Rack::Attack.enabled = false. - Password reset requests are currently throttled from an ip addr from an ip address for POSTs to path /users/passwords and is limited 2 requests every 30 seconds. ess - Login requests are throttled from an ip address for POSTs to path /users/sign_in and is limited 4 requests every 30 seconds. - A new html page public/429.html with title "Too Many Request" is added.
johnpinto1
pushed a commit
that referenced
this issue
Dec 8, 2022
resetting the password. The Rack-Attack middleware for blocking & throttling abusive requests is being used. https://github.com/rack/rack-attack/blob/6-stable/README.md Changes: - Added rack-attack version 6.6.1 gem. https://rubygems.org/gems/rack-attack/versions/6.6.1 - Added config/initializers/rack_attack.rb: - The rack-attack functionality is enabled with Rack::Attack.enabled = true but may be switched off Rack::Attack.enabled = false. - Password reset requests are currently throttled from from an IP address for POSTs to path /users/passwords and is limited 2 requests every 30 seconds. ess - Login requests are throttled from an IP address for POSTs to path /users/sign_in and is limited 4 requests every 30 seconds. - A new html page public/429.html with title "Too Many Request" is added.
johnpinto1
pushed a commit
that referenced
this issue
Dec 19, 2022
resetting the password. The Rack-Attack middleware for blocking & throttling abusive requests is being used. https://github.com/rack/rack-attack/blob/6-stable/README.md Changes: - Added rack-attack version 6.6.1 gem. https://rubygems.org/gems/rack-attack/versions/6.6.1 - Added config/initializers/rack_attack.rb: - The rack-attack functionality is enabled with Rack::Attack.enabled = true but may be switched off Rack::Attack.enabled = false. - Password reset requests are currently throttled from from an IP address for POSTs to path /users/passwords and is limited 2 requests every 30 seconds. ess - Login requests are throttled from an IP address for POSTs to path /users/sign_in and is limited 4 requests every 30 seconds. - A new html page public/429.html with title "Too Many Request" is added.
johnpinto1
pushed a commit
that referenced
this issue
Dec 19, 2022
resetting the password. The Rack-Attack middleware for blocking & throttling abusive requests is being used. https://github.com/rack/rack-attack/blob/6-stable/README.md Changes: - Added rack-attack version 6.6.1 gem. https://rubygems.org/gems/rack-attack/versions/6.6.1 - Added config/initializers/rack_attack.rb: - The rack-attack functionality is enabled with Rack::Attack.enabled = true but may be switched off Rack::Attack.enabled = false. - Password reset requests are currently throttled from from an IP address for POSTs to path /users/passwords and is limited 2 requests every 30 seconds. ess - Login requests are throttled from an IP address for POSTs to path /users/sign_in and is limited 4 requests every 30 seconds. - A new html page public/429.html with title "Too Many Request" is added.
johnpinto1
pushed a commit
that referenced
this issue
Jan 10, 2023
resetting the password. The Rack-Attack middleware for blocking & throttling abusive requests is being used. https://github.com/rack/rack-attack/blob/6-stable/README.md Changes: - Added rack-attack version 6.6.1 gem. https://rubygems.org/gems/rack-attack/versions/6.6.1 - Added config/initializers/rack_attack.rb: - The rack-attack functionality is enabled with Rack::Attack.enabled = true but may be switched off Rack::Attack.enabled = false. - Password reset requests are currently throttled from from an IP address for POSTs to path /users/passwords and is limited 2 requests every 30 seconds. ess - Login requests are throttled from an IP address for POSTs to path /users/sign_in and is limited 4 requests every 30 seconds. - A new html page public/429.html with title "Too Many Request" is added.
briri
added a commit
that referenced
this issue
Mar 24, 2023
…te_limit_on_reset_password_link Fix for bug #3214 which had noted there was no request rate limit to - WIP
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Please complete the following fields as applicable:
What version of the DMPRoadmap code are you running? (e.g. v2.2.0)
Roadmap V3.1.1
Expected behaviour:
Only send one reset password email within a certain period of time.
Actual behaviour:
DESCRIPTION: A user will get many password reset link in the mailbox and unwanted traffic will be generated in the mailbox
STEPS TO REPRODUCE:
IMPACT: User inbox will generated unwanted password in their mailbox
Steps to reproduce:
Set a number of emails sent in a certain period of time when reseting password
The text was updated successfully, but these errors were encountered: