Added shitty basic rate limiting (CodeQL)

3 years ago · e34a980106
parent 9c718b3384
commit e34a980106
3 changed files with 81 additions and 0 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -25,6 +25,7 @@
        "discord-webhook-node": "^1.1.8",
        "escape-html": "^1.0.3",
        "express": "^4.17.3",
+        "express-brute": "^1.0.1",
        "express-busboy": "^8.0.2",
        "ffmpeg-static": "^4.4.0",
        "fs-extra": "^10.0.1",
@ -46,6 +47,7 @@
      "devDependencies": {
        "@types/escape-html": "^1.0.1",
        "@types/express": "^4.17.13",
+        "@types/express-brute": "^1.0.1",
        "@types/express-busboy": "^8.0.0",
        "@types/ffmpeg-static": "^3.0.0",
        "@types/fs-extra": "^9.0.12",
@ -512,6 +514,15 @@
        "@types/serve-static": "*"
      }
    },
+    "node_modules/@types/express-brute": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@types/express-brute/-/express-brute-1.0.1.tgz",
+      "integrity": "sha512-rG4YWh+tIDvwupiPwuLaz0fEpFE7ShLOX59ZdejMQ4jYlshmxtN5KjB7VFGsggk4TmeVnoHF7QrwLwan2wj8cg==",
+      "dev": true,
+      "dependencies": {
+        "@types/express": "*"
+      }
+    },
    "node_modules/@types/express-busboy": {
      "version": "8.0.0",
      "resolved": "https://registry.npmjs.org/@types/express-busboy/-/express-busboy-8.0.0.tgz",
@ -2131,6 +2142,18 @@
        "node": ">= 0.10.0"
      }
    },
+    "node_modules/express-brute": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/express-brute/-/express-brute-1.0.1.tgz",
+      "integrity": "sha512-ieZmwox3oIZdQCVjvvnwQvrKQumWdb/JjmC9mWplF42AuHCBXr6Yk/I+nLTRQx+9F+2aapOW9kYLwA6xIlwA9g==",
+      "dependencies": {
+        "long-timeout": "~0.1.1",
+        "underscore": "~1.8.3"
+      },
+      "peerDependencies": {
+        "express": "4.x"
+      }
+    },
    "node_modules/express-busboy": {
      "version": "8.0.2",
      "resolved": "https://registry.npmjs.org/express-busboy/-/express-busboy-8.0.2.tgz",
@ -2968,6 +2991,11 @@
        "lodash._baseuniq": "~4.6.0"
      }
    },
+    "node_modules/long-timeout": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/long-timeout/-/long-timeout-0.1.1.tgz",
+      "integrity": "sha512-BFRuQUqc7x2NWxfJBCyUrN8iYUYznzL9JROmRz1gZ6KlOIgmoD+njPVbb+VNn2nGMKggMsK79iUNErillsrx7w=="
+    },
    "node_modules/lru-cache": {
      "version": "6.0.0",
      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz",
@ -5204,6 +5232,11 @@
        "node": ">=4.2.0"
      }
    },
+    "node_modules/underscore": {
+      "version": "1.8.3",
+      "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.8.3.tgz",
+      "integrity": "sha512-5WsVTFcH1ut/kkhAaHf4PVgI8c7++GiVcpCGxPouI6ZVjsqPnSDf8h/8HtVqc0t4fzRXwnMK70EcZeAs3PIddg=="
+    },
    "node_modules/universalify": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/universalify/-/universalify-2.0.0.tgz",
@ -5859,6 +5892,15 @@
        "@types/serve-static": "*"
      }
    },
+    "@types/express-brute": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@types/express-brute/-/express-brute-1.0.1.tgz",
+      "integrity": "sha512-rG4YWh+tIDvwupiPwuLaz0fEpFE7ShLOX59ZdejMQ4jYlshmxtN5KjB7VFGsggk4TmeVnoHF7QrwLwan2wj8cg==",
+      "dev": true,
+      "requires": {
+        "@types/express": "*"
+      }
+    },
    "@types/express-busboy": {
      "version": "8.0.0",
      "resolved": "https://registry.npmjs.org/@types/express-busboy/-/express-busboy-8.0.0.tgz",
@ -7128,6 +7170,15 @@
        "vary": "~1.1.2"
      }
    },
+    "express-brute": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/express-brute/-/express-brute-1.0.1.tgz",
+      "integrity": "sha512-ieZmwox3oIZdQCVjvvnwQvrKQumWdb/JjmC9mWplF42AuHCBXr6Yk/I+nLTRQx+9F+2aapOW9kYLwA6xIlwA9g==",
+      "requires": {
+        "long-timeout": "~0.1.1",
+        "underscore": "~1.8.3"
+      }
+    },
    "express-busboy": {
      "version": "8.0.2",
      "resolved": "https://registry.npmjs.org/express-busboy/-/express-busboy-8.0.2.tgz",
@ -7787,6 +7838,11 @@
        "lodash._baseuniq": "~4.6.0"
      }
    },
+    "long-timeout": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/long-timeout/-/long-timeout-0.1.1.tgz",
+      "integrity": "sha512-BFRuQUqc7x2NWxfJBCyUrN8iYUYznzL9JROmRz1gZ6KlOIgmoD+njPVbb+VNn2nGMKggMsK79iUNErillsrx7w=="
+    },
    "lru-cache": {
      "version": "6.0.0",
      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz",
@ -9373,6 +9429,11 @@
      "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.6.3.tgz",
      "integrity": "sha512-yNIatDa5iaofVozS/uQJEl3JRWLKKGJKh6Yaiv0GLGSuhpFJe7P3SbHZ8/yjAHRQwKRoA6YZqlfjXWmVzoVSMw=="
    },
+    "underscore": {
+      "version": "1.8.3",
+      "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.8.3.tgz",
+      "integrity": "sha512-5WsVTFcH1ut/kkhAaHf4PVgI8c7++GiVcpCGxPouI6ZVjsqPnSDf8h/8HtVqc0t4fzRXwnMK70EcZeAs3PIddg=="
+    },
    "universalify": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/universalify/-/universalify-2.0.0.tgz",
--- a/package.json
+++ b/package.json
@ -54,6 +54,7 @@
    "discord-webhook-node": "^1.1.8",
    "escape-html": "^1.0.3",
    "express": "^4.17.3",
+    "express-brute": "^1.0.1",
    "express-busboy": "^8.0.2",
    "ffmpeg-static": "^4.4.0",
    "fs-extra": "^10.0.1",
@ -75,6 +76,7 @@
  "devDependencies": {
    "@types/escape-html": "^1.0.1",
    "@types/express": "^4.17.13",
+    "@types/express-brute": "^1.0.1",
    "@types/express-busboy": "^8.0.0",
    "@types/ffmpeg-static": "^3.0.0",
    "@types/fs-extra": "^9.0.12",
--- a/src/ass.ts
+++ b/src/ass.ts
@ -58,6 +58,24 @@ app.disable('x-powered-by');
 app.set('trust proxy', isProxied);
 app.set('view engine', 'pug');

+// Rate limiting using express-brute
+// ! Notice !
+// The rate limiting used here is very trivial and should be used with caution.
+// I plan to improve this in the future somehow (possibly with redis, who knows).
+// - tycrek, 2022-08-18
+// todo: fix this eventually
+import ExpressBrute from 'express-brute';
+const bruteforce = new ExpressBrute(new ExpressBrute.MemoryStore(), {
+	freeRetries: 50,
+	minWait: 50, // 50ms
+	maxWait: 500, // 500ms
+	lifetime: 5, // 5 seconds
+	failCallback: (req, res, next, nextValidRequestDate) => res.sendStatus(429),
+});
+
+// Routes to protect
+app.get(['/'], bruteforce.prevent, (req, res, next) => next());
+
 // Express logger middleware
 app.use(log.middleware());