From e34a980106a6960c69c331158f8ffad9f9c89805 Mon Sep 17 00:00:00 2001 From: tycrek Date: Thu, 18 Aug 2022 16:53:35 -0600 Subject: [PATCH] Added shitty basic rate limiting (CodeQL) --- package-lock.json | 61 +++++++++++++++++++++++++++++++++++++++++++++++ package.json | 2 ++ src/ass.ts | 18 ++++++++++++++ 3 files changed, 81 insertions(+) diff --git a/package-lock.json b/package-lock.json index 280dcda..ce0343c 100755 --- a/package-lock.json +++ b/package-lock.json @@ -25,6 +25,7 @@ "discord-webhook-node": "^1.1.8", "escape-html": "^1.0.3", "express": "^4.17.3", + "express-brute": "^1.0.1", "express-busboy": "^8.0.2", "ffmpeg-static": "^4.4.0", "fs-extra": "^10.0.1", @@ -46,6 +47,7 @@ "devDependencies": { "@types/escape-html": "^1.0.1", "@types/express": "^4.17.13", + "@types/express-brute": "^1.0.1", "@types/express-busboy": "^8.0.0", "@types/ffmpeg-static": "^3.0.0", "@types/fs-extra": "^9.0.12", @@ -512,6 +514,15 @@ "@types/serve-static": "*" } }, + "node_modules/@types/express-brute": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@types/express-brute/-/express-brute-1.0.1.tgz", + "integrity": "sha512-rG4YWh+tIDvwupiPwuLaz0fEpFE7ShLOX59ZdejMQ4jYlshmxtN5KjB7VFGsggk4TmeVnoHF7QrwLwan2wj8cg==", + "dev": true, + "dependencies": { + "@types/express": "*" + } + }, "node_modules/@types/express-busboy": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/@types/express-busboy/-/express-busboy-8.0.0.tgz", 
@@ -2131,6 +2142,18 @@ "node": ">= 0.10.0" } }, + "node_modules/express-brute": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/express-brute/-/express-brute-1.0.1.tgz", + "integrity": "sha512-ieZmwox3oIZdQCVjvvnwQvrKQumWdb/JjmC9mWplF42AuHCBXr6Yk/I+nLTRQx+9F+2aapOW9kYLwA6xIlwA9g==", + "dependencies": { + "long-timeout": "~0.1.1", + "underscore": "~1.8.3" + }, + "peerDependencies": { + "express": "4.x" + } + }, "node_modules/express-busboy": { "version": "8.0.2", "resolved": "https://registry.npmjs.org/express-busboy/-/express-busboy-8.0.2.tgz", @@ -2968,6 +2991,11 @@ "lodash._baseuniq": "~4.6.0" } }, + "node_modules/long-timeout": { + "version": "0.1.1", + "resolved": "https://registry.npmjs.org/long-timeout/-/long-timeout-0.1.1.tgz", + "integrity": "sha512-BFRuQUqc7x2NWxfJBCyUrN8iYUYznzL9JROmRz1gZ6KlOIgmoD+njPVbb+VNn2nGMKggMsK79iUNErillsrx7w==" + }, "node_modules/lru-cache": { "version": "6.0.0", "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", @@ -5204,6 +5232,11 @@ "node": ">=4.2.0" } }, + "node_modules/underscore": { + "version": "1.8.3", + "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.8.3.tgz", + "integrity": "sha512-5WsVTFcH1ut/kkhAaHf4PVgI8c7++GiVcpCGxPouI6ZVjsqPnSDf8h/8HtVqc0t4fzRXwnMK70EcZeAs3PIddg==" + }, "node_modules/universalify": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/universalify/-/universalify-2.0.0.tgz", @@ -5859,6 +5892,15 @@ "@types/serve-static": "*" } }, + "@types/express-brute": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@types/express-brute/-/express-brute-1.0.1.tgz", + "integrity": "sha512-rG4YWh+tIDvwupiPwuLaz0fEpFE7ShLOX59ZdejMQ4jYlshmxtN5KjB7VFGsggk4TmeVnoHF7QrwLwan2wj8cg==", + "dev": true, + "requires": { + "@types/express": "*" + } + }, "@types/express-busboy": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/@types/express-busboy/-/express-busboy-8.0.0.tgz", 
@@ -7128,6 +7170,15 @@ "vary": "~1.1.2" } }, + "express-brute": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/express-brute/-/express-brute-1.0.1.tgz", + "integrity": "sha512-ieZmwox3oIZdQCVjvvnwQvrKQumWdb/JjmC9mWplF42AuHCBXr6Yk/I+nLTRQx+9F+2aapOW9kYLwA6xIlwA9g==", + "requires": { + "long-timeout": "~0.1.1", + "underscore": "~1.8.3" + } + }, "express-busboy": { "version": "8.0.2", "resolved": "https://registry.npmjs.org/express-busboy/-/express-busboy-8.0.2.tgz", @@ -7787,6 +7838,11 @@ "lodash._baseuniq": "~4.6.0" } }, + "long-timeout": { + "version": "0.1.1", + "resolved": "https://registry.npmjs.org/long-timeout/-/long-timeout-0.1.1.tgz", + "integrity": "sha512-BFRuQUqc7x2NWxfJBCyUrN8iYUYznzL9JROmRz1gZ6KlOIgmoD+njPVbb+VNn2nGMKggMsK79iUNErillsrx7w==" + }, "lru-cache": { "version": "6.0.0", "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", @@ -9373,6 +9429,11 @@ "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.6.3.tgz", "integrity": "sha512-yNIatDa5iaofVozS/uQJEl3JRWLKKGJKh6Yaiv0GLGSuhpFJe7P3SbHZ8/yjAHRQwKRoA6YZqlfjXWmVzoVSMw==" }, + "underscore": { + "version": "1.8.3", + "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.8.3.tgz", + "integrity": "sha512-5WsVTFcH1ut/kkhAaHf4PVgI8c7++GiVcpCGxPouI6ZVjsqPnSDf8h/8HtVqc0t4fzRXwnMK70EcZeAs3PIddg==" + }, "universalify": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/universalify/-/universalify-2.0.0.tgz", diff --git a/package.json b/package.json index 1a440fa..c7d6833 100644 --- a/package.json +++ b/package.json @@ -54,6 +54,7 @@ "discord-webhook-node": "^1.1.8", "escape-html": "^1.0.3", "express": "^4.17.3", + "express-brute": "^1.0.1", "express-busboy": "^8.0.2", "ffmpeg-static": "^4.4.0", "fs-extra": "^10.0.1", 
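Review bot: The new `"express-brute": "^1.0.1"` line adopts a package whose 1.0.1 release appears to be its latest, and the lockfile hunks above show it resolving to only `underscore ~1.8.3` and `long-timeout ~0.1.1` as runtime dependencies, both old releases, so the limiter rests on code that is unlikely to receive further security fixes. The author's comment in `src/ass.ts` already treats this as a stopgap, so it would help to record the maintenance concern alongside it, e.g. `// todo: express-brute is unmaintained; replace when the redis-backed limiter lands`, and to evaluate an actively maintained limiter such as `express-rate-limit` at that point.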
@@ -75,6 +76,7 @@ "devDependencies": { "@types/escape-html": "^1.0.1", "@types/express": "^4.17.13", + "@types/express-brute": "^1.0.1", "@types/express-busboy": "^8.0.0", "@types/ffmpeg-static": "^3.0.0", "@types/fs-extra": "^9.0.12", diff --git a/src/ass.ts b/src/ass.ts index ec505d0..f012d15 100644 --- a/src/ass.ts +++ b/src/ass.ts @@ -58,6 +58,24 @@ app.disable('x-powered-by'); app.set('trust proxy', isProxied); app.set('view engine', 'pug'); +// Rate limiting using express-brute +// ! Notice ! +// The rate limiting used here is very trivial and should be used with caution. +// I plan to improve this in the future somehow (possibly with redis, who knows). +// - tycrek, 2022-08-18 +// todo: fix this eventually +import ExpressBrute from 'express-brute'; +const bruteforce = new ExpressBrute(new ExpressBrute.MemoryStore(), { + freeRetries: 50, + minWait: 50, // 50ms + maxWait: 500, // 500ms + lifetime: 5, // 5 seconds + failCallback: (req, res, next, nextValidRequestDate) => res.sendStatus(429), +}); + +// Routes to protect +app.get(['/'], bruteforce.prevent, (req, res, next) => next()); + // Express logger middleware app.use(log.middleware());
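Review bot: The limiter is mounted only by `app.get(['/'], bruteforce.prevent, …)`, so just GET requests to the index pass through `bruteforce.prevent`; any upload or API routes defined elsewhere in the file (outside this hunk) remain unlimited, which defeats the stated purpose of the change. `ExpressBrute` keys attempts on `req.ip`, and `app.set('trust proxy', isProxied)` two lines above decides what that value is, so an `isProxied` setting that does not match the real proxy chain either buckets every client under the proxy address or keys on a forwarded address the client controls; a comment next to the store construction, `// NOTE: keyed on req.ip; only meaningful if 'trust proxy' matches the deployment`, would make that dependency explicit. The `failCallback` discards `nextValidRequestDate`; emitting it as a header is one line, `failCallback: (req, res, next, nextValidRequestDate) => res.set('Retry-After', nextValidRequestDate.toUTCString()).sendStatus(429),`. As a style point, the trailing `(req, res, next) => next()` handler is redundant because `prevent` itself calls `next()` when the request is allowed, so `app.get('/', bruteforce.prevent);` suffices, and the mid-file `import ExpressBrute from 'express-brute';` would conventionally sit with the other imports at the top of the file.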