Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rate limit github-auth endpoints #1805

Closed
LVMBDV opened this issue Jul 25, 2018 · 6 comments
Closed

Rate limit github-auth endpoints #1805

LVMBDV opened this issue Jul 25, 2018 · 6 comments
Labels
core Server, BaseService, GitHub auth, Shared helpers

Comments

@LVMBDV
Copy link

LVMBDV commented Jul 25, 2018

I noticed this issue while I was working on #541. OAuth web application flows require a randomly generated state parameter to authenticate callback (redirection) requests from the client. Without this security check, adversaries can orchestrate a denial of service attack using the callback endpoint. For more info see:

TL;DR:

20180725202313

@paulmelnikow
Copy link
Member

Just emailed you; thanks.

@paulmelnikow
Copy link
Member

Clarified offline that this is low severity. We should still fix it quickly. 😬

@paulmelnikow paulmelnikow added bug Bugs in badges and the frontend core Server, BaseService, GitHub auth, Shared helpers labels Jul 25, 2018
@paulmelnikow
Copy link
Member

It's not clear how to fix this. The state is exposed to the client; it's not a secret. We don't preserve any state between requests, and any state we did preserve would need to be shared between three servers. That's the least of it, really. The /github-auth endpoint hands out these strings. Since we don't authenticate those requests, it's not clear the state can do anything to help.

We could consider a rate limit.

@paulmelnikow paulmelnikow removed the bug Bugs in badges and the frontend label Jul 25, 2018
@LVMBDV
Copy link
Author

LVMBDV commented Jul 26, 2018

In my opinion, this and the token pool solidifies the need for separate state storage such as a key-value database like Redis.

We could consider a rate limit.

That's like demolishing a building so terrorists can't blow it up.

@paulmelnikow
Copy link
Member

How would state storage solve the problem? If one endpoint gives out tokens as fast as you want, and another consumes them, it doesn’t matter whether they are single use or not.

It’s more like putting a fence around it. We probably could limit to one token per 30 sec per IP, and 5 per 30 seconds overall, without much inconvenience to anyone.

@LVMBDV
Copy link
Author

LVMBDV commented Jul 26, 2018

You're right, rate-limiting the auth endpoint makes sense.

@paulmelnikow paulmelnikow changed the title CSRF in github-auth Rate limit github-auth endpoints Jan 4, 2019
@LVMBDV LVMBDV closed this as completed Nov 23, 2024
jNullj added a commit to jNullj/shields-fun-fork that referenced this issue Nov 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
core Server, BaseService, GitHub auth, Shared helpers
Projects
None yet
Development

No branches or pull requests

2 participants