
block HTTP DoS attacks (#2239)

Block uses of the JS Fetch API to send HTTP message bodies that are also valid
IRC. The constraint on such messages is that they must begin with a valid HTTP
verb; we can detect this and reject them immediately.
Shivaram Lingamneni 2025-03-30 21:33:06 -04:00 committed by GitHub
parent 9791606f62
commit a6df370bd9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 7 additions and 1 deletions


@ -727,8 +727,12 @@ func (client *Client) run(session *Session) {
}
session.fakelag.Touch(command)
} else {
// DoS hardening, #505
if session.registrationMessages == 0 && httpVerbs.Has(msg.Command) {
client.Send(nil, client.server.name, ERR_UNKNOWNERROR, msg.Command, "This is not an HTTP server")
break
}
session.registrationMessages++
// DoS hardening, #505
if client.server.Config().Limits.RegistrationMessages < session.registrationMessages {
client.Send(nil, client.server.name, ERR_UNKNOWNERROR, "*", client.t("You have sent too many registration messages"))
break
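Review bot: The new guard `httpVerbs.Has(msg.Command)` is an exact, case-sensitive set lookup against an all-upper-case set, so it is only as reliable as the parser's normalization of the command; I can't see from the hunk whether ParseLine upper-cases msg.Command, and if it does not, the lookup should be `httpVerbs.Has(strings.ToUpper(msg.Command))` so the check does not depend on the casing of the request line. The comment `// DoS hardening, #505` on the new branch repeats the label of the older registration-message limit below it, which makes the two protections hard to tell apart; `// DoS hardening: reject an HTTP request line as the first pre-registration message, #2239` would keep the rationale traceable, and the same one-line why-comment belongs on the `httpVerbs` declaration in the second hunk. The enclosing function run begins and ends outside the hunk.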


@ -63,6 +63,8 @@ var (
chanTypes = "#"
throttleMessage = "You have attempted to connect too many times within a short duration. Wait a while, and you will be able to connect."
httpVerbs = utils.SetLiteral("CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "TRACE")
)
// Server is the main Oragono server.