From 7df3ca7388954ee43db28725092e3260f1f23d98 Mon Sep 17 00:00:00 2001 From: syuilo Date: Sat, 14 Jan 2023 15:59:15 +0900 Subject: [PATCH] enhance(server): add rate limits for some endpoints --- CHANGELOG.md | 1 + .../backend/src/server/api/endpoints/blocking/create.ts | 4 ++-- .../backend/src/server/api/endpoints/channels/create.ts | 6 ++++++ .../backend/src/server/api/endpoints/clips/add-note.ts | 8 +++++++- packages/backend/src/server/api/endpoints/mute/create.ts | 8 +++++++- .../src/server/api/endpoints/notes/favorites/create.ts | 6 ++++++ .../backend/src/server/api/endpoints/users/lists/push.ts | 6 ++++++ 7 files changed, 35 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c13d11b0a..48dc6ff92 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -83,6 +83,7 @@ You should also include the user name that made the change. - Server: Judge instance block by endsWith @tamaina - Server: improve note scoring for featured notes @CyberRex0 - Server: アンケート選択肢の文字数制限を緩和 @syuilo +- Server: add rate limits for some endpoints @syuilo - Server: improve stats api performance @syuilo - Server: improve nodeinfo performance @syuilo - Server: delete outdated notifications regularly to improve db performance @syuilo diff --git a/packages/backend/src/server/api/endpoints/blocking/create.ts b/packages/backend/src/server/api/endpoints/blocking/create.ts index c468010bc..d9ba99f20 100644 --- a/packages/backend/src/server/api/endpoints/blocking/create.ts +++ b/packages/backend/src/server/api/endpoints/blocking/create.ts @@ -5,15 +5,15 @@ import type { UsersRepository, BlockingsRepository } from '@/models/index.js'; import { UserEntityService } from '@/core/entities/UserEntityService.js'; import { UserBlockingService } from '@/core/UserBlockingService.js'; import { DI } from '@/di-symbols.js'; -import { ApiError } from '../../error.js'; import { GetterService } from '@/server/api/GetterService.js'; +import { ApiError } from '../../error.js'; export const meta = { tags: ['account'], limit: { duration: ms('1hour'), - max: 100, + max: 20, }, requireCredential: true, diff --git a/packages/backend/src/server/api/endpoints/channels/create.ts b/packages/backend/src/server/api/endpoints/channels/create.ts index 10f8b2462..dff8a9d10 100644 --- a/packages/backend/src/server/api/endpoints/channels/create.ts +++ b/packages/backend/src/server/api/endpoints/channels/create.ts @@ -1,4 +1,5 @@ import { Inject, Injectable } from '@nestjs/common'; +import ms from 'ms'; import { Endpoint } from '@/server/api/endpoint-base.js'; import type { ChannelsRepository, DriveFilesRepository } from '@/models/index.js'; import type { Channel } from '@/models/entities/Channel.js'; @@ -14,6 +15,11 @@ export const meta = { kind: 'write:channels', + limit: { + duration: ms('1hour'), + max: 10, + }, + res: { type: 'object', optional: false, nullable: false, diff --git a/packages/backend/src/server/api/endpoints/clips/add-note.ts b/packages/backend/src/server/api/endpoints/clips/add-note.ts index a242124e6..c5ac4f22d 100644 --- a/packages/backend/src/server/api/endpoints/clips/add-note.ts +++ b/packages/backend/src/server/api/endpoints/clips/add-note.ts @@ -1,10 +1,11 @@ import { Inject, Injectable } from '@nestjs/common'; +import ms from 'ms'; import { Endpoint } from '@/server/api/endpoint-base.js'; import { IdService } from '@/core/IdService.js'; import { DI } from '@/di-symbols.js'; import type { ClipNotesRepository, ClipsRepository } from '@/models/index.js'; -import { ApiError } from '../../error.js'; import { GetterService } from '@/server/api/GetterService.js'; +import { ApiError } from '../../error.js'; export const meta = { tags: ['account', 'notes', 'clips'], @@ -13,6 +14,11 @@ export const meta = { kind: 'write:account', + limit: { + duration: ms('1hour'), + max: 20, + }, + errors: { noSuchClip: { message: 'No such clip.', diff --git a/packages/backend/src/server/api/endpoints/mute/create.ts b/packages/backend/src/server/api/endpoints/mute/create.ts index 5ead47031..9099eea52 100644 --- a/packages/backend/src/server/api/endpoints/mute/create.ts +++ b/packages/backend/src/server/api/endpoints/mute/create.ts @@ -1,12 +1,13 @@ import { Inject, Injectable } from '@nestjs/common'; +import ms from 'ms'; import { Endpoint } from '@/server/api/endpoint-base.js'; import { IdService } from '@/core/IdService.js'; import type { MutingsRepository } from '@/models/index.js'; import type { Muting } from '@/models/entities/Muting.js'; import { GlobalEventService } from '@/core/GlobalEventService.js'; import { DI } from '@/di-symbols.js'; -import { ApiError } from '../../error.js'; import { GetterService } from '@/server/api/GetterService.js'; +import { ApiError } from '../../error.js'; export const meta = { tags: ['account'], @@ -15,6 +16,11 @@ export const meta = { kind: 'write:mutes', + limit: { + duration: ms('1hour'), + max: 20, + }, + errors: { noSuchUser: { message: 'No such user.', diff --git a/packages/backend/src/server/api/endpoints/notes/favorites/create.ts b/packages/backend/src/server/api/endpoints/notes/favorites/create.ts index e742c1bb3..acf22a5ad 100644 --- a/packages/backend/src/server/api/endpoints/notes/favorites/create.ts +++ b/packages/backend/src/server/api/endpoints/notes/favorites/create.ts @@ -1,4 +1,5 @@ import { Inject, Injectable } from '@nestjs/common'; +import ms from 'ms'; import type { NoteFavoritesRepository } from '@/models/index.js'; import { IdService } from '@/core/IdService.js'; import { Endpoint } from '@/server/api/endpoint-base.js'; @@ -13,6 +14,11 @@ export const meta = { kind: 'write:favorites', + limit: { + duration: ms('1hour'), + max: 20, + }, + errors: { noSuchNote: { message: 'No such note.', diff --git a/packages/backend/src/server/api/endpoints/users/lists/push.ts b/packages/backend/src/server/api/endpoints/users/lists/push.ts index c3a130828..96be7e11e 100644 --- a/packages/backend/src/server/api/endpoints/users/lists/push.ts +++ b/packages/backend/src/server/api/endpoints/users/lists/push.ts @@ -1,4 +1,5 @@ import { Inject, Injectable } from '@nestjs/common'; +import ms from 'ms'; import type { UserListsRepository, UserListJoiningsRepository, BlockingsRepository } from '@/models/index.js'; import { Endpoint } from '@/server/api/endpoint-base.js'; import { GetterService } from '@/server/api/GetterService.js'; @@ -15,6 +16,11 @@ export const meta = { description: 'Add a user to an existing list.', + limit: { + duration: ms('1hour'), + max: 30, + }, + errors: { noSuchList: { message: 'No such list.',