External/ergo
1
0
Fork 1
mirror of https://github.com/ergochat/ergo.git synced 2025-12-20 02:00:11 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

block HTTP DoS attacks (#2239)
Some checks failed
build / build (push) Has been cancelled
Details
ghcr / Build (push) Has been cancelled
Details

Browse source 
Block uses of the JS Fetch API to send HTTP message bodies that are also valid
IRC. The constraint on such messages is that they must begin with a valid HTTP
verb; we can detect this and reject them immediately.
This commit is contained in:
Shivaram Lingamneni 2025-03-30 21:33:06 -04:00 committed by GitHub
parent 9791606f62
commit a6df370bd9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
irc/client.go
View file

@ -727,8 +727,12 @@ func (client *Client) run(session *Session) {
} }
session.fakelag.Touch(command) session.fakelag.Touch(command)
} else { } else {
// DoS hardening, #505 if session.registrationMessages == 0 && httpVerbs.Has(msg.Command) {
client.Send(nil, client.server.name, ERR_UNKNOWNERROR, msg.Command, "This is not an HTTP server")
break
}
session.registrationMessages++ session.registrationMessages++
// DoS hardening, #505
if client.server.Config().Limits.RegistrationMessages < session.registrationMessages { if client.server.Config().Limits.RegistrationMessages < session.registrationMessages {
client.Send(nil, client.server.name, ERR_UNKNOWNERROR, "*", client.t("You have sent too many registration messages")) client.Send(nil, client.server.name, ERR_UNKNOWNERROR, "*", client.t("You have sent too many registration messages"))
break break

2
irc/server.go
View file

@ -63,6 +63,8 @@ var (
chanTypes = "#" chanTypes = "#"
throttleMessage = "You have attempted to connect too many times within a short duration. Wait a while, and you will be able to connect." throttleMessage = "You have attempted to connect too many times within a short duration. Wait a while, and you will be able to connect."
httpVerbs = utils.SetLiteral("CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "TRACE")
) )
// Server is the main Oragono server. // Server is the main Oragono server.