mirror of
https://github.com/superseriousbusiness/gotosocial.git
synced 2025-10-28 20:02:24 -05:00
b012a81f66
# Description > If this is a code change, please include a summary of what you've coded, and link to the issue(s) it closes/implements. > > If this is a documentation change, please briefly describe what you've changed and why. Fixes a panic when clientIP cannot be parsed in the rate limiting middleware, and warn logs the derived clientIP and a hint that reverse proxy may be misconfigured. Closes https://codeberg.org/superseriousbusiness/gotosocial/issues/4479 ## Checklist Please put an x inside each checkbox to indicate that you've read and followed it: `[ ]` -> `[x]` If this is a documentation change, only the first checkbox must be filled (you can delete the others if you want). - [x] I/we have read the [GoToSocial contribution guidelines](https://codeberg.org/superseriousbusiness/gotosocial/src/branch/main/CONTRIBUTING.md). - [x] I/we have discussed the proposed changes already, either in an issue on the repository, or in the Matrix chat. - [x] I/we have not leveraged AI to create the proposed changes. - [x] I/we have performed a self-review of added code. - [x] I/we have written code that is legible and maintainable by others. - [x] I/we have commented the added code, particularly in hard-to-understand areas. - [ ] I/we have made any necessary changes to documentation. - [ ] I/we have added tests that cover new code. - [x] I/we have run tests and they pass locally with the changes. - [x] I/we have run `go fmt ./...` and `golangci-lint run`. Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4481 Co-authored-by: tobi <tobi.smethurst@protonmail.com> Co-committed-by: tobi <tobi.smethurst@protonmail.com>
167 lines
4.9 KiB
Go
167 lines
4.9 KiB
Go
// GoToSocial
|
|
// Copyright (C) GoToSocial Authors admin@gotosocial.org
|
|
// SPDX-License-Identifier: AGPL-3.0-or-later
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
package middleware
|
|
|
|
import (
|
|
"net"
|
|
"net/http"
|
|
"net/netip"
|
|
"strconv"
|
|
"time"
|
|
|
|
"code.superseriousbusiness.org/gotosocial/internal/gtserror"
|
|
"code.superseriousbusiness.org/gotosocial/internal/log"
|
|
"code.superseriousbusiness.org/gotosocial/internal/util"
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/ulule/limiter/v3"
|
|
"github.com/ulule/limiter/v3/drivers/store/memory"
|
|
|
|
apiutil "code.superseriousbusiness.org/gotosocial/internal/api/util"
|
|
)
|
|
|
|
const rateLimitPeriod = 5 * time.Minute
|
|
|
|
// RateLimit returns a gin middleware that will automatically rate
|
|
// limit caller (by IP address), and enrich the response header with
|
|
// the following headers:
|
|
//
|
|
// - `X-Ratelimit-Limit` - max requests allowed per time period (fixed).
|
|
// - `X-Ratelimit-Remaining` - requests remaining for this IP before reset.
|
|
// - `X-Ratelimit-Reset` - ISO8601 timestamp when the rate limit will reset.
|
|
//
|
|
// If `X-Ratelimit-Limit` is exceeded, the request is aborted and an
|
|
// HTTP 429 TooManyRequests status is returned.
|
|
//
|
|
// If the config AdvancedRateLimitRequests value is <= 0, then a noop
|
|
// handler will be returned, which performs no rate limiting.
|
|
func RateLimit(limit int, except []netip.Prefix) gin.HandlerFunc {
|
|
if limit <= 0 {
|
|
// Rate limiting is disabled.
|
|
// Return noop middleware.
|
|
return func(ctx *gin.Context) {}
|
|
}
|
|
|
|
limiter := limiter.New(
|
|
memory.NewStore(),
|
|
limiter.Rate{
|
|
Period: rateLimitPeriod,
|
|
Limit: int64(limit),
|
|
},
|
|
)
|
|
|
|
// It's prettymuch impossible to effectively
|
|
// rate limit the immense IPv6 address space
|
|
// unless we mask some of the bytes.
|
|
//
|
|
// This mask is pretty coarse, and puts IPv6
|
|
// blocking on more or less the same footing
|
|
// as IPv4 blocking in terms of how likely it
|
|
// is to prevent abuse while still allowing
|
|
// legit users access to the service.
|
|
ipv6Mask := net.CIDRMask(64, 128)
|
|
|
|
return func(c *gin.Context) {
|
|
// Use Gin's heuristic for determining
|
|
// clientIP, which accounts for reverse
|
|
// proxies and trusted proxies setting.
|
|
clientIP := c.ClientIP()
|
|
|
|
// ClientIP must be parseable.
|
|
ip, err := netip.ParseAddr(clientIP)
|
|
if err != nil {
|
|
log.Warnf(
|
|
c.Request.Context(),
|
|
"cannot do rate limiting for this request as client IP %s could not be parsed;"+
|
|
" your upstream reverse proxy may be misconfigured: %v",
|
|
err,
|
|
)
|
|
c.Next()
|
|
return
|
|
}
|
|
|
|
// Check if this IP is exempt from rate
|
|
// limits and skip further checks if so.
|
|
for _, prefix := range except {
|
|
if prefix.Contains(ip) {
|
|
c.Next()
|
|
return
|
|
}
|
|
}
|
|
|
|
if ip.Is6() {
|
|
// Convert to "net" package IP for mask.
|
|
asIP := net.IP(ip.AsSlice())
|
|
|
|
// Apply coarse IPv6 mask.
|
|
asIP = asIP.Mask(ipv6Mask)
|
|
|
|
// Convert back to netip.Addr from net.IP.
|
|
ip, _ = netip.AddrFromSlice(asIP)
|
|
}
|
|
|
|
// Fetch rate limit info for this (masked) clientIP.
|
|
context, err := limiter.Get(c, ip.String())
|
|
if err != nil {
|
|
// Since we use an in-memory cache now,
|
|
// it's actually impossible for this to
|
|
// error, but handle it nicely anyway in
|
|
// case we switch implementation in future.
|
|
errWithCode := gtserror.NewErrorInternalError(err)
|
|
|
|
// Set error on gin context so it'll
|
|
// be picked up by logging middleware.
|
|
c.Error(errWithCode) //nolint:errcheck
|
|
|
|
// Bail with 500.
|
|
c.AbortWithStatusJSON(
|
|
errWithCode.Code(),
|
|
gin.H{"error": errWithCode.Safe()},
|
|
)
|
|
return
|
|
}
|
|
|
|
// Provide reset in same format used by
|
|
// Mastodon. There's no real standard as
|
|
// to what format X-RateLimit-Reset SHOULD
|
|
// use, but since most clients interacting
|
|
// with us will expect the Mastodon version,
|
|
// it makes sense to take this.
|
|
resetT := time.Unix(context.Reset, 0)
|
|
reset := util.FormatISO8601(resetT)
|
|
|
|
c.Header("X-RateLimit-Limit", strconv.FormatInt(context.Limit, 10))
|
|
c.Header("X-RateLimit-Remaining", strconv.FormatInt(context.Remaining, 10))
|
|
c.Header("X-RateLimit-Reset", reset)
|
|
|
|
if context.Reached {
|
|
// Return JSON error message for
|
|
// consistency with other endpoints.
|
|
apiutil.Data(c,
|
|
http.StatusTooManyRequests,
|
|
apiutil.AppJSON,
|
|
apiutil.ErrorRateLimited,
|
|
)
|
|
c.Abort()
|
|
return
|
|
}
|
|
|
|
// Allow the request
|
|
// to continue.
|
|
c.Next()
|
|
}
|
|
}
|