
fix: Add brute force protection to form endpoints #2269

Merged
merged 3 commits into from
Jan 23, 2025
Merged

Conversation

susnux
Collaborator

@susnux susnux commented Aug 7, 2024

Endpoints that query for forms are now protected against brute force attacks to find valid forms, invalid hashes or IDs.
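The pattern the description refers to, as an added illustration rather than the Forms app's own code: Nextcloud's built-in throttling is enabled per endpoint with the `BruteForceProtection` attribute, and every failed lookup by ID or share hash is reported with `throttle()` so repeated guesses get slowed down and eventually rejected. The controller name, `FormMapper`, `findById()` and `findByHash()` are assumed names standing in for the app's persistence layer.

```php
<?php
// Added example of Nextcloud's brute-force throttling on a form lookup endpoint.
// Not the Forms app's actual code: FormLookupController, FormMapper, findById()
// and findByHash() are assumed names for the app's own classes.
declare(strict_types=1);

namespace OCA\Forms\Controller;

use OCA\Forms\Db\FormMapper;
use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\BruteForceProtection;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\Attribute\PublicPage;
use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\OCSController;
use OCP\IRequest;

class FormLookupController extends OCSController {
	public function __construct(
		string $appName,
		IRequest $request,
		private FormMapper $formMapper,
	) {
		parent::__construct($appName, $request);
	}

	// Logged-in lookup by numeric ID. The attribute makes the framework's
	// middleware honour throttle() on the response and delay or block
	// a client whose failed attempts for the 'form' action pile up.
	#[NoAdminRequired]
	#[BruteForceProtection(action: 'form')]
	public function getById(int $formId): DataResponse {
		try {
			$form = $this->formMapper->findById($formId);
		} catch (DoesNotExistException) {
			return $this->notFoundThrottled();
		}
		return new DataResponse(['id' => $form->getId()]);
	}

	// Public lookup by share hash: the same protection, since an unauthenticated
	// caller guessing hashes is the case most worth slowing down.
	#[PublicPage]
	#[BruteForceProtection(action: 'form')]
	public function getByHash(string $hash): DataResponse {
		try {
			$form = $this->formMapper->findByHash($hash);
		} catch (DoesNotExistException) {
			return $this->notFoundThrottled();
		}
		return new DataResponse(['id' => $form->getId()]);
	}

	// A miss is answered with 404 and counted against the caller; a hit is not.
	private function notFoundThrottled(): DataResponse {
		$response = new DataResponse([], Http::STATUS_NOT_FOUND);
		$response->throttle(['action' => 'form']);
		return $response;
	}
}
```

Only failed lookups call `throttle()`, so legitimate users reading existing forms never accumulate attempts.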

@susnux susnux added bug Something isn't working 3. to review Waiting for reviews labels Aug 7, 2024
@susnux susnux added this to the 4.3 milestone Aug 7, 2024
@susnux susnux requested review from Koc and Chartman123 August 7, 2024 09:30

codecov bot commented Aug 7, 2024

Codecov Report

Attention: Patch coverage is 46.00000% with 27 lines in your changes missing coverage. Please review.

Project coverage is 43.40%. Comparing base (6ee4774) to head (4203396).
Report is 16 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main    #2269      +/-   ##
============================================
- Coverage     43.40%   43.40%   -0.01%     
- Complexity      881      882       +1     
============================================
  Files            75       77       +2     
  Lines          3361     3359       -2     
============================================
- Hits           1459     1458       -1     
+ Misses         1902     1901       -1     

@Chartman123
Collaborator

Could you perhaps base this on my api PR?

@Chartman123 Chartman123 modified the milestones: 4.3, 5.0 Sep 29, 2024
@Chartman123
Collaborator

@susnux thanks to @provokateurin we could finally merge the OpenAPI PR, so I think that you can now go on with this PR and base it on the current main.

@susnux
Collaborator Author

susnux commented Jan 17, 2025

@Chartman123 rebased and adjusted to the new controller

Endpoints that query for forms are now protected against brute force
attacks to find valid forms, invalid hashes or IDs.

Signed-off-by: Ferdinand Thiessen <[email protected]>
@Chartman123
Collaborator

Should we add the brute force protection to the page controller for public share hashes too?

Member

@provokateurin provokateurin left a comment


Changes look good, but I have little knowledge about the Forms app, so I have to leave it to someone else.

Co-authored-by: Christian Hartmann <[email protected]>
Signed-off-by: Ferdinand Thiessen <[email protected]>
@susnux susnux requested a review from Chartman123 January 20, 2025 11:31
Collaborator

@Chartman123 Chartman123 left a comment


Should be fine now :) Just squash the commits and then we're good to go. And we can add the protection in the PageController in a follow-up :)

@susnux susnux merged commit 6b8fdad into main Jan 23, 2025
54 checks passed
@susnux susnux deleted the fix/sec-get-form branch January 23, 2025 07:24