From e685639e84fc13ad5baeb9320f6d0a1f965243e8 Mon Sep 17 00:00:00 2001
From: Deimos
Date: Sat, 12 Dec 2020 15:48:38 -0700
Subject: [PATCH] Apply global rate-limit to Stripe donate endpoint

People are still continuing to try to abuse the donate page to check stolen credit card numbers, and last night there was a massive burst of attempts coming from many IPs, so the current rate-limiting wasn't able to block most of it. Luckily Stripe blocked all of the charges this time, but I can't keep risking another incident where Tildes is the source of a bunch of fraudulent charges. This adds a global rate-limit to the donate page that should never get hit during normal usage. Hopefully this will be enough to keep the abuse away from the page when it stops working for them relatively quickly.
---
 tildes/tildes/lib/ratelimit.py | 3 +++
 tildes/tildes/views/donate.py | 1 +
 2 files changed, 4 insertions(+)

diff --git a/tildes/tildes/lib/ratelimit.py b/tildes/tildes/lib/ratelimit.py
index 8efa256..9bd7002 100644
--- a/tildes/tildes/lib/ratelimit.py
+++ b/tildes/tildes/lib/ratelimit.py
@@ -308,6 +308,9 @@ _RATE_LIMITED_ACTIONS = (
 RateLimitedAction("topic_post", timedelta(hours=4), 10, max_burst=4),
 RateLimitedAction("comment_post", timedelta(hours=1), 10, max_burst=5),
 RateLimitedAction("donate_stripe", timedelta(hours=1), 5, by_user=False),
+ RateLimitedAction(
+ "global_donate_stripe", timedelta(hours=1), 20, by_user=False, by_ip=False
+ ),
 )
 
 # (public) dict to be able to look up the actions by name
diff --git a/tildes/tildes/views/donate.py b/tildes/tildes/views/donate.py
index a0dbfcd..96d7743 100644
--- a/tildes/tildes/views/donate.py
+++ b/tildes/tildes/views/donate.py
@@ -41,6 +41,7 @@ def get_donate_stripe(request: Request) -> dict:
 },
 location="form",
 )
+@rate_limit_view("global_donate_stripe")
 @rate_limit_view("donate_stripe")
 def post_donate_stripe(
 request: Request, amount: int, currency: str, interval: str
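Review bot: The new `global_donate_stripe` entry has no comment explaining that a limit keyed on neither user nor IP (`by_user=False, by_ip=False`) is a deliberate tripwire against distributed card-testing, and that tripping it blocks every legitimate donor for the rest of the window — a later maintainer is likely to read 20 per hour as a bug and raise it. I'd put above the entry: `# Deliberately keyed on neither user nor IP: a global tripwire against distributed card-testing. When it trips, legitimate donors are blocked too, so treat a hit on this limit as an attack signal worth alerting on rather than a threshold to tune.` The entry also omits `max_burst` where `topic_post` and `comment_post` set it; if the default allows all 20 to be consumed in one burst, it is worth saying so explicitly, since a burst is exactly what the commit message describes. The enclosing `_RATE_LIMITED_ACTIONS` tuple starts before the hunk.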
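Review bot: Placing `@rate_limit_view("global_donate_stripe")` outermost means the global limit is checked before the per-IP `donate_stripe` limit, so if `rate_limit_view` consumes a slot on each check (as throttle-style limiters usually do; the implementation is outside this hunk) a single IP that is already rejected per-IP keeps draining the shared 20/hour budget and can lock out every legitimate donor on its own. Swapping the two decorators so the per-IP check runs first caps any one IP's contribution to the global budget at its own 5/hour: `@rate_limit_view("donate_stripe")` above `@rate_limit_view("global_donate_stripe")`. If the limiter only counts requests that pass the check, the current order is harmless and a one-line comment stating that would save the next reader the same question. `post_donate_stripe`'s body continues past the end of the hunk.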