Apply global rate-limit to Stripe donate endpoint

People are still continuing to try to abuse the donate page to check
stolen credit card numbers, and last night there was a massive burst of
attempts coming from many IPs, so the current rate-limiting wasn't able
to block most of it. Luckily Stripe blocked all of the charges this
time, but I can't keep risking another incident where Tildes is the
source of a bunch of fraudulent charges.

This adds a global rate-limit to the donate page that should never get
hit during normal usage. Hopefully this will be enough to keep the abuse
away from the page when it stops working for them relatively quickly.
branch: merge-requests/126/merge
Deimos, 4 years ago
commit e685639e84

Files changed:
  1. tildes/tildes/lib/ratelimit.py (+3)
  2. tildes/tildes/views/donate.py (+1)

3
tildes/tildes/lib/ratelimit.py

@ -308,6 +308,9 @@ _RATE_LIMITED_ACTIONS = (
RateLimitedAction("topic_post", timedelta(hours=4), 10, max_burst=4), RateLimitedAction("topic_post", timedelta(hours=4), 10, max_burst=4),
RateLimitedAction("comment_post", timedelta(hours=1), 10, max_burst=5), RateLimitedAction("comment_post", timedelta(hours=1), 10, max_burst=5),
RateLimitedAction("donate_stripe", timedelta(hours=1), 5, by_user=False), RateLimitedAction("donate_stripe", timedelta(hours=1), 5, by_user=False),
RateLimitedAction(
"global_donate_stripe", timedelta(hours=1), 20, by_user=False, by_ip=False
),
) )
# (public) dict to be able to look up the actions by name # (public) dict to be able to look up the actions by name
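Review bot: the new "global_donate_stripe" entry sets both `by_user=False` and `by_ip=False`, which no other action in this tuple does (the existing "donate_stripe" entry only sets `by_user=False`), so it is worth confirming that RateLimitedAction builds a usable single shared key when neither dimension is enabled rather than an empty or per-IP one; a one-line comment on the entry recording the intent from the commit message (a global bucket that normal traffic should never reach, and that will also lock out legitimate donors for up to an hour once a burst of abuse fills it) would help the next person reading this table understand why 20 per hour is deliberately low.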

1
tildes/tildes/views/donate.py

@ -41,6 +41,7 @@ def get_donate_stripe(request: Request) -> dict:
}, },
location="form", location="form",
) )
@rate_limit_view("global_donate_stripe")
@rate_limit_view("donate_stripe") @rate_limit_view("donate_stripe")
def post_donate_stripe( def post_donate_stripe(
request: Request, amount: int, currency: str, interval: str request: Request, amount: int, currency: str, interval: str
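Review bot: decorator order here makes `@rate_limit_view("global_donate_stripe")` the outermost wrapper, so it runs before the per-IP "donate_stripe" check on every POST; if rate_limit_view consumes a token from its bucket before calling the wrapped view, a single IP that is already blocked per-IP will still drain the shared global quota with each retry and can lock out everyone else sooner than intended. Consider swapping the two decorators so the per-IP limit rejects first and only requests that pass it count against the global bucket, or confirm that the decorator only records a hit when the request reaches the view.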