rate_limit: Restrict tornado backend to explicitly specified domains.

This will protect us in case of some kinds of bugs that could allow
making requests such as password authentication attempts to tornado.
Without restricting the domains to which the in-memory backend can
be applied, such bugs would lead to attackers having multiple times
larger rate limits for these sensitive requests.
Mateusz Mandera
2020-05-25 21:50:07 +02:00
committed by Tim Abbott
parent ad99bba121
commit 13c3eaf086
3 changed files with 17 additions and 4 deletions


@@ -32,8 +32,6 @@ class RateLimitedObject(ABC):
def __init__(self, backend: Optional['Type[RateLimiterBackend]']=None) -> None:
if backend is not None:
self.backend: Type[RateLimiterBackend] = backend
elif settings.RUNNING_INSIDE_TORNADO:
self.backend = TornadoInMemoryRateLimiterBackend
else:
self.backend = RedisRateLimiterBackend
@@ -111,7 +109,11 @@ class RateLimitedUser(RateLimitedObject):
def __init__(self, user: UserProfile, domain: str='api_by_user') -> None:
self.user = user
self.domain = domain
super().__init__()
if settings.RUNNING_INSIDE_TORNADO and domain in settings.RATE_LIMITING_DOMAINS_FOR_TORNADO:
backend: Optional[Type[RateLimiterBackend]] = TornadoInMemoryRateLimiterBackend
else:
backend = None
super().__init__(backend=backend)
def key(self) -> str:
return "{}:{}:{}".format(type(self).__name__, self.user.id, self.domain)
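Review bot: The new `if settings.RUNNING_INSIDE_TORNADO and domain in settings.RATE_LIMITING_DOMAINS_FOR_TORNADO:` branch in `RateLimitedUser.__init__` has no comment recording why the in-memory backend is allowlisted, so a later edit could widen it without realising that sensitive domains must stay on Redis. I would add above it `# Only allowlisted domains may use the in-memory backend; anything else (e.g. password authentication) must stay on Redis so its limit is not multiplied.` The membership test is exact only when the setting is a list, tuple or set. Its definition is not visible in this section, but if it were ever a plain string, `in` would match substrings. A test asserting that a non-listed domain inside Tornado resolves to `RedisRateLimiterBackend` would pin the fallback, unless one of the other changed files already covers it.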