rate_limiter: Rate limit the /new/ endpoint.

2025-11-04 05:53:43 +00:00 · 2021-07-19 20:31:09 +02:00
parent 4418aefde4
commit 1c64bed8e4
4 changed files with 18 additions and 1 deletions
--- a/zerver/tests/test_external.py
+++ b/zerver/tests/test_external.py
@@ -172,6 +172,17 @@ class RateLimitTests(ZulipTestCase):
            # even in case of failure, to avoid polluting the rules state.
            remove_ratelimit_rule(1, 5, domain="api_by_ip")

+    def test_create_realm_rate_limiting(self) -> None:
+        with self.settings(OPEN_REALM_CREATION=True):
+            add_ratelimit_rule(1, 5, domain="create_realm_by_ip")
+            try:
+                RateLimitedIPAddr("127.0.0.1").clear_history()
+                self.do_test_hit_ratelimits(
+                    lambda: self.client_post("/new/", {"email": "new@zulip.com"})
+                )
+            finally:
+                remove_ratelimit_rule(1, 5, domain="create_realm_by_ip")
+
    @skipUnless(settings.ZILENCER_ENABLED, "requires zilencer")
    def test_hit_ratelimits_as_remote_server(self) -> None:
        add_ratelimit_rule(1, 5, domain="api_by_remote_server")
--- a/zerver/views/registration.py
+++ b/zerver/views/registration.py
@@ -26,7 +26,7 @@ from confirmation.models import (
    validate_key,
 )
 from zerver.context_processors import get_realm_from_request, login_context
-from zerver.decorator import do_login, require_post
+from zerver.decorator import do_login, rate_limit_request_by_ip, require_post
 from zerver.forms import (
    FindMyTeamForm,
    HomepageForm,
@@ -590,6 +590,8 @@ def create_realm(request: HttpRequest, creation_key: Optional[str] = None) -> Ht
    if request.method == "POST":
        form = RealmCreationForm(request.POST)
        if form.is_valid():
+            rate_limit_request_by_ip(request, domain="create_realm_by_ip")
+
            email = form.cleaned_data["email"]
            activation_url = prepare_activation_url(email, request, realm_creation=True)
            if key_record is not None and key_record.presume_email_valid:
--- a/zproject/computed_settings.py
+++ b/zproject/computed_settings.py
@@ -384,6 +384,9 @@ RATE_LIMITING_RULES = {
    "authenticate_by_username": [
        (1800, 5),  # 5 login attempts within 30 minutes
    ],
+    "create_realm_by_ip": [
+        (1800, 5),
+    ],
    "password_reset_form_by_email": [
        (3600, 2),  # 2 reset emails per hour
        (86400, 5),  # 5 per day
--- a/zproject/test_extra_settings.py
+++ b/zproject/test_extra_settings.py
@@ -264,6 +264,7 @@ RATE_LIMITING_RULES: Dict[str, List[Tuple[int, int]]] = {
    "api_by_ip": [],
    "api_by_remote_server": [],
    "authenticate_by_username": [],
+    "create_realm_by_ip": [],
    "password_reset_form_by_email": [],
 }