From b950c9107aa4f0bc86d0055d6d806d80cd4e9839 Mon Sep 17 00:00:00 2001
From: Aevann
Date: Wed, 24 Apr 2024 14:14:59 +0200
Subject: [PATCH] add 1/second ratelimit to all POST
---
 files/routes/admin.py | 2 ++
 files/routes/chats.py | 4 ++++
 files/routes/posts.py | 4 ++++
 files/routes/settings.py | 2 ++
 files/routes/users.py | 2 ++
 5 files changed, 14 insertions(+)
diff --git a/files/routes/admin.py b/files/routes/admin.py
index bab779cb0..1978817cd 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -1995,6 +1995,8 @@ def change_under_siege(v):
 return render_template('admin/under_siege.html', v=v, thresholds=thresholds)
 @app.post("/admin/under_siege")
+@limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @admin_level_required(PERMS['CHANGE_UNDER_SIEGE'])
diff --git a/files/routes/chats.py b/files/routes/chats.py
index ef839501d..c549a9ca5 100644
--- a/files/routes/chats.py
+++ b/files/routes/chats.py
@@ -103,6 +103,8 @@ def chat(v, chat_id):
 @app.post("/chat//name")
+@limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
@@ -125,6 +127,8 @@ def change_chat_name(v, chat_id):
 return redirect(f"/chat/{chat.id}")
 @app.post("/chat//leave")
+@limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
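Review bot: The two added `1/second` limits sit above `@admin_level_required`, so they are evaluated before the permission check — the right order for an abuse control — but the `key_func=get_ID` bucket then also serves callers who are not logged in, and what `get_ID` yields for an anonymous request is not visible in this diff. If it returns a falsy key, the limiter may skip that limit or lump every anonymous caller into a single bucket; please confirm and record the intent, e.g. `# limits run before the permission check on purpose; get_ID must give a stable key for anonymous callers`. The `change_under_siege` view this stack decorates continues outside the hunk.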
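Review bot: `scope=rpath` presumably keys the bucket by request path, so on a parameterized route like this chat-name endpoint the `1/second` limit is per chat rather than one POST per second per user as the commit title suggests — a client can still send one request per second to each of N chats. If a single per-user POST cadence is the goal, give these two limits a fixed scope string shared by every POST route instead of `rpath`; if per-endpoint throttling is intended, a comment such as `# 1/s per (path, ip) and per (path, user): distinct resources are throttled independently` would spare the next reader the same question. The decorated `change_chat_name` view body lies outside the hunk.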
diff --git a/files/routes/posts.py b/files/routes/posts.py
index 4d5ca4151..b2180e53a 100644
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -939,6 +939,8 @@ def profile_pin(post_id, v):
 return abort(404, "Post not found!")
 @app.post("/post//new")
+@limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
@@ -961,6 +963,8 @@ def set_new_sort(post_id, v):
 @app.post("/post//hot")
+@limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
diff --git a/files/routes/settings.py b/files/routes/settings.py
index bae7817a7..cb1f8be18 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -42,6 +42,8 @@ def settings_personal(v):
 return render_template("settings/personal.html", v=v, msg=get_msg(), error=get_error())
 @app.post('/settings/remove_background')
+@limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
diff --git a/files/routes/users.py b/files/routes/users.py
index 6e0b4fe36..51206ec07 100644
--- a/files/routes/users.py
+++ b/files/routes/users.py
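Review bot: The same four-decorator stack is now pasted verbatim onto every POST route in this series, which is exactly how `toggle_pins` in users.py ends up carrying only three of them; one helper that applies the stack once would keep the limits from drifting between routes. Stacking decorators is plain function composition, so the helper below applies the same `limiter.limit` objects in the same order (innermost first) with `scope`, `key_func` and `deduct_when` unchanged, and replaces the four lines with a single `@ratelimit_post`; it belongs in whichever module already exports `limiter`, `rpath` and `get_ID`. The `set_new_sort` view this hunk decorates continues past the hunk.
```python
def ratelimit_post(f):
    """Apply the standard POST rate-limit stack once so every route gets identical limits."""
    for lim in (
        limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID),
        limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400),
        limiter.limit('1/second', scope=rpath, key_func=get_ID),
        limiter.limit('1/second', scope=rpath),
    ):
        f = lim(f)
    return f

# … unchanged: @app.post route line …
@ratelimit_post
@auth_required
# … unchanged: set_new_sort body …
```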
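Review bot: Unlike the existing `DEFAULT_RATELIMIT` lines, the two added `1/second` limits carry no `deduct_when`, so a request rejected with a 4xx (a failed CSRF or validation check, say) still consumes the one-per-second slot and the user's immediate retry is refused. Counting failed attempts is the stronger choice for an abuse control, but next to the lines below it the asymmetry reads like an oversight; a comment such as `# no deduct_when on purpose: failed attempts count toward the 1/s limit too` would keep someone from "fixing" it later. If it is not intentional, add the same `deduct_when` to both new lines. The decorated `remove_background` view is outside the hunk.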
@@ -1282,6 +1282,8 @@ def subscribed_posts(v, username):
 return get_saves_and_subscribes(v, "userpage/posts.html", Subscription, page, False)
 @app.post("/toggle_pins//")
+@limiter.limit('1/second', scope=rpath)
+@limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 def toggle_pins(hole, sort):
 if sort == 'hot': default = True
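Review bot: `toggle_pins` takes no `v` and has no `@auth_required` in view, yet the hunk adds a `key_func=get_ID` limit to it; for an unauthenticated caller the per-user key depends entirely on what `get_ID` returns, which this diff does not show — an empty key may be skipped by the limiter or collapse every anonymous caller into one bucket. The route also keeps only the IP-keyed `DEFAULT_RATELIMIT`, unlike every other route in this series, so it is now inconsistent in two directions. Either add the missing `@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)` line so the route matches the others, or drop the `get_ID` variant here and say why in a comment. The body of `toggle_pins` continues past the end of the hunk.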