From 26cc33ce6d81b029059fbafac3a1e61a40f33a3b Mon Sep 17 00:00:00 2001 From: Kevin Owocki Date: Wed, 30 Jun 2021 10:36:53 -0600 Subject: [PATCH 1/4] twilio ddos --- app/dashboard/views.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app/dashboard/views.py b/app/dashboard/views.py index 13bd17e2f80..e15ee0f948b 100644 --- a/app/dashboard/views.py +++ b/app/dashboard/views.py @@ -6811,6 +6811,7 @@ def validate_number(user, twilio, phone, redis, delivery_method='sms'): @login_required +@ratelimit(key='ip', rate='2/m', method=ratelimit.UNSAFE, block=True) def send_verification(request, handle): is_logged_in_user = request.user.is_authenticated and request.user.username.lower() == handle.lower() if not is_logged_in_user: @@ -6863,6 +6864,7 @@ def send_verification(request, handle): @login_required +@ratelimit(key='ip', rate='10/m', method=ratelimit.UNSAFE, block=True) def validate_verification(request, handle): is_logged_in_user = request.user.is_authenticated and request.user.username.lower() == handle.lower() if not is_logged_in_user: From 652b7624577c2e76604493b575f32df5bdb50e39 Mon Sep 17 00:00:00 2001 From: Graham Dixon Date: Wed, 30 Jun 2021 18:57:57 +0100 Subject: [PATCH 2/4] Fixes ratelimiting response page and assigns error message in responseText for sms-verification --- app/assets/v2/js/pages/profile-trust.js | 12 ++++++++++-- app/tdi/views.py | 4 ++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/app/assets/v2/js/pages/profile-trust.js b/app/assets/v2/js/pages/profile-trust.js index 242e2eefe05..d3f02773a16 100644 --- a/app/assets/v2/js/pages/profile-trust.js +++ b/app/assets/v2/js/pages/profile-trust.js @@ -191,7 +191,11 @@ Vue.component('sms-verify-modal', { vm.service.is_verified = true; vm.forceStep = 'validation-complete'; }).catch((e) => { - vm.errorMessage = e.responseJSON.msg; + if (e.status == 403) { + vm.errorMessage = e.responseText; + } else { + vm.errorMessage = e.responseJSON.msg; + } }); } }, 
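Review bot: Keying the new limiter on the client IP alone leaves `send_verification` open to the same abuse from a pool of addresses, because a caller who rotates IPs gets a fresh 2/m budget each time; the view is already behind `@login_required` and bound to `handle`, so stacking a per-account key, `@ratelimit(key='user', rate='2/m', method=ratelimit.UNSAFE, block=True)`, on top of the IP one caps each account as well, and a per-destination-number cap inside the view is what actually bounds the Twilio spend the commit title is about. With `method=ratelimit.UNSAFE` a GET to this view is not throttled, so if the view does not restrict HTTP methods (not visible here) the limiter can be sidestepped. django-ratelimit's 'ip' key reads REMOTE_ADDR, so behind a proxy every caller shares the proxy's bucket unless the real address is restored upstream — worth confirming for this deployment, as is the `ratelimit` import in dashboard/views.py, which this diff does not show. The body of send_verification continues outside the hunk.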
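Review bot: `validate_verification` is the endpoint that checks the submitted code, and a 10/m per-IP limit does little against guessing it from many addresses if the code is a short numeric one, as SMS codes usually are; the limit should also be keyed on the account under attack, `@ratelimit(key='user', rate='10/m', method=ratelimit.UNSAFE, block=True)`, kept alongside the IP decorator since the two buckets are independent. The stored code should additionally be invalidated after a small number of failed attempts, which is a change inside the view's comparison logic rather than in the decorator. The function body continues past the hunk, so that check is not visible here.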
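Review bot: The new branch treats every 403 as the plain-text rate-limit page, but `send_verification` can presumably answer 403 for other reasons too (its `is_logged_in_user` check in the first commit looks like one), and for a JSON body `e.responseText` would then show the raw JSON string to the user. Branching on the body shape is more robust than on the status: `vm.errorMessage = (e.responseJSON && e.responseJSON.msg) ? e.responseJSON.msg : e.responseText;` covers both the limiter's text response and JSON API errors without a status contract. Whatever form is kept, `responseText` is server-controlled text and must keep going through text interpolation rather than `v-html` where `errorMessage` is rendered; the template is not in this diff, so that is worth confirming.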
@@ -260,7 +264,11 @@ Vue.component('sms-verify-modal', { this.countdown(); this.display_email_option = response.allow_email; }).catch((e) => { - vm.errorMessage = e.responseJSON.msg; + if (e.status == 403) { + vm.errorMessage = e.responseText; + } else { + vm.errorMessage = e.responseJSON.msg; + } }); } }, diff --git a/app/tdi/views.py b/app/tdi/views.py index 676e72e2fc1..c6feb0efe96 100644 --- a/app/tdi/views.py +++ b/app/tdi/views.py @@ -25,7 +25,7 @@ from django.contrib.admin.views.decorators import staff_member_required from django.core.exceptions import ValidationError from django.core.validators import validate_email -from django.http import HttpResponse +from django.http import HttpResponseForbidden, HttpResponse from django.shortcuts import redirect from django.template.response import TemplateResponse from django.utils import translation @@ -45,7 +45,7 @@ def ratelimited(request, ratelimited=False): - return whitepaper_access(request, ratelimited=True) + return HttpResponseForbidden("You're ratelimited - Please try again soon", 403) @ratelimit(key='ip', rate='5/m', method=ratelimit.UNSAFE, block=True) From 119400af7ef5dd9ae7288fd7465a49864f8db690 Mon Sep 17 00:00:00 2001 From: Graham Dixon Date: Wed, 30 Jun 2021 19:11:01 +0100 Subject: [PATCH 3/4] Fixes import order --- app/assets/v2/js/pages/profile-trust.js | 6 +++++- app/tdi/views.py | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/app/assets/v2/js/pages/profile-trust.js b/app/assets/v2/js/pages/profile-trust.js index d3f02773a16..6b6c652298e 100644 --- a/app/assets/v2/js/pages/profile-trust.js +++ b/app/assets/v2/js/pages/profile-trust.js @@ -241,7 +241,11 @@ Vue.component('sms-verify-modal', { this.countdown(); this.display_email_option = response.allow_email; }).catch((e) => { - vm.errorMessage = e.responseJSON.msg; + if (e.status == 403) { + vm.errorMessage = e.responseText; + } else { + vm.errorMessage = e.responseJSON.msg; + } }); } }, 
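Review bot: This is the second copy of the same 403/responseText fallback inside `sms-verify-modal`, and the following commit adds a third, so the mapping from a failed response to a message should live in one component method rather than be repeated in each `.catch`. A helper such as `errorFromResponse(e) { return e.status == 403 ? e.responseText : e.responseJSON.msg; }` lets each handler become `vm.errorMessage = vm.errorFromResponse(e);`, and any later hardening (for example tolerating a missing `responseJSON`) lands in one place. The enclosing method starts before the hunk.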
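Review bot: `HttpResponseForbidden("...", 403)` passes 403 as the second positional argument, which in Django's `HttpResponse` signature is `content_type` rather than `status`, so the response (already 403 by virtue of the class) goes out with a `Content-Type: 403` header; drop the argument: `return HttpResponseForbidden("You're ratelimited - Please try again soon")`. Beyond that, a 403 is indistinguishable from a real authorization failure for any client, and the conventional status for a throttled request is 429 with a `Retry-After` header, which would have to be changed together with the JS that now keys on `e.status == 403`. If `ratelimited` is the project-wide RATELIMIT_VIEW (it looks like it, given the dashboard views in the first commit rely on `block=True`), a short docstring saying this is the shared handler for every throttled endpoint would help, since the old body redirecting to `whitepaper_access` suggests it was not treated that way.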
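Review bot: The `e.status == 403` test in the new branch encodes an undocumented contract with the server's rate-limit view, and nothing in the handler says so; a one-line comment, `// 403 is the plain-text ratelimit response; everything else is a JSON API error`, would stop the next reader from "fixing" the fallback. Strict comparison `e.status === 403` would also match the usual ESLint `eqeqeq` profile, assuming the project enforces it (the other commits in this series were lint-driven, but the config is not visible here). The enclosing method starts before the hunk.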
diff --git a/app/tdi/views.py b/app/tdi/views.py index c6feb0efe96..16282531ac5 100644 --- a/app/tdi/views.py +++ b/app/tdi/views.py @@ -25,7 +25,7 @@ from django.contrib.admin.views.decorators import staff_member_required from django.core.exceptions import ValidationError from django.core.validators import validate_email -from django.http import HttpResponseForbidden, HttpResponse +from django.http import HttpResponse, HttpResponseForbidden from django.shortcuts import redirect from django.template.response import TemplateResponse from django.utils import translation From b9201a002c64716317f65d3a47b65cc092af715a Mon Sep 17 00:00:00 2001 From: Graham Dixon Date: Wed, 30 Jun 2021 19:22:21 +0100 Subject: [PATCH 4/4] Fixes linting complaints --- app/assets/v2/js/navbar.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/assets/v2/js/navbar.js b/app/assets/v2/js/navbar.js index 42d23b03cac..905952caf4d 100644 --- a/app/assets/v2/js/navbar.js +++ b/app/assets/v2/js/navbar.js 
@@ -32,10 +32,10 @@ const makeMenu = (navbarEl) => { }; // pull computedRootStyles from shared.js or compute here - const computedRootStyles = (window.hasOwnProperty("computedRootStyles") ? window.computedRootStyles : getComputedStyle(document.documentElement)); + const computedRootStyles = (Object.hasOwnProperty.call(window, 'computedRootStyles') ? window.computedRootStyles : getComputedStyle(document.documentElement)); // pull breakpoint_md from shared.js or from root styles if not present - const breakpoint_md = (window.hasOwnProperty("breakpoint_md") ? window.breakpoint_md : parseFloat(computedRootStyles.getPropertyValue('--breakpoint-md'))); + const breakpoint_md = (Object.hasOwnProperty.call(window, 'breakpoint_md') ? window.breakpoint_md : parseFloat(computedRootStyles.getPropertyValue('--breakpoint-md'))); // read the transition duration from navbar.scss (computedRootStyles is defined in shared.js) const transitionDuration = parseFloat(computedRootStyles.getPropertyValue('--gc-menu-transition-duration')); @@ -199,7 +199,7 @@ const makeMenu = (navbarEl) => { menuContainerEl.classList.remove('open'); // remove .show after the transitions finishes setTimeout(() => { - menuContainerEl.classList.remove('show'); + menuContainerEl.classList.remove('show'); }, transitionDuration); };
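Review bot: `Object.hasOwnProperty.call(window, …)` on the two new `const` lines works only because `Object`, being a function, inherits `hasOwnProperty` from `Object.prototype`; the conventional form readers and linters expect is `Object.prototype.hasOwnProperty.call(window, 'computedRootStyles')` and `Object.prototype.hasOwnProperty.call(window, 'breakpoint_md')`. The behaviour is identical, so this is a readability point only. `makeMenu` starts before the hunk.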