The Wayback Machine - https://web.archive.org/web/20221031014914/https://github.com/symfony/symfony/pull/47283
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[HttpFoundation] Prevent accepted rate limits with no remaining token to be preferred over denied ones #47283

Merged
merged 1 commit into from Aug 19, 2022
Merged

[HttpFoundation] Prevent accepted rate limits with no remaining token to be preferred over denied ones #47283

merged 1 commit into from Aug 19, 2022

Conversation

MatTheCat
Copy link
Contributor

@MatTheCat MatTheCat commented Aug 15, 2022
edited

Q A
Branch? 5.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #47282
License MIT
Doc PR N/A

When a rate limit is first accepted with no remaining token, following rejected rate limits will be ignored because they also will have no remaining token. The request would then be processed.

@carsonbot carsonbot added this to the 5.4 milestone Aug 15, 2022
wouterj
wouterj requested changes Aug 15, 2022
View changes
Copy link
Member

@wouterj wouterj left a comment

Thanks for the blazing fast bug fix, @MatTheCat!

Can you please add a test case for this fix, so we can be sure not to break it in the future?

src/Symfony/Component/HttpFoundation/RateLimiter/AbstractRequestRateLimiter.php Outdated Show resolved Hide resolved
@wouterj wouterj linked an issue Aug 15, 2022 that may be closed by this pull request
[Security] login_throttling un-blocking for *one* attempt at "5 * max_attempts" #47282
Closed
@MatTheCat
Copy link
Contributor Author

MatTheCat commented Aug 15, 2022
edited

@wouterj thanks! What should I do to make my test pass? Seems my changes are missing from them 🤔

@MatTheCat MatTheCat requested a review from chalasr as a code owner Aug 16, 2022
@MatTheCat MatTheCat force-pushed the ticket_47282 branch 2 times, most recently from 751caf4 to d07c9ea Compare Aug 16, 2022
@wouterj
Copy link
Member

wouterj commented Aug 16, 2022

See https://symfony.com/doc/current/contributing/code/pull_requests.html#automated-tests for more information about our test suite.

The failing checks are checking each individual package, rather than the monorepo. So it'll download rate limiter in the current available version, rather than the version of your PR.

Ideally, we would have a test for this abstract class' behavior in the HttpFoundation component itself. If you have some time, it would be great to create a MockRequestRateLimiter and add this specific test case there (based on the test that you've added).

@MatTheCat MatTheCat force-pushed the ticket_47282 branch 3 times, most recently from 9ef5695 to 311c53b Compare Aug 16, 2022
@MatTheCat
Copy link
Contributor Author

MatTheCat commented Aug 16, 2022

Okay, remaining failures seem unrelated 👌

wouterj
wouterj approved these changes Aug 18, 2022
View changes
Copy link
Member

@wouterj wouterj left a comment

Looking good!

@fabpot
Copy link
Member

fabpot commented Aug 19, 2022

Thank you @MatTheCat.

@fabpot fabpot merged commit 5294748 into symfony:5.4 Aug 19, 2022
2 checks passed
@MatTheCat MatTheCat deleted the ticket_47282 branch Aug 19, 2022
@fabpot fabpot mentioned this pull request Aug 26, 2022
Merged
This was referenced Aug 26, 2022
Merged
Merged
@fabpot fabpot mentioned this pull request Sep 30, 2022
Merged
Reviewers

@wouterj wouterj

@chalasr chalasr

Assignees
No one assigned
Labels
Bug HttpFoundation Status: Reviewed
Projects
None yet
Milestone
5.4
Development

Successfully merging this pull request may close these issues.

[Security] login_throttling un-blocking for *one* attempt at "5 * max_attempts"
4 participants
@MatTheCat @wouterj @fabpot @carsonbot