Run prettier (#1866)
Merging this separately so the commit with the tooling change is readable. This is a follow-on to #1167 which turned prettier on.
This commit is contained in:
Paul Melnikow
GitHub
@@ -1,69 +1,83 @@
|
||||
'use strict';
|
||||
'use strict'
|
||||
|
||||
const secretIsValid = require('./secret-is-valid');
|
||||
const serverSecrets = require('../server-secrets');
|
||||
const config = require('../server-config');
|
||||
const RateLimit = require('./rate-limit');
|
||||
const log = require('../log');
|
||||
const secretIsValid = require('./secret-is-valid')
|
||||
const serverSecrets = require('../server-secrets')
|
||||
const config = require('../server-config')
|
||||
const RateLimit = require('./rate-limit')
|
||||
const log = require('../log')
|
||||
|
||||
function secretInvalid(req, res) {
|
||||
if (!secretIsValid(req.password)) {
|
||||
// An unknown entity tries to connect. Let the connection linger for a minute.
|
||||
setTimeout(function() {
|
||||
res.json({errors: [{code: 'invalid_secrets'}]});
|
||||
}, 10000);
|
||||
return true;
|
||||
res.json({ errors: [{ code: 'invalid_secrets' }] })
|
||||
}, 10000)
|
||||
return true
|
||||
}
|
||||
return false;
|
||||
return false
|
||||
}
|
||||
|
||||
function setRoutes(server) {
|
||||
const ipRateLimit = new RateLimit({
|
||||
whitelist: /^192\.30\.252\.\d+$/, // Whitelist GitHub IPs.
|
||||
});
|
||||
const badgeTypeRateLimit = new RateLimit({maxHitsPerPeriod: 3000});
|
||||
})
|
||||
const badgeTypeRateLimit = new RateLimit({ maxHitsPerPeriod: 3000 })
|
||||
const refererRateLimit = new RateLimit({
|
||||
maxHitsPerPeriod: 300,
|
||||
whitelist: /^https?:\/\/shields\.io\/$/,
|
||||
});
|
||||
})
|
||||
|
||||
server.handle(function monitorHandler(req, res, next) {
|
||||
if (req.url.startsWith('/sys/')) {
|
||||
if (secretInvalid(req, res)) { return; }
|
||||
if (secretInvalid(req, res)) {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if (config.rateLimit) {
|
||||
const ip = (req.headers['x-forwarded-for'] || '').split(', ')[0]
|
||||
|| req.socket.remoteAddress;
|
||||
const badgeType = req.url.split(/[/-]/).slice(0, 3).join('');
|
||||
const referer = req.headers['referer'];
|
||||
const ip =
|
||||
(req.headers['x-forwarded-for'] || '').split(', ')[0] ||
|
||||
req.socket.remoteAddress
|
||||
const badgeType = req.url
|
||||
.split(/[/-]/)
|
||||
.slice(0, 3)
|
||||
.join('')
|
||||
const referer = req.headers['referer']
|
||||
|
||||
if (ipRateLimit.isBanned(ip, req, res)) { return; }
|
||||
if (badgeTypeRateLimit.isBanned(badgeType, req, res)) { return; }
|
||||
if (refererRateLimit.isBanned(referer, req, res)) { return; }
|
||||
if (ipRateLimit.isBanned(ip, req, res)) {
|
||||
return
|
||||
}
|
||||
if (badgeTypeRateLimit.isBanned(badgeType, req, res)) {
|
||||
return
|
||||
}
|
||||
if (refererRateLimit.isBanned(referer, req, res)) {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
next();
|
||||
});
|
||||
next()
|
||||
})
|
||||
|
||||
server.get('/sys/network', (req, res) => {
|
||||
res.json({ips: serverSecrets.shieldsIps});
|
||||
});
|
||||
res.json({ ips: serverSecrets.shieldsIps })
|
||||
})
|
||||
|
||||
server.ws('/sys/logs', socket => {
|
||||
const listener = (...msg) => socket.send(msg.join(' '));
|
||||
socket.on('close', () => log.removeListener(listener));
|
||||
const listener = (...msg) => socket.send(msg.join(' '))
|
||||
socket.on('close', () => log.removeListener(listener))
|
||||
socket.on('message', msg => {
|
||||
let req;
|
||||
let req
|
||||
try {
|
||||
req = JSON.parse(msg);
|
||||
} catch(e) { return; }
|
||||
if (!secretIsValid(req.secret)) {
|
||||
return socket.close();
|
||||
req = JSON.parse(msg)
|
||||
} catch (e) {
|
||||
return
|
||||
}
|
||||
log.addListener(listener);
|
||||
});
|
||||
});
|
||||
if (!secretIsValid(req.secret)) {
|
||||
return socket.close()
|
||||
}
|
||||
log.addListener(listener)
|
||||
})
|
||||
})
|
||||
|
||||
server.get('/sys/rate-limit', (req, res) => {
|
||||
res.json({
|
||||
@@ -71,9 +85,9 @@ function setRoutes(server) {
|
||||
badgeType: badgeTypeRateLimit.toJSON(),
|
||||
referer: refererRateLimit.toJSON(),
|
||||
})
|
||||
});
|
||||
})
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
setRoutes,
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1,44 +1,48 @@
|
||||
'use strict';
|
||||
'use strict'
|
||||
|
||||
// A rate limit ensures that a request parameter gets flagged if it goes
|
||||
// above a limit.
|
||||
module.exports = class RateLimit {
|
||||
constructor(options = {}) {
|
||||
// this.hits: Map from request parameters to the number of hits.
|
||||
this.hits = new Map();
|
||||
this.period = options.period || 200; // 3 min ⅓, in seconds
|
||||
this.maxHitsPerPeriod = options.maxHitsPerPeriod || 500;
|
||||
this.banned = new Set();
|
||||
this.bannedUrls = new Set();
|
||||
this.whitelist = options.whitelist
|
||||
|| /(?!)/; // Matches nothing by default.
|
||||
setInterval(this.resetHits.bind(this), this.period * 1000);
|
||||
this.hits = new Map()
|
||||
this.period = options.period || 200 // 3 min ⅓, in seconds
|
||||
this.maxHitsPerPeriod = options.maxHitsPerPeriod || 500
|
||||
this.banned = new Set()
|
||||
this.bannedUrls = new Set()
|
||||
this.whitelist = options.whitelist || /(?!)/ // Matches nothing by default.
|
||||
setInterval(this.resetHits.bind(this), this.period * 1000)
|
||||
}
|
||||
|
||||
resetHits() {
|
||||
this.hits.clear();
|
||||
this.banned.clear();
|
||||
this.bannedUrls.clear();
|
||||
this.hits.clear()
|
||||
this.banned.clear()
|
||||
this.bannedUrls.clear()
|
||||
}
|
||||
|
||||
isBanned(reqParam, req, res) {
|
||||
const hitsInCurrentPeriod = this.hits.get(reqParam) || 0;
|
||||
if ((reqParam != null) && !this.whitelist.test(reqParam)
|
||||
&& (hitsInCurrentPeriod > this.maxHitsPerPeriod)) {
|
||||
this.banned.add(reqParam);
|
||||
const hitsInCurrentPeriod = this.hits.get(reqParam) || 0
|
||||
if (
|
||||
reqParam != null &&
|
||||
!this.whitelist.test(reqParam) &&
|
||||
hitsInCurrentPeriod > this.maxHitsPerPeriod
|
||||
) {
|
||||
this.banned.add(reqParam)
|
||||
}
|
||||
|
||||
if (this.banned.has(reqParam)) {
|
||||
res.statusCode = 429;
|
||||
res.setHeader('Retry-After', String(this.period));
|
||||
res.end(`Exceeded limit ${this.maxHitsPerPeriod} requests ` +
|
||||
`per ${this.period} seconds`);
|
||||
this.bannedUrls.add(req.url);
|
||||
return true;
|
||||
res.statusCode = 429
|
||||
res.setHeader('Retry-After', String(this.period))
|
||||
res.end(
|
||||
`Exceeded limit ${this.maxHitsPerPeriod} requests ` +
|
||||
`per ${this.period} seconds`
|
||||
)
|
||||
this.bannedUrls.add(req.url)
|
||||
return true
|
||||
}
|
||||
|
||||
this.hits.set(reqParam, hitsInCurrentPeriod + 1);
|
||||
return false;
|
||||
this.hits.set(reqParam, hitsInCurrentPeriod + 1)
|
||||
return false
|
||||
}
|
||||
|
||||
toJSON() {
|
||||
@@ -46,6 +50,6 @@ module.exports = class RateLimit {
|
||||
banned: [...this.banned],
|
||||
hits: [...this.hits],
|
||||
urls: [...this.bannedUrls],
|
||||
};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,18 +1,20 @@
|
||||
'use strict';
|
||||
'use strict'
|
||||
|
||||
const serverSecrets = require('../server-secrets');
|
||||
const serverSecrets = require('../server-secrets')
|
||||
|
||||
function secretIsValid(secret = '') {
|
||||
return constEq(secret, serverSecrets.shieldsSecret);
|
||||
return constEq(secret, serverSecrets.shieldsSecret)
|
||||
}
|
||||
|
||||
function constEq(a, b) {
|
||||
if (a.length !== b.length) { return false; }
|
||||
let zero = 0;
|
||||
for (let i = 0; i < a.length; i++) {
|
||||
zero |= a.charCodeAt(i) ^ b.charCodeAt(i);
|
||||
if (a.length !== b.length) {
|
||||
return false
|
||||
}
|
||||
return (zero === 0);
|
||||
let zero = 0
|
||||
for (let i = 0; i < a.length; i++) {
|
||||
zero |= a.charCodeAt(i) ^ b.charCodeAt(i)
|
||||
}
|
||||
return zero === 0
|
||||
}
|
||||
|
||||
module.exports = secretIsValid;
|
||||
module.exports = secretIsValid
|
||||
|
||||
Reference in New Issue
Block a user