Comments (11)
Thanks for raising @KrisLowet, I agree that a rate limit would be ideal here, and also a random delay if not already there.
I've assigned this to be something for our next patch release.
@samadha56 Thanks for the offer but please don't provide a PR. Your message indicates you may go down a more complex path than needed and this will be something I'd want to merge soon so is something I'd take on myself.
from bookstack.
This has now been added within 69af9e0, and will be part of the patch release to be released soon. This includes a 10 per minute per-IP request limit, in addition to a random pause period during request handling.
Thanks again @KrisLowet for raising this request.
from bookstack.
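A sketch of the mitigation described in the comment above, as an added example and not BookStack's own code from 69af9e0: a per-IP sliding-window limiter at 10 requests per minute, plus a random pause applied on every path so that neither the response body nor the response time distinguishes a known address from an unknown one. The pause bounds, the generic response text and the sample addresses are assumptions made for this example.

```python
import random
import time
from collections import defaultdict, deque

# The thread states a 10-per-minute per-IP limit and a random pause; the
# pause bounds and response text below are constructed for this example.
RESET_LIMIT = 10
WINDOW_SECONDS = 60
PAUSE_RANGE = (0.2, 0.8)
GENERIC_MESSAGE = "If that address is registered, a reset link has been sent."


class PasswordResetLimiter:
    """Per-IP sliding-window limiter plus a random pause for reset requests.

    clock, sleep and rng are injectable so the logic can be exercised
    deterministically; defaults give real timing behaviour.
    """

    def __init__(self, limit=RESET_LIMIT, window=WINDOW_SECONDS,
                 clock=time.monotonic, sleep=time.sleep, rng=random.uniform):
        self.limit, self.window = limit, window
        self.clock, self.sleep, self.rng = clock, sleep, rng
        self.hits = defaultdict(deque)   # ip -> timestamps of recent requests
        self.mails_sent = []             # stands in for the outbound mail queue

    def allow(self, ip):
        """Record one request from ip; False once the window holds `limit` hits."""
        now = self.clock()
        recent = self.hits[ip]
        while recent and now - recent[0] >= self.window:   # drop expired hits
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True

    def handle_reset(self, ip, email, known_emails):
        """Return (HTTP status, body). The body is identical for known and
        unknown addresses, and the random pause runs on every path, so neither
        the message nor the timing reveals whether the account exists."""
        self.sleep(self.rng(*PAUSE_RANGE))
        if not self.allow(ip):
            return 429, "Too many password reset requests. Try again later."
        if email in known_emails:
            self.mails_sent.append(email)   # only real accounts get a mail
        return 200, GENERIC_MESSAGE
```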
I am interested in implementing this feature for the project. This feature will provide rate limiting for password reset requests based on IPs that submit excessive requests for non-existent accounts, thereby enhancing the overall security of the project.
To implement this feature, I will utilize technologies such as CAPTCHA and logging for suspicious IPs to effectively identify and prevent abnormal requests, thus mitigating potential malicious attacks.
I can provide further details regarding the implementation specifics and associated costs after conducting a more thorough review and understanding of the project requirements. I am ready to enhance the security of this project by incorporating this valuable feature.
Thank you for considering me for this opportunity, and I look forward to your response.
from bookstack.
Hi, this vulnerability would be valid to be recognised as a CVE.
from bookstack.
Hi, this vulnerability would be valid to be recognised as a CVE.
Thank you
from bookstack.
@adriantirado Okay, you repeated the same message as above. Or are you asking if we'll create a CVE?
I've always had trouble with the CVE process, and lack of control of CVEs. In the past, they've been opened by bounty platforms or the reporter via their own CNA process. I did open some CVEs through GitHub before but I'm not fully keen on their process and don't really want deeper reliance on GitHub. Maybe something we need to spend time on to formalize, but I remember having trouble understanding CVE management when looking before.
from bookstack.
Hi, so you won't create a CVE for me? And how else could it be formalised? You can try it now, maybe it will work out well?
Thanks
from bookstack.
Hi, is it possible to publish it myself from the cveform page? You would have to give me the data that it asks me for, the version for example. If you accept, I will give you the information that I need to complete the cveform.
Thank you
from bookstack.
Hi
from bookstack.
@adriantirado I've opened #5004 to better think through and formalise our security announcement & CVE process. I've opened this when thinking about CVEs from the above, and since I'm not sure in cases like this if such an issue/change is something within the scope of what we'd announce since to me this is improving/hardening security rather than fixing a vulnerability. Even adding IP-based rate-limiting, the same exploit could still be used but just at a higher cost/effort.
If you have experience in this area (especially in open source), feel free to add your comments in #5004 to help build that process.
from bookstack.
In the end I made v24.05.1 a security release, and it was therefore announced as a security release.
If it was the lack of these referenced rate limits alone, I would not have been too concerned (since we do have rate limits on known emails) but this led me to additional and more substantial concerns in how some other endpoints could be used without limit, and therefore I wrapped up these together into a security release.
I am also testing out requesting CVEs directly with mitre for this, and have requested a CVE ID.
from bookstack.