Fix DoS vulnerability in play_card API by adding rate limiting #2629
Open
xovishnukosuri wants to merge 1 commit into OWASP:master from
Conversation
The API pipeline lacked rate limiting protection, allowing unlimited concurrent requests to the play_card endpoint. This could exhaust database connections and corrupt game state. Fix adds the existing RateLimiterPlug to the :api pipeline with a new :play_card action (10 requests/60s per IP), makes the plug action-configurable, and returns proper JSON 429 responses for API endpoints.

Closes OWASP#2559

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

- Add rate limiting to the `:api` pipeline via `RateLimiterPlug` to protect the `play_card` endpoint from DoS attacks (fixes 🚨 Security Issue: play_card API Vulnerable to DoS Attack - 29% Success Rate Confirmed #2559)
- Add `:play_card` action in `RateLimiter` GenServer with a default limit of 10 requests per 60-second window per IP (configurable via `RATE_LIMIT_PLAY_CARD_LIMIT` and `RATE_LIMIT_PLAY_CARD_WINDOW` env vars)
- Make `RateLimiterPlug` action-configurable via plug options, returning JSON 429 responses for API endpoints while maintaining backwards-compatible plain-text responses for the browser pipeline

Details

The vulnerability existed because the `:api` pipeline in `router.ex` had no `RateLimiterPlug`, unlike the `:browser` pipeline. This allowed attackers to send unlimited concurrent requests to `PUT /api/games/:game_id/players/:player_id/card`, exhausting database connections and corrupting game state through race conditions (29% of 100 simultaneous requests succeeded per the issue report).

Files changed:

- `lib/copi_web/router.ex` — Add `RateLimiterPlug` to `:api` pipeline with `action: :play_card`
- `lib/copi/rate_limiter.ex` — Add `:play_card` action with limit/window config
- `lib/copi_web/plugs/rate_limiter_plug.ex` — Make action configurable, add JSON 429 responses for non-connection actions
- `test/copi/rate_limiter_test.exs` — Add tests for play_card rate limiting and config

Test plan

- `rate_limiter_test.exs` tests pass (backwards compatibility of `:connection` action)
- `play_card` rate limit test passes (blocks after 10 requests in 60s window)
- `rate_limiter_plug_test.exs` tests pass (plug still defaults to `:connection` with no opts)
- `api_controller_test.exs` tests pass (play_card endpoint still works under limit)

🤖 Generated with Claude Code
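The mechanism the PR describes, modelled as an added example in Python rather than the project's Elixir code: requests are counted per (action, client IP) inside a fixed window, the limit defaults to 10 per 60 seconds, a refused request gets a 429 with a JSON body for API routes or plain text for browser routes, and the `:connection` and `:play_card` counters stay independent. This is not the OWASP project's `RateLimiterPlug`; the class and function names, the injectable clock, the dict-shaped requests and the simulated burst of 100 requests from one address are all constructed for the illustration. The burst is the point worth seeing: without the lock around the counter check, simultaneous requests could all observe "9 so far" and slip through together, which is the same race-condition shape the issue report describes at the database layer.

```python
"""Per-IP, per-action fixed-window rate limiting in front of an API handler.

Added example, not code from the OWASP project or its Elixir RateLimiterPlug.
All names, the injectable clock and the simulated requests are constructed.
"""
import json
import math
import threading
import time
from typing import Callable, Dict, Tuple


class RateLimiter:
    """Fixed-window counter keyed by (action, ip).

    The first request for a key opens a window of `window` seconds; once
    `limit` requests have been counted in it, further requests are refused
    until the window expires. `clock` is injectable so a test can move time.
    """

    def __init__(self, limit: int = 10, window: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock
        self._buckets: Dict[Tuple[str, str], Tuple[float, int]] = {}
        # One decision at a time: concurrent requests must not all observe
        # count == limit - 1 and be admitted together.
        self._lock = threading.Lock()

    def check(self, action: str, ip: str) -> Tuple[bool, int, int]:
        """Return (allowed, remaining_in_window, retry_after_seconds)."""
        now = self.clock()
        with self._lock:
            start, count = self._buckets.get((action, ip), (now, 0))
            if now - start >= self.window:  # window expired: open a new one
                start, count = now, 0
            if count >= self.limit:
                retry_after = max(1, math.ceil(self.window - (now - start)))
                return False, 0, retry_after
            self._buckets[(action, ip)] = (start, count + 1)
            return True, self.limit - (count + 1), 0


def rate_limit_plug(limiter: RateLimiter, action: str, fmt: str = "json"):
    """Wrap a request handler so refused requests get a 429 before it runs.

    `fmt` selects the refusal body: "json" for API pipelines, anything else
    for the plain-text response a browser pipeline expects.
    """
    def wrap(handler):
        def call(request: dict) -> dict:
            allowed, remaining, retry_after = limiter.check(action, request["remote_ip"])
            if allowed:
                response = handler(request)
                response.setdefault("headers", {})["x-ratelimit-remaining"] = str(remaining)
                return response
            headers = {"retry-after": str(retry_after)}
            if fmt == "json":
                headers["content-type"] = "application/json"
                body = json.dumps({"error": "rate_limited", "retry_after": retry_after})
            else:
                headers["content-type"] = "text/plain"
                body = "Too many requests"
            return {"status": 429, "headers": headers, "body": body}
        return call
    return wrap


def simulate_burst(n: int = 100, limit: int = 10) -> Tuple[int, int, int]:
    """Fire n simultaneous play_card requests from one constructed IP.

    Returns (accepted, refused, handler_invocations); with the limiter in
    place only `limit` requests reach the handler, whatever n is.
    """
    limiter = RateLimiter(limit=limit, window=60.0)
    handled = []

    def play_card(request: dict) -> dict:
        handled.append(request)  # stands in for the database write
        return {"status": 200, "body": json.dumps({"ok": True})}

    endpoint = rate_limit_plug(limiter, "play_card", "json")(play_card)
    statuses, statuses_lock = [], threading.Lock()

    def worker() -> None:
        status = endpoint({"remote_ip": "203.0.113.7"})["status"]
        with statuses_lock:
            statuses.append(status)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return statuses.count(200), statuses.count(429), len(handled)


if __name__ == "__main__":
    print(simulate_burst())  # (10, 90, 10)
```

The `Retry-After` header is computed from the remaining window so a well-behaved client knows when to try again; a fixed window is deliberately simple and lets up to 2× the limit through across a window boundary, which is acceptable for the goal here (bounding concurrent writes from one address) but is the trade-off to keep in mind against a sliding window.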