0001-misc-add-rate-limiting-to-tracking-code-URLs-35395.patch

Frédéric Péters, 14 août 2019 09:43

Voir les différences: en ligne côte à côte

Subject: [PATCH] misc: add rate limiting to tracking code URLs (#35395)

 combo/apps/wcs/views.py | 22 +++++++++++++++++++---
 combo/settings.py       |  3 +++
 debian/control          |  1 +
 setup.py                |  1 +
 tests/conftest.py       |  9 +++++++++
 tests/test_wcs.py       | 12 ++++++++++--
 6 files changed, 43 insertions(+), 5 deletions(-)

     import re
     from django.contrib import messages
     from django.conf import settings
     from django.core.exceptions import PermissionDenied
     from django.core.urlresolvers import reverse
     from django.http import JsonResponse, HttpResponseRedirect, HttpResponseBadRequest
     from django.utils.http import urlquote
-...
     from django.views.decorators.csrf import csrf_exempt
     from django.views.generic import View
     import ratelimit.utils
     from .models import TrackingCodeInputCell
     from .utils import get_wcs_services
-...
             return super(TrackingCodeView, self).dispatch(*args, **kwargs)
         @classmethod
         def search(self, code, wcs_site=None):
         def search(self, code, request, wcs_site=None):
             code = code.strip().upper()
             if wcs_site:
                 wcs_sites = [get_wcs_services().get(wcs_site)]
             else:
                 wcs_sites = get_wcs_services().values()
             rate_limit_option = settings.WCS_TRACKING_CODE_RATE_LIMIT
             if rate_limit_option and rate_limit_option != 'none':
                 for rate_limit in rate_limit_option.split():
                     ratelimited = ratelimit.utils.is_ratelimited(
                             request=request,
                             group='trackingcode',
                             key='ip',
                             rate=rate_limit,
                             increment=True)
                     if ratelimited:
                         raise PermissionDenied('rate limit reached (%s)' % rate_limit)
             for wcs_site in wcs_sites:
                 response = requests.get('/api/code/' + urlquote(code),
                         remote_service=wcs_site, log_errors=False)
-...
                 return HttpResponseBadRequest('Missing code')
             code = request.POST['code']
             url = self.search(code, wcs_site=cell.wcs_site)
             url = self.search(code, request, wcs_site=cell.wcs_site)
             if url:
                 return HttpResponseRedirect(url)
-...
         query = request.GET.get('q') or ''
         query = query.strip().upper()
         if re.match(r'^[BCDFGHJKLMNPQRSTVWXZ]{8}$', query):
             url = TrackingCodeView.search(query)
             url = TrackingCodeView.search(query, request)
             if url:
                 hits.append({
                     'text': _('Use tracking code %s') % query,

     # default duration of notifications (in days)
     COMBO_DEFAULT_NOTIFICATION_DURATION = 3
     # tracking code thorttling
     WCS_TRACKING_CODE_RATE_LIMIT = '3/s 1500/d'
     # predefined slots for assets
     # example: {'banner': {'label': 'Banner image'}}
     COMBO_ASSET_SLOTS = {}

debian/control
22	22	python-xstatic-roboto-fontface (<< 0.5.0.0),
23	23	python-eopayment (>= 1.35),
24	24	python-django-haystack (>= 2.4.0),
	25	python-django-ratelimit,
25	26	python-sorl-thumbnail,
26	27	python-pil,
27	28	python-pywebpush,

setup.py
161	161	'python-dateutil',
162	162	'djangorestframework>=3.3, <3.7',
163	163	'django-haystack',
	164	'django-ratelimit<3',
164	165	'whoosh',
165	166	'sorl-thumbnail',
166	167	'Pillow',

         except User.DoesNotExist:
             user = User.objects.create_superuser('admin', email=None, password='admin')
         return user
     @pytest.fixture
     def nocache(settings):
         settings.CACHES = {
             'default': {
                 'BACKEND': 'django.core.cache.backends.dummy.DummyCache',
+            }
+        }

     @wcs_present
     def test_tracking_code_cell(app):
     def test_tracking_code_cell(app, nocache):
         Page.objects.all().delete()
         page = Page(title='One', slug='index', template_name='standard')
         page.save()
-...
             assert u'>Picture — form title (test)<' in resp.text
     @wcs_present
     def test_tracking_code_search(app):
     def test_tracking_code_search(app, nocache):
         assert len(app.get('/api/search/tracking-code/').json.get('data')) == 0
         assert len(app.get('/api/search/tracking-code/?q=123').json.get('data')) == 0
         assert len(app.get('/api/search/tracking-code/?q=BBCCDFF').json.get('data')) == 0
-...
         assert len(app.get('/api/search/tracking-code/?q=BBCCDDFFG').json.get('data')) == 0
         assert len(app.get('/api/search/tracking-code/?q= cnphntfb').json.get('data')) == 1
     @wcs_present
     def test_tracking_code_search_rate_limit(app):
         app.get('/api/search/tracking-code/?q=BBCCDDFF')
         app.get('/api/search/tracking-code/?q=BBCCDDFF')
         app.get('/api/search/tracking-code/?q=BBCCDDFF')
         app.get('/api/search/tracking-code/?q=BBCCDDFF', status=403)
         app.get('/api/search/tracking-code/?q=BBCCDDFF', status=403)
     @wcs_present
     def test_wcs_search_engines(app):
         search_engines = engines.get_engines()
+    -

Projet

Général

Profil

Produits Entr'ouvert » Combo

0001-misc-add-rate-limiting-to-tracking-code-URLs-35395.patch