
Implement minimum and maximum timespans to protect against DoS #128

Open
svierne opened this issue Jan 4, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@svierne
Contributor

svierne commented Jan 4, 2024

Observed behaviour

With the current implementation, the bot can be DoSed by setting up a recurring reminder as follows:
!remindroom every 1 second; now; spam

Proposed fix

Implement config variables for minimum and maximum timespans, e.g.

reminders:
    timespan_min: "1 minute"
    timespan_max: "1 year"

For reminders above and below the timespan limit, the bot should respond with an error.
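As an added illustration of the proposed check (not code from the bot or from this issue), the following assumes the `timespan_min`/`timespan_max` keys exactly as proposed above, parses human timespans like "1 minute", and validates the `every <timespan>` clause of a `!remindroom` command; it covers recurring intervals only, not cron schedules.

```python
import re
from datetime import timedelta
from typing import Optional

# Config keys as proposed in the issue; the final schema is an assumption.
REMINDER_CONFIG = {
    "timespan_min": "1 minute",
    "timespan_max": "1 year",
}

# Unit table for "<n> <unit>[s]" timespans; month/year are approximations.
_UNIT_SECONDS = {
    "second": 1, "minute": 60, "hour": 3600, "day": 86400,
    "week": 604800, "month": 30 * 86400, "year": 365 * 86400,
}
_TIMESPAN_RE = re.compile(r"^\s*(\d+)\s*([a-z]+?)s?\s*$", re.IGNORECASE)

def parse_timespan(text: str) -> timedelta:
    """Parse '1 second', '2 weeks', ... into a timedelta; raise ValueError otherwise."""
    m = _TIMESPAN_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised timespan: {text!r}")
    count, unit = int(m.group(1)), m.group(2).lower()
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown unit in timespan: {text!r}")
    return timedelta(seconds=count * _UNIT_SECONDS[unit])

def check_interval(interval_text: str, config=REMINDER_CONFIG) -> Optional[str]:
    """Return an error message to send back to the user, or None if acceptable."""
    lo = parse_timespan(config["timespan_min"])
    hi = parse_timespan(config["timespan_max"])
    try:
        interval = parse_timespan(interval_text)
    except ValueError as exc:
        return str(exc)
    if interval < lo:
        return f"Interval {interval_text!r} is below the minimum of {config['timespan_min']}."
    if interval > hi:
        return f"Interval {interval_text!r} exceeds the maximum of {config['timespan_max']}."
    return None

def validate_remind_command(command: str, config=REMINDER_CONFIG) -> Optional[str]:
    """Check the 'every <timespan>' part of '!remindroom <schedule>; <time>; <text>'."""
    body = command.split(maxsplit=1)[1] if " " in command else ""
    schedule = body.split(";")[0].strip()          # e.g. "every 1 second"
    if not schedule.lower().startswith("every "):
        return None                                 # one-shot reminder: no interval to check
    return check_interval(schedule[len("every "):], config)
```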

@HarHarLinks
Collaborator

There are also already rate limits for the different endpoints in the Client-Server API to prevent similar spam. I think it's good to act like a "good citizen" trying to prevent "spam" at the source.

I wonder if something in nio already takes care of rate limits blocking messages from being sent and retrying. There might not.

I'm assuming these are supposed to apply to the intervals of repeating reminders. What would be the purpose of the upper limit?

Note to potential implementers: remember cronjobs as well.

@HarHarLinks HarHarLinks added the enhancement New feature or request label Jan 6, 2024
@svierne
Contributor Author

svierne commented Jan 12, 2024

The upper limit will prevent, for example, reminders that are created just for fun, reminding you of the new century 2100 or something.
