torjus/apiary
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request 'Fix DOS using query endpoint' (#1) from bug/query-dos into master

Browse Source 
Reviewed-on: #1
This commit is contained in:
Torjus Håkestad 2022-02-09 14:10:08 +00:00
commit cd376a0d00
1 changed files with 6 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
honeypot/ssh/store/postgres.go
View File

@ -173,23 +173,23 @@ func (s *PostgresStore) Query(query AttemptQuery) ([]models.LoginAttempt, error)
var stmt string var stmt string
queryString := query.Query queryString := query.Query
const limit = 10000
switch query.QueryType { switch query.QueryType {
case AttemptQueryTypeIP: case AttemptQueryTypeIP:
stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
FROM login_attempts WHERE remote_ip = $1` FROM login_attempts WHERE remote_ip = $1 order by date desc limit $2`
case AttemptQueryTypePassword: case AttemptQueryTypePassword:
stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
FROM login_attempts WHERE password like $1` FROM login_attempts WHERE password = $1 order by date desc limit $2`
queryString = fmt.Sprintf("%%%s%%", queryString)
case AttemptQueryTypeUsername: case AttemptQueryTypeUsername:
stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
FROM login_attempts WHERE username like $1` FROM login_attempts WHERE username = $1 order by date desc limit $2`
queryString = fmt.Sprintf("%%%s%%", queryString)
default: default:
return nil, fmt.Errorf("invalid query type") return nil, fmt.Errorf("invalid query type")
} }
rows, err := s.db.Query(stmt, queryString) rows, err := s.db.Query(stmt, queryString, limit)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to query database: %w", err) return nil, fmt.Errorf("unable to query database: %w", err)
} }
@ -204,7 +204,6 @@ func (s *PostgresStore) Query(query AttemptQuery) ([]models.LoginAttempt, error)
} }
la.RemoteIP = net.ParseIP(ipString) la.RemoteIP = net.ParseIP(ipString)
results = append(results, la) results = append(results, la)
} }
return results, nil return results, nil