Fix DOS using query endpoint #1
@ -173,23 +173,23 @@ func (s *PostgresStore) Query(query AttemptQuery) ([]models.LoginAttempt, error)
|
|||||||
var stmt string
|
var stmt string
|
||||||
queryString := query.Query
|
queryString := query.Query
|
||||||
|
|
||||||
|
const limit = 10000
|
||||||
|
|
||||||
switch query.QueryType {
|
switch query.QueryType {
|
||||||
case AttemptQueryTypeIP:
|
case AttemptQueryTypeIP:
|
||||||
stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
|
stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
|
||||||
FROM login_attempts WHERE remote_ip = $1`
|
FROM login_attempts WHERE remote_ip = $1 order by date desc limit $2`
|
||||||
case AttemptQueryTypePassword:
|
case AttemptQueryTypePassword:
|
||||||
stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
|
stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
|
||||||
FROM login_attempts WHERE password like $1`
|
FROM login_attempts WHERE password = $1 order by date desc limit $2`
|
||||||
queryString = fmt.Sprintf("%%%s%%", queryString)
|
|
||||||
case AttemptQueryTypeUsername:
|
case AttemptQueryTypeUsername:
|
||||||
stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
|
stmt = `SELECT id, date, remote_ip, username, password, client_version, connection_uuid, country
|
||||||
FROM login_attempts WHERE username like $1`
|
FROM login_attempts WHERE username = $1 order by date desc limit $2`
|
||||||
queryString = fmt.Sprintf("%%%s%%", queryString)
|
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("invalid query type")
|
return nil, fmt.Errorf("invalid query type")
|
||||||
}
|
}
|
||||||
|
|
||||||
rows, err := s.db.Query(stmt, queryString)
|
rows, err := s.db.Query(stmt, queryString, limit)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("unable to query database: %w", err)
|
return nil, fmt.Errorf("unable to query database: %w", err)
|
||||||
}
|
}
|
||||||
@ -204,7 +204,6 @@ func (s *PostgresStore) Query(query AttemptQuery) ([]models.LoginAttempt, error)
|
|||||||
}
|
}
|
||||||
la.RemoteIP = net.ParseIP(ipString)
|
la.RemoteIP = net.ParseIP(ipString)
|
||||||
results = append(results, la)
|
results = append(results, la)
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return results, nil
|
return results, nil
|
||||||
|
Loading…
Reference in New Issue
Block a user