
fix(core): Rate limit MFA activation and verification endpoints #10330

Merged
merged 1 commit into from
Aug 8, 2024

Conversation

netroy (Member) commented Aug 8, 2024

Summary

Right now it is possible to enumerate MFA endpoints. Since there is no real use-case where someone needs to make repeated calls to these endpoints, we should rate-limit them.

Related Linear tickets, Github issues, and Community forum posts

SEC-71

Review / Merge checklist

  • PR title and summary are descriptive
  • Tests included
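As an added illustration of the mitigation the PR describes (this is example code, not n8n's own implementation and not the change merged here): a sliding-window rate limiter placed in front of an MFA verification handler. The request shape, the two budgets (5 attempts per source IP per 5 minutes, 10 attempts per account per 15 minutes), and the constructed `EXPECTED_CODES` table standing in for TOTP validation are all assumptions made for the example.

```typescript
// Added example: rate-limited MFA verification. Not n8n code; all names and limits are assumed.

interface MfaRequest {
  ip: string;       // source address, as a reverse proxy or the socket reports it
  userId: string;   // account whose second factor is being checked
  mfaCode: string;  // submitted 6-digit code
}

interface Response {
  status: number;
  body: string;
}

interface LimiterOptions {
  windowMs: number; // length of the sliding window in milliseconds
  limit: number;    // attempts allowed per key inside one window
}

// In-memory sliding-window limiter. A multi-replica deployment would need a
// shared store (e.g. Redis) so every process sees the same counters.
class SlidingWindowLimiter {
  private readonly hits = new Map<string, number[]>();

  constructor(private readonly opts: LimiterOptions) {}

  // Records this attempt if budget remains and reports whether it was allowed.
  consume(key: string, now: number): boolean {
    const cutoff = now - this.opts.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    const allowed = recent.length < this.opts.limit;
    if (allowed) recent.push(now);
    this.hits.set(key, recent);
    return allowed;
  }
}

// Constructed stand-in for "compute the TOTP for this user's secret and compare".
const EXPECTED_CODES: Record<string, string> = { "user-1": "482913" };

// Compare without early exit so a wrong code takes the same time regardless of
// how many leading digits happen to match.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function codeMatches(userId: string, submitted: string): boolean {
  const expected = EXPECTED_CODES[userId];
  return expected !== undefined && constantTimeEqual(submitted, expected);
}

// Two budgets: per source IP stops one client hammering the endpoint; per
// account stops a distributed guess against a single user's 6-digit code.
const perIp = new SlidingWindowLimiter({ windowMs: 5 * 60_000, limit: 5 });
const perAccount = new SlidingWindowLimiter({ windowMs: 15 * 60_000, limit: 10 });

function verifyMfa(req: MfaRequest, now: number = Date.now()): Response {
  // Charge both budgets before any verification work, so every call (right or
  // wrong code) costs one attempt and a throttled caller learns nothing about the code.
  const ipOk = perIp.consume(`ip:${req.ip}`, now);
  const accountOk = perAccount.consume(`user:${req.userId}`, now);
  if (!ipOk || !accountOk) {
    return { status: 429, body: "Too many MFA attempts, try again later" };
  }
  if (!codeMatches(req.userId, req.mfaCode)) {
    return { status: 401, body: "Invalid MFA code" };
  }
  return { status: 200, body: "MFA verified" };
}
```

Two caveats a reviewer would raise on any real deployment of this pattern: an in-memory store only throttles per process, so a horizontally scaled service needs a shared counter store; and the per-account budget means an attacker who knows a victim's user id can deliberately exhaust it and lock the victim out of the MFA step, so that limit must be generous enough that it only bites during a brute-force attempt.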

tomi (Collaborator) left a comment

🚀

github-actions bot (Contributor) commented Aug 8, 2024

✅ All Cypress E2E specs passed

cypress bot commented Aug 8, 2024

Test summary

Passed: 395  Failed: 0  Pending: 0  Skipped: 0  Flakiness: 0

Run details

Project: n8n
Status: Passed
Commit: f330449
Started: Aug 8, 2024 12:52 PM
Ended: Aug 8, 2024 12:57 PM
Duration: 04:44
OS: Linux Debian
Browser: Electron 118

@n8n-assistant n8n-assistant bot added core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team labels Aug 8, 2024
@netroy netroy merged commit b6c47c0 into master Aug 8, 2024
28 checks passed
@netroy netroy deleted the SEC-71-rate-limit-more-endpoints branch August 8, 2024 13:01
MiloradFilipovic added a commit that referenced this pull request Aug 9, 2024
* master:
  fix(core): Prevent XSS via static cache dir (#10339)
  fix(editor): Enable credential sharing between all types of projects (#10233)
  refactor(core): Extract webhook request handler to own file (#10301)
  feat: Allow sharing to and from team projects (no-changelog) (#10144)
  refactor(editor): Convert ChangePasswordModal to composition api (no-changelog) (#10337)
  docs: Change display name for WhatsApp Trigger API Credential (#10334)
  fix(core): Do not load ScalingService in regular mode (no-changelog) (#10333)
  docs: Update wording in X credentials (#10327)
  fix(editor): Fixing XSS vulnerability in toast messages (#10329)
  fix(core): Rate limit MFA activation and verification endpoints (#10330)
  refactor(core): Decouple emailing and workflow sharing from internal hooks (no-changelog) (#10326)
  refactor(core): Stop reporting disk I/O error to Sentry (no-changelog) (#10324)
@github-actions github-actions bot mentioned this pull request Aug 14, 2024
janober (Member) commented Aug 15, 2024

Got released with n8n@1.55.0
