chore: Limit widget endpoint with rack attack (#6465)

ref: https://github.com/chatwoot/chatwoot/issues/1007#issuecomment-1427156094
2023-02-16 10:11:40 +05:30
parent 7044eda281
commit 0888596b83
1 changed files with 5 additions and 0 deletions
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -104,6 +104,11 @@ class Rack::Attack
  throttle('api/v1/widget/contacts', limit: 60, period: 1.hour) do |req|
    req.ip if req.path_without_extentions == '/api/v1/widget/contacts' && (req.patch? || req.put?)
  end
+
+  ## Prevent Conversation Bombing through multiple sessions
+  throttle('widget?website_token={website_token}&cw_conversation={x-auth-token}', limit: 5, period: 1.hour) do |req|
+    req.ip if req.path_without_extentions == '/widget' && ActionDispatch::Request.new(req.env).params['cw_conversation'].blank?
+  end
 end

 # Log blocked events