From 0888596b839dbcf2c7d0b88d281d9cf65eabb7a1 Mon Sep 17 00:00:00 2001
From: Sojan Jose
Date: Thu, 16 Feb 2023 10:11:40 +0530
Subject: [PATCH] chore: Limit widget endpoint with rack attack (#6465)

ref: https://github.com/chatwoot/chatwoot/issues/1007#issuecomment-1427156094
---
 config/initializers/rack_attack.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 46ca2cdcb..f04ecaadb 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -104,6 +104,11 @@ class Rack::Attack
   throttle('api/v1/widget/contacts', limit: 60, period: 1.hour) do |req|
     req.ip if req.path_without_extentions == '/api/v1/widget/contacts' && (req.patch? || req.put?)
   end
+
+  ## Prevent Conversation Bombing through multiple sessions
+  throttle('widget?website_token={website_token}&cw_conversation={x-auth-token}', limit: 5, period: 1.hour) do |req|
+    req.ip if req.path_without_extentions == '/widget' && ActionDispatch::Request.new(req.env).params['cw_conversation'].blank?
+  end
 end
 
 # Log blocked events
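Review bot: The new throttle keys only on `params['cw_conversation'].blank?`, so any request that carries a non-empty value, valid or not, is exempt from this rule; whether such a request can still open a fresh conversation is decided in the widget controller outside this hunk, but if it can, the rule should be keyed on the outcome it is meant to prevent (a new session actually being created) rather than on the parameter merely being present. A limit of 5 per hour on `req.ip` is also tight for visitors sharing a NAT or carrier address, and `req.ip` is only as trustworthy as the trusted-proxy configuration, so the added comment should state the intent and the trade-off, e.g. `## Prevent Conversation Bombing: at most 5 widget loads without a cw_conversation token (i.e. new sessions) per IP per hour; shared-IP visitors will be affected`. The rule name `'widget?website_token={website_token}&cw_conversation={x-auth-token}'` is only a cache-key label, not a route, and a plain name such as `'widget/new_session'` would be easier to find in logs and in the Rack::Attack throttle notifications. The enclosing `class Rack::Attack` starts before this hunk.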