Add Throttle Exempt Option #4841


Open
litzinger opened this issue May 14, 2025 · 6 comments

Comments

@litzinger
Contributor

I had an interesting feature request come in for DataGrab (https://boldminded.com/support/ticket/3100) and after looking into it, it feels like add-ons should be able to do things that are exempt from throttling, instead of making the add-on jump through hoops to get around the throttling. So I took a little stab at what this might look like, and it's a fairly easy implementation.

Thoughts?

In Core.php:

```php
// Security Checks: Throttle, Block and Allow, File Integrity, and iFraming
if (REQ != 'CP') {
    $this->throttle();

    ee()->load->library('blockedlist');
    ee()->blockedlist->_check_blockedlist();

    ee()->load->library('file_integrity');
    ee()->file_integrity->create_bootstrap_checksum();

    $this->setFrameHeaders();
}
```

and add:

```php
private function throttle()
{
    // Skip throttling only for ACT requests whose action row is flagged exempt.
    if (REQ === 'ACTION') {
        $action = ee('Model')->get('Action')
            ->filter('action_id', ee()->input->get_post('ACT'))
            ->first();

        if ($action?->throttle_exempt) {
            return;
        }
    }

    // Everything else goes through the normal throttling library.
    ee()->load->library('throttling');
    ee()->throttling->run();
}
```

Update the model:

```php
class Action extends Model
{
    protected static $_primary_key = 'action_id';
    protected static $_table_name = 'actions';

    protected static $_validation_rules = array(
        'csrf_exempt' => 'enum[0,1]',
        'throttle_exempt' => 'enum[0,1]',
    );

    protected $action_id;
    protected $class;
    protected $method;
    protected $csrf_exempt;
    protected $throttle_exempt;
}
```

Finally, add it to the db.
@jHards
Contributor

jHards commented May 19, 2025

Feature discussion #4813 came from the same starting point.

@intoeetive
Contributor

@litzinger I think the ability for add-ons to define their own throttling setting is good, however I'm not sure if letting them disable throttling completely for themselves is a good idea.

The whole idea of throttling checks is related to the danger of DDoS attacks, and if the attacker knows the action endpoint that's exempt from throttling they would just target it.

Instead, I think we could let the add-ons override some of the throttling settings for themselves, such as time_interval.

Thoughts?

@litzinger
Contributor Author

litzinger commented May 20, 2025

If an add-on were to set a time_interval override, and multiple add-ons needed to set this override, then there would be multiple override settings scattered throughout the add-ons section, each implemented differently (e.g. where it resides in the add-on's settings section, how they built the form, etc.).

I still feel like this should be handled at the system level, since it's a system feature. What if there was a pass code requirement too? A simple 6 or 8 character code that needed to be passed along with the request and if it doesn't match what is in the exp_actions table (this would be a new column) then it fails.

https://mysite.com?ACT=123&passcode=hwo9x4

This would make it harder for someone to spam the endpoint. Guessing ACT ids is easy, but if they don't know the passcode then they can't DDoS.

@intoeetive
Contributor

I like the passcode idea and I agree with the complexity sentiment. It's a lot easier to manage a system-wide solution.

@bryannielsen @matthewjohns0n what are your thoughts?

@matthewjohns0n
Member

I tend to think allowing add-ons to bypass throttling is reasonable. I also like the pass code idea to limit any DDoS potential.

@litzinger
Contributor Author

litzinger commented May 20, 2025

FWIW I have a passcode option in DataGrab already. It doesn't do anything with throttling... it's just used as a bit of an additional security step so an import can't arbitrarily be executed by someone guessing the ACT id.

It's possible the throttle_exempt and passcode options for the actions request could be used independently too.
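The combination discussed in this thread, an action-level `throttle_exempt` flag that only takes effect when a per-action passcode matches the request, as an added standalone illustration that is not ExpressionEngine code and not part of the proposal above. The in-memory `exp_actions` rows are constructed, the `passcode` column is the hypothetical one litzinger described, and `throttleRequired()` / `findAction()` are illustrative names; inside `Core::throttle()` the same decision would be made against the `Action` model and `ee()->input->get_post('passcode')`.

```php
<?php
// Added example (not ExpressionEngine's code): evaluating a throttle-exempt flag
// together with a per-action passcode for an ACT request, offline, with PHP only.
declare(strict_types=1);

/**
 * Decide whether the throttling library must run for this request.
 *
 * Returns true (throttle) by default. Returns false (exempt) only when the
 * matched action is flagged throttle_exempt AND, if the action carries a
 * passcode, the request supplied a matching one. A missing or wrong passcode
 * never grants exemption, so guessing ACT ids alone does not bypass throttling.
 */
function throttleRequired(?array $action, array $request): bool
{
    if ($action === null) {
        return true;                          // unknown ACT: throttle as usual
    }
    if ((int) ($action['throttle_exempt'] ?? 0) !== 1) {
        return true;                          // not exempt: throttle as usual
    }
    $expected = $action['passcode'] ?? null;  // hypothetical exp_actions column
    if ($expected === null || $expected === '') {
        return false;                         // exempt, no passcode configured
    }
    $supplied = $request['passcode'] ?? '';
    if (!is_string($supplied)) {
        return true;                          // arrays etc. never match
    }
    // Constant-time comparison so the passcode cannot be recovered via timing.
    return !hash_equals($expected, $supplied);
}

/** Look up an action row by ACT id in a constructed in-memory table. */
function findAction(array $table, $act): ?array
{
    if (!ctype_digit((string) $act)) {
        return null;                          // non-numeric ACT: no match
    }
    return $table[(int) $act] ?? null;
}

// Constructed sample of exp_actions rows keyed by action_id.
$actions = [
    101 => ['class' => 'Comment',  'method' => 'insert_new_comment',
            'csrf_exempt' => 0, 'throttle_exempt' => 0, 'passcode' => null],
    123 => ['class' => 'Datagrab', 'method' => 'run_import',
            'csrf_exempt' => 1, 'throttle_exempt' => 1, 'passcode' => 'hwo9x4'],
    150 => ['class' => 'Webhook',  'method' => 'receive',
            'csrf_exempt' => 1, 'throttle_exempt' => 1, 'passcode' => null],
];

// Constructed sample requests (what ee()->input->get_post() would return).
$cases = [
    ['ACT' => '123', 'passcode' => 'hwo9x4'],  // correct passcode: exempt
    ['ACT' => '123', 'passcode' => 'wrong1'],  // wrong passcode: throttled
    ['ACT' => '123'],                           // passcode omitted: throttled
    ['ACT' => '150'],                           // exempt, no passcode configured
    ['ACT' => '101'],                           // ordinary action: throttled
    ['ACT' => '999'],                           // unknown ACT: throttled
];

foreach ($cases as $get) {
    $action = findAction($actions, $get['ACT']);
    $run = throttleRequired($action, $get);
    printf("ACT=%s passcode=%s -> %s\n",
        $get['ACT'], $get['passcode'] ?? '(none)', $run ? 'throttle' : 'exempt');
}
```

Run with `php example.php`; the first case and the `ACT=150` case print `exempt`, the other four print `throttle`. The design point is the fail-closed default: every path that cannot positively prove exemption (unknown action, flag not set, passcode configured but absent or wrong) falls through to the existing throttling library, which keeps a guessed ACT id no more useful to a spammer than it is today.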
