Skip to content

fix(security): resolve DoS vulnerability and rate limit bypass in badge rate limiter (#3120)#3142

Open
desireddymohithreddy0925 wants to merge 1 commit into
Priyanshu-byte-coder:mainfrom
desireddymohithreddy0925:fix/badge-rate-limiter
Open

fix(security): resolve DoS vulnerability and rate limit bypass in badge rate limiter (#3120)#3142
desireddymohithreddy0925 wants to merge 1 commit into
Priyanshu-byte-coder:mainfrom
desireddymohithreddy0925:fix/badge-rate-limiter

Conversation

@desireddymohithreddy0925

Copy link
Copy Markdown
Contributor

Summary

Optimizes the rate limiter's sliding window cleanup process to prevent CPU-based Denial of Service, and patches a bypass vulnerability caused by trusting spoofed client headers.

Closes #3120


Type of Change

  • 🔒 Security fix
  • ⚡ Performance improvement

What Changed

  • Throttled the pruneStore execution in src/lib/badge-rate-limit.ts to run once per minute, preventing CPU exhaustion from full-map scans on every request.
  • Removed blind trust of the x-forwarded-for header in getBadgeClientIp. Now prioritizes secure Edge/Vercel trusted IP headers and native connection IPs.

@github-actions github-actions Bot added type:bug GSSoC type bonus: bug fix type:feature GSSoC type bonus: new feature type:performance GSSoC type bonus: performance (+15 pts) gssoc26 GSSoC 2026 contribution type:security GSSoC type bonus: security (+20 pts) labels Jul 5, 2026
@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix type:feature GSSoC type bonus: new feature type:performance GSSoC type bonus: performance (+15 pts) type:security GSSoC type bonus: security (+20 pts)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Denial of Service (DoS) Vulnerability and Rate Limit Bypass in Badge Rate Limiter

1 participant