SECURITY: Add rate limits for uploads

app/controllers/uploads_controller.rb

@@ -25,6 +25,13 @@ def create
     # capture current user for block later on
     me = current_user
 
+    RateLimiter.new(
+      current_user,
+      "uploads-per-minute",
+      SiteSetting.max_uploads_per_minute,
+      1.minute.to_i,
+    ).performed!
+
     params.permit(:type, :upload_type)
     raise Discourse::InvalidParameters if params[:type].blank? && params[:upload_type].blank?
     # 50 characters ought to be enough for the upload type

config/site_settings.yml

@@ -2228,6 +2228,9 @@ rate_limits:
   max_complete_multipart_per_minute:
     default: 10
     hidden: true
+  max_uploads_per_minute:
+    default: 10
+    hidden: true
 
 developer:
   force_hostname:

spec/requests/uploads_controller_spec.rb

@@ -19,6 +19,32 @@
       let(:fake_jpg) { Rack::Test::UploadedFile.new(file_from_fixtures("fake.jpg")) }
       let(:text_file) { Rack::Test::UploadedFile.new(File.new("#{Rails.root}/LICENSE.txt")) }
 
+      context "when rate limited" do
+        before { RateLimiter.enable }
+
+        use_redis_snapshotting
+
+        it "should return 429 response code when maximum number of uploads per minute has been exceeded for a user" do
+          SiteSetting.max_uploads_per_minute = 1
+
+          post "/uploads.json",
+               params: {
+                 file: Rack::Test::UploadedFile.new(logo_file),
+                 type: "avatar",
+               }
+
+          expect(response.status).to eq(200)
+
+          post "/uploads.json",
+               params: {
+                 file: Rack::Test::UploadedFile.new(logo_file),
+                 type: "avatar",
+               }
+
+          expect(response.status).to eq(429)
+        end
+      end
+
       it "expects a type or upload_type" do
         post "/uploads.json", params: { file: logo }
         expect(response.status).to eq(400)