security vulnerability: bypass throttling #8127
Comments
So, this has come up a bunch of times... The throttling isn't intended as a security feature, and will have some fuzziness. It's not so much "thread-safety", as it is to do with using a non-transactional approach when reading/writing the throttling history. (because the cache backends don't have any obvious way to support transactions.) We read the throttle history from the cache, do a bit of work to determine what the new history should be, and then store that... https://github.com/encode/django-rest-framework/blob/master/rest_framework/throttling.py#L123-L132 There's plenty of scope for someone to implement an alternative throttle that does have locking, but it's not obvious to me what a good approach would be? Looking into this a bit - Redis supports named locks, and the |
I'm following this |
I don't think this is caused by it being non-transactional. It's that the code doesn't consider thread-safety. In https://github.com/encode/django-rest-framework/blob/master/rest_framework/throttling.py#L123-L132 at the start, when requesting concurrently, it is possible for multiple threads to pass through this line of code ( Then self.history == [], so will |
Each request will end up with a clean throttle instance, they're not shared between requests. |
But each time the value of self.history is sourced from the cache, it is equivalent to a global array. When determining and modifying a value is not an atomic operation, it will inevitably lead to bypass problems. |
Exactly, yes. A |
I sent an email a long time ago, but there was no response.
Because the throttling is not thread-safe, I can bypass the throttling via concurrent requests.
This is my example code:
This is my concurrency test:
This is the result:
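The read-decide-write sequence discussed above, reproduced deterministically as an added example. This is not code from the django-rest-framework project or from any commenter; `FakeCache`, `ReadModifyWriteThrottle`, `LockedThrottle`, `run_concurrent`, `demo` and the `before_write` hook are all constructed for the demonstration. The hook parks every thread on a barrier after it has read the history and before it writes back, which is the window the comments describe, so the racy variant admits all concurrent requests against a limit of one, while the variant that holds a lock around the whole sequence admits exactly one. The lock shown is an in-process `threading.Lock`, which only covers a single worker process; a multi-process deployment would need the lock in the shared store itself (the named Redis lock mentioned in the maintainer comment).

```python
import threading
import time


class FakeCache:
    """Minimal dict-backed stand-in for a Django cache backend (constructed for
    this example; real backends expose the same get/set shape)."""

    def __init__(self):
        self._data = {}

    def get(self, key, default=None):
        return self._data.get(key, default)

    def set(self, key, value, timeout=None):
        self._data[key] = value


class ReadModifyWriteThrottle:
    """Throttle with the read-decide-write shape the thread describes: load the
    request history for a key, drop timestamps outside the window, refuse when
    the window is full, otherwise append and store. Nothing serialises the read
    against the write, so concurrent requests for one key can all observe the
    same history and all be allowed."""

    def __init__(self, cache, num_requests, duration, before_write=None):
        self.cache = cache
        self.num_requests = num_requests
        self.duration = duration
        # Hypothetical hook used only by the demo to make the race reproducible:
        # it runs between the decision and the write.
        self.before_write = before_write

    def allow_request(self, key):
        now = time.time()
        # Newest timestamp first, so expired entries are popped from the end.
        history = list(self.cache.get(key, []))
        while history and history[-1] <= now - self.duration:
            history.pop()
        if len(history) >= self.num_requests:
            return False
        if self.before_write is not None:
            self.before_write()
        history.insert(0, now)
        self.cache.set(key, history, self.duration)
        return True


class LockedThrottle(ReadModifyWriteThrottle):
    """Same logic, but the whole read-decide-write runs under one lock, so it
    is atomic within a single process. Across several worker processes the
    lock would have to live in the shared store (e.g. a named Redis lock)."""

    _lock = threading.Lock()

    def allow_request(self, key):
        with self._lock:
            return super().allow_request(key)


def run_concurrent(throttle, key, n):
    """Fire n requests for the same key at once; return how many were allowed."""
    allowed = []
    allowed_lock = threading.Lock()

    def worker():
        ok = throttle.allow_request(key)
        with allowed_lock:
            allowed.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(allowed)


def demo(n=10, limit=1):
    """Return (allowed by the racy throttle, allowed by the locked throttle)
    for n simultaneous requests against a limit of `limit` per window. The
    barrier holds every thread after it has read the empty history and before
    it writes, so all n see a free slot; the locked variant admits one."""
    barrier = threading.Barrier(n)
    racy = ReadModifyWriteThrottle(FakeCache(), limit, 60, before_write=barrier.wait)
    locked = LockedThrottle(FakeCache(), limit, 60)
    return run_concurrent(racy, "user:1", n), run_concurrent(locked, "user:1", n)


if __name__ == "__main__":
    print(demo())  # (10, 1)
```

Running `demo()` gives `(10, 1)`: ten of ten requests pass the racy throttle and one of ten passes the locked one. The barrier is only there to make the interleaving repeatable; without it the same outcome still occurs, just nondeterministically, which is why a load test such as the one described in the issue shows a variable number of extra requests getting through.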