security vulnerability: bypass throttling #8127
Comments
|
So, this has come up a bunch of times... The throttling isn't intended as a security feature, and will have some fuzziness. It's not so much "thread-safety", as it is to do with using a non-transactional approach when reading/writing the throttling history. (because the cache backends don't have any obvious way to support transactions.) We read the throttle history from the cache, do a bit of work to determine what the new history should be, and then store that... https://github.com/encode/django-rest-framework/blob/master/rest_framework/throttling.py#L123-L132 There's plenty of scope for someone to implement an alternative throttle that does have locking, but it's not obvious to me what a good approach would be? Looking into this a bit - Redis supports named locks, and the |
|
I'm following this |
|
I don't think this is caused by non-transactional. It's that the code doesn't consider thread-safety In https://github.com/encode/django-rest-framework/blob/master/rest_framework/throttling.py#L123-L132 At start, When requesting concurrently, it is possible for multiple threads to pass through this line of code( Then self.history == [],so will |
|
Each request will end up with a clean throttle instance, they're not shared between requests. |
|
But each time the value of self.history is sourced from the cache, It is equivalent to a global array. When determining and modifying a value is not an atomic operation, it will inevitably lead to bypass problems |
Exactly, yes. A |
I sent an email a long time ago, but there was no response.
Because the throttling is not thread-safe, I can bypass the throttling via concurrency request.
this is my example code
this is my concurrency test
this is result
The text was updated successfully, but these errors were encountered: