Skip to content

fix(security): harden rate limiter proxy handling#246

Open
changliuchang777 wants to merge 1 commit into
StableRoute-Org:mainfrom
changliuchang777:security/rate-limit-08-trusted-client-ip
Open

fix(security): harden rate limiter proxy handling#246
changliuchang777 wants to merge 1 commit into
StableRoute-Org:mainfrom
changliuchang777:security/rate-limit-08-trusted-client-ip

Conversation

@changliuchang777

Copy link
Copy Markdown

Summary

  • add TRUST_PROXY parsing and configure Express trust proxy explicitly, defaulting to false
  • keep spoofed X-Forwarded-For ignored unless trusted proxy hops are configured
  • add lazy expired-bucket GC so stale rate-limit entries are removed even when clients never return
  • keep the existing Retry-After and 429 rate_limited response behavior unchanged
  • document TRUST_PROXY and add focused rate-limit tests for proxy parsing and lazy GC

Fixes #8

Validation

  • git diff --check passed except Git for Windows LF/CRLF warnings
  • npm test -- --runInBand src/__tests__/rateLimit.test.ts blocked by existing baseline parse error in src/index.ts: duplicate WEBHOOK_MAX_EVENTS
  • npm run build blocked by existing baseline TypeScript errors in src/index.ts and src/__tests__/store.adapter.test.ts
  • npm run lint blocked by existing baseline lint errors unrelated to this change

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Make the rate limiter resilient to spoofed X-Forwarded-For and unbounded memory

1 participant