Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GREEN-40: add debug endpoints behind debug middleware #15

Merged
merged 1 commit into from
May 2, 2024
Merged

GREEN-40: add debug endpoints behind debug middleware #15

merged 1 commit into from
May 2, 2024

Conversation

akirapham
Copy link
Contributor

@linear Linear
Copy link

linear bot commented May 1, 2024

GREEN-40 Put Archiver debug endpoints behind debug middleware

See /removed endpoint for example

  • nestedCounters.ts
  • memoryReporting.ts
  • profiler.ts

github-advanced-security[bot]
github-advanced-security bot found potential problems May 1, 2024
View reviewed changes
src/profiler/memoryReporting.ts
Comment on lines +88 to +102
(req, res) => {
const top = spawn('top', ['-n', '10'])
top.stdout.on('data', (dataBuffer) => {
res.send(dataBuffer.toString())
top.kill()
})
top.on('close', (code) => {
console.log(`child process exited with code ${code}`)
})
top.stderr.on('data', (data) => {
console.log('top command error', data)
res.send('top command error')
top.kill()
})
}

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
a system command
Loading
, but is not rate-limited.

Copilot Autofix AI 6 months ago

The best way to fix the problem is to add rate limiting to the route handlers that perform system commands. This can be done by using a rate limiting middleware such as fastify-rate-limit.

The fastify-rate-limit package provides a rate limiting middleware for Fastify applications. It can be used to limit the rate at which requests are accepted, thus preventing denial-of-service attacks.

To fix the problem, you need to install the fastify-rate-limit package and use it in your Fastify application. You can do this by adding the fastify-rate-limit import at the top of your file, initializing the rate limiter, and then applying it to your Fastify server with the register method.

The rate limiter can be configured with various options such as max (the maximum number of requests allowed in the time window), timeWindow (the duration of the time window), and allowList (an array of IP addresses that are not subject to rate limiting).

In this case, you can set max to a reasonable number that allows your application to handle the expected load but prevents excessive requests. The timeWindow can be set to '1 minute' to limit the rate of requests per minute. You can leave the allowList empty if you want to apply rate limiting to all clients.

Suggested changeset 2
src/profiler/memoryReporting.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/profiler/memoryReporting.ts b/src/profiler/memoryReporting.ts
--- a/src/profiler/memoryReporting.ts
+++ b/src/profiler/memoryReporting.ts
@@ -4,2 +4,3 @@
 import * as fastify from 'fastify'
+import rateLimit from 'fastify-rate-limit'
 import { resourceUsage } from 'process'
@@ -80,2 +81,7 @@
 
+    this.server.register(rateLimit, {
+      max: 100, // max 100 requests per 1 minute
+      timeWindow: '1 minute'
+    })
+
     this.server.get(
EOF
@@ -4,2 +4,3 @@
import * as fastify from 'fastify'
import rateLimit from 'fastify-rate-limit'
import { resourceUsage } from 'process'
@@ -80,2 +81,7 @@

this.server.register(rateLimit, {
max: 100, // max 100 requests per 1 minute
timeWindow: '1 minute'
})

this.server.get(
package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -91,3 +91,4 @@
     "streamroller": "^3.1.3",
-    "tydb": "^0.1.5"
+    "tydb": "^0.1.5",
+    "fastify-rate-limit": "^5.9.0"
   },
EOF
@@ -91,3 +91,4 @@
"streamroller": "^3.1.3",
"tydb": "^0.1.5"
"tydb": "^0.1.5",
"fastify-rate-limit": "^5.9.0"
},
This fix introduces these dependencies
Package Version Security advisories
fastify-rate-limit (npm) 5.9.0 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
src/profiler/memoryReporting.ts
Comment on lines +112 to +126
(req, res) => {
const df = spawn('df')
df.stdout.on('data', (dataBuffer) => {
res.send(dataBuffer.toString())
df.kill()
})
df.on('close', (code) => {
console.log(`child process exited with code ${code}`)
})
df.stderr.on('data', (data) => {
console.log('df command error', data)
res.send('df command error')
df.kill()
})
}

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
a system command
Loading
, but is not rate-limited.

Copilot Autofix AI 6 months ago

The best way to fix the problem is to add rate limiting to the route handler that performs the system command. This can be done by using a rate limiting middleware such as fastify-rate-limit.

Here are the steps to fix the problem:

  1. Install the fastify-rate-limit package.
  2. Import the fastify-rate-limit package in the src/profiler/memoryReporting.ts file.
  3. Register the fastify-rate-limit plugin with the Fastify instance.
  4. Configure the rate limit options. For example, you can limit the number of requests to 100 per 15 minutes.
Suggested changeset 2
src/profiler/memoryReporting.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/profiler/memoryReporting.ts b/src/profiler/memoryReporting.ts
--- a/src/profiler/memoryReporting.ts
+++ b/src/profiler/memoryReporting.ts
@@ -4,2 +4,3 @@
 import * as fastify from 'fastify'
+import rateLimit from 'fastify-rate-limit'
 import { resourceUsage } from 'process'
@@ -41,2 +42,6 @@
   registerEndpoints(): void {
+    this.server.register(rateLimit, {
+      max: 100, // max number of connections during windowMs milliseconds before sending a 429 response
+      timeWindow: '15 minutes' // duration of the window for max connections
+    })
     this.server.get(
EOF
@@ -4,2 +4,3 @@
import * as fastify from 'fastify'
import rateLimit from 'fastify-rate-limit'
import { resourceUsage } from 'process'
@@ -41,2 +42,6 @@
registerEndpoints(): void {
this.server.register(rateLimit, {
max: 100, // max number of connections during windowMs milliseconds before sending a 429 response
timeWindow: '15 minutes' // duration of the window for max connections
})
this.server.get(
package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -91,3 +91,4 @@
     "streamroller": "^3.1.3",
-    "tydb": "^0.1.5"
+    "tydb": "^0.1.5",
+    "fastify-rate-limit": "^5.9.0"
   },
EOF
@@ -91,3 +91,4 @@
"streamroller": "^3.1.3",
"tydb": "^0.1.5"
"tydb": "^0.1.5",
"fastify-rate-limit": "^5.9.0"
},
This fix introduces these dependencies
Package Version Security advisories
fastify-rate-limit (npm) 5.9.0 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
@jairajdev jairajdev merged commit 199f869 into dev May 2, 2024
1 of 2 checks passed
@jairajdev jairajdev deleted the GREEN-40-debug-endpoints-behind-middleware branch May 2, 2024 14:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jairajdev jairajdev jairajdev approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@akirapham @jairajdev