Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(core): Rate limit MFA activation and verification endpoints #10330

Merged
merged 1 commit into from
Aug 8, 2024

Conversation

netroy
Copy link
Member

@netroy netroy commented Aug 8, 2024

Summary

Right now it is possible to enumerate MFA endpoints. Since there is no real use-case where someone needs to make repeated calls to these endpoints, we should rate-limit them

Related Linear tickets, Github issues, and Community forum posts

SEC-71

Review / Merge checklist

  • PR title and summary are descriptive
  • Tests included

Copy link
Contributor

@tomi tomi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

Copy link
Contributor

github-actions bot commented Aug 8, 2024

✅ All Cypress E2E specs passed

Copy link

cypress bot commented Aug 8, 2024



Test summary

395 0 0 0Flakiness 0


Run details

Project n8n
Status Passed
Commit f330449
Started Aug 8, 2024 12:52 PM
Ended Aug 8, 2024 12:57 PM
Duration 04:44 💡
OS Linux Debian -
Browser Electron 118

View run in Cypress Cloud ➡️


This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Cloud

@n8n-assistant n8n-assistant bot added core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team labels Aug 8, 2024
@netroy netroy merged commit b6c47c0 into master Aug 8, 2024
28 checks passed
@netroy netroy deleted the SEC-71-rate-limit-more-endpoints branch August 8, 2024 13:01
MiloradFilipovic added a commit that referenced this pull request Aug 9, 2024
* master:
  fix(core): Prevent XSS via static cache dir (#10339)
  fix(editor): Enable credential sharing between all types of projects (#10233)
  refactor(core): Extract webhook request handler to own file (#10301)
  feat: Allow sharing to and from team projects (no-changelog) (#10144)
  refactor(editor): Convert ChangePasswordModal to composition api (no-changelog) (#10337)
  docs: Change display name for WhatsApp Trigger API Credential (#10334)
  fix(core): Do not load ScalingService in regular mode (no-changelog) (#10333)
  docs: Update wording in X credentials (#10327)
  fix(editor): Fixing XSS vulnerability in toast messages (#10329)
  fix(core): Rate limit MFA activation and verification endpoints (#10330)
  refactor(core): Decouple emailing and workflow sharing from internal hooks (no-changelog) (#10326)
  refactor(core): Stop reporting disk I/O error to Sentry (no-changelog) (#10324)
@github-actions github-actions bot mentioned this pull request Aug 14, 2024
@janober
Copy link
Member

janober commented Aug 15, 2024

Got released with n8n@1.55.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team Released
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants