unibus

dataforge/unibus

Fork 0

Commit Graph

Author	SHA1	Message	Date
egutierrez	0b96c114b6	feat(membership): trust reverse-proxy forwarded client IP for rate limit The per-IP rate limiter keys on the transport RemoteAddr. Behind the same-origin Caddy proxy that fronts the control plane, every request arrives with the proxy's single IP, which collapses the limiter into one bucket shared by the whole world — a flood from one client throttles all of them. Add an opt-in `--trusted-proxies` flag (comma-separated IPs/CIDRs). When the immediate peer is one of the named proxies, clientIP now believes its X-Forwarded-For (read right-to-left, skipping trusted hops) or X-Real-IP and keys on the real client. A direct, non-trusted peer's forwarding headers are ignored entirely, so this opens no quota-fanning hole: an attacker connecting straight to the public :8470 cannot spoof a key. The zero value (no flag) preserves the prior RemoteAddr-only behavior exactly. Covered by ratelimit_proxy_test.go: trusted vs untrusted peers, XFF right-to-left precedence, client-prepended forgery, X-Real-IP fallback, and rejection of malformed proxy entries. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-14 12:29:57 +02:00
egutierrez	60d6a86655	feat(membership): bound request bodies and add per-IP rate limit Pre-auth DoS hardening (audit H1, Critical). The control-plane middleware read the request body with io.ReadAll before authenticating and with no size cap, so an unauthenticated peer could force the server to buffer an arbitrary body in RAM (the auditor sent 400 MB and watched RSS climb to ~898 MB). - ServeHTTP now caps the buffered body before reading: a per-route ceiling (1 MiB JSON, 16 MiB /blobs) rejects an over-declared Content-Length outright and wraps the body in http.MaxBytesReader so a lying/chunked sender trips at the ceiling instead of unbounded. - handlePutBlob maps the MaxBytesReader cutoff to 413 in every auth mode. - Per-IP token-bucket rate limiter (golang.org/x/time/rate, already in the module graph) sheds floods before auth or body reads. Loopback dev stacks are unaffected (burst >> any single client's rate). Kept in-package as transport glue, not promoted to the registry, mirroring the nonceCache decision in 0003. - membershipd sets http.Server.MaxHeaderBytes and ReadHeaderTimeout. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 14:16:04 +02:00

Author

SHA1

Message

Date

egutierrez

0b96c114b6

feat(membership): trust reverse-proxy forwarded client IP for rate limit

The per-IP rate limiter keys on the transport RemoteAddr. Behind the
same-origin Caddy proxy that fronts the control plane, every request
arrives with the proxy's single IP, which collapses the limiter into one
bucket shared by the whole world — a flood from one client throttles all
of them.

Add an opt-in `--trusted-proxies` flag (comma-separated IPs/CIDRs). When
the immediate peer is one of the named proxies, clientIP now believes its
X-Forwarded-For (read right-to-left, skipping trusted hops) or X-Real-IP
and keys on the real client. A direct, non-trusted peer's forwarding
headers are ignored entirely, so this opens no quota-fanning hole: an
attacker connecting straight to the public :8470 cannot spoof a key. The
zero value (no flag) preserves the prior RemoteAddr-only behavior exactly.

Covered by ratelimit_proxy_test.go: trusted vs untrusted peers, XFF
right-to-left precedence, client-prepended forgery, X-Real-IP fallback,
and rejection of malformed proxy entries.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-14 12:29:57 +02:00

egutierrez

60d6a86655

feat(membership): bound request bodies and add per-IP rate limit

Pre-auth DoS hardening (audit H1, Critical). The control-plane middleware
read the request body with io.ReadAll before authenticating and with no size
cap, so an unauthenticated peer could force the server to buffer an arbitrary
body in RAM (the auditor sent 400 MB and watched RSS climb to ~898 MB).

- ServeHTTP now caps the buffered body before reading: a per-route ceiling
  (1 MiB JSON, 16 MiB /blobs) rejects an over-declared Content-Length outright
  and wraps the body in http.MaxBytesReader so a lying/chunked sender trips at
  the ceiling instead of unbounded.
- handlePutBlob maps the MaxBytesReader cutoff to 413 in every auth mode.
- Per-IP token-bucket rate limiter (golang.org/x/time/rate, already in the
  module graph) sheds floods before auth or body reads. Loopback dev stacks are
  unaffected (burst >> any single client's rate). Kept in-package as transport
  glue, not promoted to the registry, mirroring the nonceCache decision in 0003.
- membershipd sets http.Server.MaxHeaderBytes and ReadHeaderTimeout.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-07 14:16:04 +02:00

2 Commits