SECURITY: Rate limit the creation of backups

2025-02-25 18:55:32 -06:00 · 2023-03-14 17:07:18 +01:00
parent 272c31023d
commit 0bd64788d2
4 changed files with 78 additions and 22 deletions
--- a/spec/lib/backup_restore/backuper_spec.rb
+++ b/spec/lib/backup_restore/backuper_spec.rb
@@ -1,18 +1,20 @@
 # frozen_string_literal: true

 RSpec.describe BackupRestore::Backuper do
-  it "returns a non-empty parameterized title when site title contains unicode" do
-    SiteSetting.title = "Ɣ"
-    backuper = BackupRestore::Backuper.new(Discourse.system_user.id)
+  describe "#get_parameterized_title" do
+    it "returns a non-empty parameterized title when site title contains unicode" do
+      SiteSetting.title = "Ɣ"
+      backuper = BackupRestore::Backuper.new(Discourse.system_user.id)

-    expect(backuper.send(:get_parameterized_title)).to eq("discourse")
-  end
+      expect(backuper.send(:get_parameterized_title)).to eq("discourse")
+    end

-  it "returns a valid parameterized site title" do
-    SiteSetting.title = "Coding Horror"
-    backuper = BackupRestore::Backuper.new(Discourse.system_user.id)
+    it "returns a valid parameterized site title" do
+      SiteSetting.title = "Coding Horror"
+      backuper = BackupRestore::Backuper.new(Discourse.system_user.id)

-    expect(backuper.send(:get_parameterized_title)).to eq("coding-horror")
+      expect(backuper.send(:get_parameterized_title)).to eq("coding-horror")
+    end
  end

  describe "#notify_user" do
@@ -69,4 +71,32 @@ RSpec.describe BackupRestore::Backuper do
      )
    end
  end
+
+  describe "#run" do
+    subject(:run) { backup.run }
+
+    let(:backup) { described_class.new(user.id) }
+    let(:user) { Discourse.system_user }
+    let(:store) { backup.store }
+
+    before { backup.stubs(:success).returns(success) }
+
+    context "when the result isn't successful" do
+      let(:success) { false }
+
+      it "doesn't refresh disk stats" do
+        store.expects(:reset_cache).never
+        run
+      end
+    end
+
+    context "when the result is successful" do
+      let(:success) { true }
+
+      it "refreshes disk stats" do
+        store.expects(:reset_cache)
+        run
+      end
+    end
+  end
 end
--- a/spec/requests/admin/backups_controller_spec.rb
+++ b/spec/requests/admin/backups_controller_spec.rb
@@ -137,7 +137,10 @@ RSpec.describe Admin::BackupsController do

  describe "#create" do
    context "when logged in as an admin" do
-      before { sign_in(admin) }
+      before do
+        sign_in(admin)
+        BackupRestore.stubs(:backup!)
+      end

      it "starts a backup" do
        BackupRestore.expects(:backup!).with(
@@ -149,6 +152,22 @@ RSpec.describe Admin::BackupsController do

        expect(response.status).to eq(200)
      end
+
+      context "with rate limiting enabled" do
+        before do
+          RateLimiter.clear_all!
+          RateLimiter.enable
+        end
+
+        after { RateLimiter.disable }
+
+        it "is rate limited" do
+          post "/admin/backups.json", params: { with_uploads: false, client_id: "foo" }
+          post "/admin/backups.json", params: { with_uploads: false, client_id: "foo" }
+
+          expect(response).to have_http_status :too_many_requests
+        end
+      end
    end

    shared_examples "backups creation not allowed" do