lucaapp / security-concept

Archived Security Overview for Luca
https://gitlab.com/lucaapp/security-overview

API rate limiting is bypassable #36

Closed TobiasGrether closed 3 years ago

TobiasGrether commented 3 years ago

As outlined by this tweet here, the API rate limiting seems to be bypassable by switching the casing of API endpoints.

I wasn't able to find a proper way to report security issues, so I assumed creating this issue here is a proper place to do so. I believe this should be fixed quickly, especially as some endpoints can be abused if no proper rate-limiting policy is enforced (e.g. auth endpoints & brute-forcing logins).

Kind regards, Tobias Grether

fynngodau commented 3 years ago

In the security concept, I read that "[…] the Luca Server does not log any IP addresses[…]"[0][1]. How does an IP-based rate limiting work without storing any IP addresses? Is the statement in the security concept meant to apply only to a specific context? I read it as to mean that it applies globally, to all queries towards the Luca server. Please clarify, thanks.

AmazingTurtle commented 3 years ago

To achieve rate limiting you don't need to log the data, you can use Redis (in-memory data structure store, used as a database, cache, and message broker). It's most likely that they use a cache like Redis here because everything else doesn't make too much sense. Logging is not caching. Logging is persistent. Caching is not (it's in volatile memory).

@fynngodau

FrankGrimm commented 3 years ago

Without further clarification I assumed "the fact that the Luca Server does not log any IP addresses" (from [0] above) to mean that they do in fact refrain from storing the IP at all beyond where it is necessary to fulfill the client's request to their server.

The privacy policy on the other hand clearly states that they do log "temporary usage data" (which includes IPs and more) persistently, to files, for up to 7 days.

Looks like just another case where the docs aren't reflecting reality.

derhuerst commented 3 years ago

I don't know about which mechanism they have in place, but it is possible to rate-limit by a salted hash of the client IP (or even a substring of it).

rvnstn commented 3 years ago

This issue seems to be fixed.

ksaadDE commented 3 years ago

> I don't know about which mechanism they have in place, but it is possible to rate-limit by a salted hash of the client IP (or even a substring of it).

Which leads to the fact that you would still store and use some data for your "security" purposes. I like the idea of hashing it (surely salted). But yup, there are some complex mechanisms where you don't have to store the IP or something like that, which leads to traffic analysis. But it's surely more invasive (to some point).

A salted hash of the IP is "okay", depending on the salt and the hashing algorithm (and how the storage itself is protected and how long it stores data...). Complex field.
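The following is an added illustration, not code from this thread or from the Luca project, of the two points discussed above: TobiasGrether's observation that a rate limiter keyed on the raw request path can be sidestepped by changing the casing of the endpoint, and derhuerst's suggestion of keying the limiter on a salted hash of the client address held only in volatile memory (AmazingTurtle's Redis point). The names `SlidingWindowLimiter`, `canonical_route`, `client_pseudonym` and the in-memory dict standing in for Redis are assumptions made for this example; the `normalise=False` limiter reproduces the bypass, the `normalise=True` one closes it.

```python
import hashlib
import hmac
import secrets
import time
from collections import deque


def canonical_route(path: str) -> str:
    """Normalise a request path before using it as a rate-limit key.

    Lower-casing, collapsing duplicate slashes and dropping the trailing
    slash makes '/API/v3/Login/' and '/api/v3/login' share one bucket,
    which is what closes the case-switching bypass from this issue.
    """
    parts = [p.lower() for p in path.split("/") if p]
    return "/" + "/".join(parts)


def client_pseudonym(ip: str, salt: bytes) -> str:
    """Keyed hash (HMAC-SHA256, truncated) of the client address.

    The salt is a server-side secret. Only this pseudonym is kept, and only
    in the limiter's short-lived state, so the raw IP is never written out.
    Note the IPv4 space is small, so anyone holding the salt could
    enumerate it; the salt therefore has to stay secret and be rotated.
    """
    return hmac.new(salt, ip.encode(), hashlib.sha256).hexdigest()[:32]


class SlidingWindowLimiter:
    """In-memory sliding-window limiter (stand-in for a Redis-style cache).

    Per (client pseudonym, route) it keeps timestamps of recent requests;
    anything older than the window is discarded on the next lookup, so the
    state is volatile by construction rather than a persistent log.
    """

    def __init__(self, limit, window_s, salt=None, normalise=True,
                 clock=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.salt = salt or secrets.token_bytes(32)  # constructed per process
        self.normalise = normalise
        self.clock = clock  # injectable so the window can be tested
        self._hits = {}

    def _key(self, ip, path):
        route = canonical_route(path) if self.normalise else path
        return (client_pseudonym(ip, self.salt), route)

    def allow(self, ip, path):
        now = self.clock()
        q = self._hits.setdefault(self._key(ip, path), deque())
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def rotate_salt(self):
        """New salt unlinks old pseudonyms; the counters go with them."""
        self.salt = secrets.token_bytes(32)
        self._hits.clear()


def count_allowed(limiter, ip, paths):
    return sum(1 for p in paths if limiter.allow(ip, p))


def demo():
    """Same client, four spellings of one endpoint, limit of 1 per window."""
    clock = [0.0]
    attempts = ["/api/v3/login", "/api/v3/Login", "/API/v3/LOGIN",
                "/api/v3/login/"]  # constructed sample requests
    naive = SlidingWindowLimiter(1, 60, normalise=False, clock=lambda: clock[0])
    hardened = SlidingWindowLimiter(1, 60, normalise=True, clock=lambda: clock[0])
    return {
        "naive": count_allowed(naive, "203.0.113.7", attempts),      # 4 pass
        "hardened": count_allowed(hardened, "203.0.113.7", attempts)  # 1 passes
    }


if __name__ == "__main__":
    print(demo())
```

The route normalisation is the fix for the reported bypass; the HMAC pseudonym is only as strong as the secrecy of its salt, which is the "depending on the salt" caveat raised above, so a deployment would rotate it and accept that rotation resets the counters.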