Open narskidan opened 11 months ago
In case anyone suspects the rate limit applies to the IP address, rather than the API key, here's an experiment where we make a bunch of requests from curl using our normal clearnet IP, and then load star.market via Tor browser.
First, observe that Tor browser loads the Metrics Bar normally.
And then, after a bunch of requests, it goes awry!
This repo contains a Dune API key.
https://github.com/urbit/star.market/blob/1380164e0fc5823de8eddf427228006cecac3059/.mainnet-env#L4
The Dune API is rate limited like so:
In other words, if you send more than 40 requests using the free API key in this repo, that API will lose access to Dune (as long as you keep sending additional requests).
You can do so by just spamming curl in a loop. With exactly the result you'd expect:
Sorry to check this using the live site. I happen to know from experience that, after exceeding your access limit, Dune restores API access within a minute or so, so there was nothing to fear. Nevertheless, in retrospect I should've run star.market locally using my own free Dune API key.
Anyway, the rate limit was also reflected on star.market's live Metrics Bar component:
Everything remains at zero. Within a minute, of course, everything was restored to working order (still, again, apologies for inconsiderately testing this on the live site!).
How to fix
First, you might not even care to fix this. Like I said, it's really very insignificant. If you're okay with the risk of someone DoSing the metrics bar you can just toss this in the "not going to fix" bin.
If you do want to fix it? The wrong solution would be to focus on simply removing the API key from this codebase, but then adding it back in during build/deployment. Why is this bad? Because this code runs on the frontend. If you add the API key to the frontend code, the attacker could just open their requests tab and see the API key parameter passed to Dune.
Okay, so what if you performed the API call on the backend, and then loaded that into the page?
This would prevent the user from seeing the API key, but it would not prevent the DoS attack. The user could just load star.market over 40 times per minute, which would then launch the same number of requests to the Dune API on the backend, thus exceeding the rate limit and leading to the Metrics Bar showing all zero for anyone who visits the site.
To solve this, the backend would have to run a script that makes a request to Dune every few seconds (with the free API, a maximum of every 1.5 seconds, but you could do even less if you wanted) and saves this information in a cache. The backend would then access that cache and feed the data to the Metrics Bar via server-side rendering.
Sounds like a lot of work, but since this project already uses React, SSR is pretty simple using something like Next.js. Or if you don't want to do all of that, you could just set up an API to query this cache, and access that API via the Metrics Bar.
Or you could just not fix it. Nevertheless, wanted to make you aware of the issue. I hope this was helpful!
PS: Sorry to report this via a public issue instead of via DM or email. However, given the harmlessness, I figured a regular ole issue would suffice.
If I overstepped, please do let me know and I'll be more cautious with future reports. Also, out of curiosity, what is the correct way to report vulnerabilities in this repo, should someone find something more serious in the future?
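The backend cache design the report proposes (poll Dune on a schedule, serve the cached result to every visitor), as an added JavaScript example that is not code from star.market or from the reporter. `MetricsCache`, `fetchUpstream` (a stand-in for the real Dune call made with a server-held key), the 2-second interval and the metric field names are all assumptions; `makeFakeDune` is a constructed stub that answers 40 calls and then fails the way a rate limit would.

```javascript
// Added example, not code from the star.market repo: a backend cache between
// browsers and Dune. The key stays on the server and upstream is called at most
// once per interval however many page loads arrive; interval and field names
// are hypothetical.
class MetricsCache {
  constructor(fetchUpstream, { intervalMs = 2000, now = Date.now } = {}) {
    this.fetchUpstream = fetchUpstream; // async () => metrics; holds the key
    this.intervalMs = intervalMs;
    this.now = now;               // injectable clock for deterministic tests
    this.data = null;             // last good payload, served to every client
    this.attemptedAt = -Infinity; // time of the last upstream attempt
    this.upstreamCalls = 0;
    this.inFlight = null;         // concurrent readers share one request
  }
  async read() { // what the /api/metrics route or SSR loader would call
    if (this.inFlight) return this.inFlight;
    if (this.now() - this.attemptedAt < this.intervalMs) return this.data;
    this.inFlight = (async () => {
      this.attemptedAt = this.now(); // failures count too, so no retry storm
      this.upstreamCalls += 1;
      try { // Promise.resolve().then(...) turns a sync throw into a rejection
        this.data = await Promise.resolve().then(() => this.fetchUpstream());
      } catch (err) { // rate-limited or down: keep the stale copy, not zeros
        if (this.data === null) throw err; // nothing cached yet: surface it
      } finally {
        this.inFlight = null;
      }
      return this.data;
    })();
    return this.inFlight;
  }
}
// Constructed stand-in for Dune: answers 40 calls, then fails like a 429 would.
function makeFakeDune(limit = 40) {
  let calls = 0;
  return async () => {
    if (++calls > limit) throw new Error('429 Too Many Requests');
    return { stars: 1000 + calls, galaxies: 256 };
  };
}
// 45 two-second windows x 10 page loads: 450 reads, 45 upstream calls, stars stays 1040.
async function simulateOutage(windows = 45, loadsPerWindow = 10) {
  let t = 0, reads = 0, last = null;
  const cache = new MetricsCache(makeFakeDune(), { intervalMs: 2000, now: () => t });
  for (let w = 0; w < windows; w++) {
    t = w * 2000;
    for (let i = 0; i < loadsPerWindow; i++) { last = await cache.read(); reads++; }
  }
  return { reads, upstreamCalls: cache.upstreamCalls, last };
}
```

Because the attempt timestamp is updated on failure as well as success, a rate-limited upstream is retried once per interval rather than once per page load, and visitors keep seeing the last good numbers instead of zeros.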