restrict actionquery

planetarium · Sep 14, 2023 · df425ea · df425ea
1 parent 407c21c
commit df425ea
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/NineChronicles.Headless.Executable/appsettings.json b/NineChronicles.Headless.Executable/appsettings.json
@@ -108,14 +108,19 @@
                 "Endpoint": "*:/graphql/stagetransaction",
                 "Period": "60s",
                 "Limit": 12
+            },
+            {
+                "Endpoint": "*:/graphql/actionquery",
+                "Period": "600s",
+                "Limit": 1
             }
         ],
         "QuotaExceededResponse": {
             "Content": "{{ \"message\": \"Whoa! Calm down, cowboy!\", \"details\": \"Quota exceeded. Maximum allowed: {0} per {1}. Please try again in {2} second(s).\" }}",
             "ContentType": "application/json",
             "StatusCode": 429
         },
-        "IpBanThresholdCount": 10,
+        "IpBanThresholdCount": 5,
         "IpBanMinute" : 60,
         "IpBanResponse": {
             "Content": "{ \"message\": \"Your Ip has been banned.\" }",

diff --git a/NineChronicles.Headless/Middleware/CustomRateLimitMiddleware.cs b/NineChronicles.Headless/Middleware/CustomRateLimitMiddleware.cs
@@ -52,6 +52,11 @@ public override async Task<ClientRequestIdentity> ResolveIdentityAsync(HttpConte
                     identity.Path = "/graphql/stagetransaction";
                 }
 
+                if (body.Contains("actionQuery{hackAndSlash"))
+                {
+                    identity.Path = "/graphql/actionquery";
+                }
+
                 return identity;
             }