From acd0a0fcf62361a50d1c6039c4d3648298a52607 Mon Sep 17 00:00:00 2001
From: Obsidian <123307773+LightZirconite@users.noreply.github.com>
Date: Sat, 15 Nov 2025 14:48:43 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 21: Missing rate limiting
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Obsidian <123307773+LightZirconite@users.noreply.github.com>
---
 package.json | 3 ++-
 src/dashboard/server.ts | 10 ++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/package.json b/package.json
index 3ec054b..e5e585f 100644
--- a/package.json
+++ b/package.json
@@ -87,6 +87,7 @@
 "rebrowser-playwright": "1.52.0",
 "socks-proxy-agent": "^8.0.5",
 "ts-node": "^10.9.2",
- "ws": "^8.18.3"
+ "ws": "^8.18.3",
+ "express-rate-limit": "^8.2.1"
 }
 }
\ No newline at end of file
diff --git a/src/dashboard/server.ts b/src/dashboard/server.ts
index fad0aab..e5aea8a 100644
--- a/src/dashboard/server.ts
+++ b/src/dashboard/server.ts
@@ -3,6 +3,7 @@ import fs from 'fs'
 import { createServer } from 'http'
 import path from 'path'
 import { WebSocket, WebSocketServer } from 'ws'
+import rateLimit from 'express-rate-limit'
 import { log as botLog } from '../util/notifications/Logger'
 import { apiRouter } from './routes'
 import { DashboardLog, dashboardState } from './state'
@@ -20,7 +21,12 @@ export class DashboardServer {
 private server: ReturnType
 private wss: WebSocketServer
 private clients: Set = new Set()
-
+ private dashboardLimiter = rateLimit({
+ windowMs: 15 * 60 * 1000, // 15 minutes
+ max: 100, // limit each IP to 100 requests per windowMs for dashboard UI
+ standardHeaders: true,
+ legacyHeaders: false,
+ })
 constructor() {
 this.app = express()
 this.server = createServer(this.app)
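Review bot: The diffstat lists only package.json and src/dashboard/server.ts, so no lockfile is updated alongside the new `"express-rate-limit": "^8.2.1"` entry; if the project commits a package-lock.json or equivalent, it should be regenerated in the same change so the resolved version is pinned and installs stay reproducible. The entry is also appended after `"ws"` rather than kept in alphabetical order with its neighbours, which `npm install --save` would normally maintain — minor, but worth matching so the next tooling-driven edit does not reshuffle the block.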
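Review bot: `dashboardLimiter` keys its counter on the client IP, but nothing in this hunk configures Express's `trust proxy`, so if the dashboard runs behind a reverse proxy every request will share the proxy's address and the 100-per-15-minute budget is exhausted for all users at once, while an over-broad `trust proxy` lets each client pick its own key through forwarded headers. That setting lives outside the hunk (the constructor continues past its end), so confirm it is set deliberately where `this.app = express()` is created. The limiter is only attached to `GET '/'` in the following hunk; the `apiRouter` imported above and the WebSocket upgrade path appear to stay unlimited, which is presumably where the scanning alert matters more, so it is worth checking before treating the alert as resolved by the HTML route alone. Also, current express-rate-limit releases name this option `limit`, with `max` kept only as a legacy alias; `limit: 100, // limit each IP to 100 requests per windowMs for dashboard UI` keeps the same behaviour on the supported name.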
@@ -69,7 +75,7 @@ export class DashboardServer {
 })
 // Serve dashboard UI
- this.app.get('/', (_req, res) => {
+ this.app.get('/', this.dashboardLimiter, (_req, res) => {
 const indexPath = path.join(__dirname, '../../public/index.html')
 // Force no cache on HTML files