Andal.LND/edx-platform
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4569b53bad4fa685dbf7674fac6da220b9309f67
edx-platform/openedx
History
Tim McCormack a251d18281 feat!: Use more-trusted IP in rate-limiting (#241) 
Previously, our rate-limiting code trusted the entire `X-Forwarded-For`
header, allowing a malicious client to spoof that header and evade
rate-limiting. This commit introduces a new module and setting
allowing us to make a more conservative choice of IPs.

- Create new `openedx.core.djangoapps.util.ip` module for producing
  the IP "external chain" for requests based on the XFF header and the
  REMOTE_ADDR.
- Include a function that gives the safest choice of IPs.
- Add new setting `CLOSEST_CLIENT_IP_FROM_HEADERS` for configuring how
  the external chain is derived (i.e. setting the trust
  boundary). Currently has a default, but we may want to make it
  mandatory in the future.
- Change `django-ratelimit` code to use the proximate IP in the external
  chain -- the one just outside the trust boundary.

Also:

- Change `XForwardedForMiddleware` to use more conservative choice for
  its `REMOTE_ADDR` override
- Other adjustments to `XForwardedForMiddleware` as needed in order to
  initialize new module and support code that needs the real
  `REMOTE_ADDR` value
- Metrics for observability into the change (and XFF composition)
- Feature switch to restore legacy mode if needed

This also gives us a path forward to removing use of the django-ipware
package, which is no longer maintained and has a handful of bugs that make it
difficult to use safely.

Internal ticket: ARCHBOM-2056
2022-04-20 13:46:58 +00:00
..
core
feat!: Use more-trusted IP in rate-limiting (#241)
2022-04-20 13:46:58 +00:00
features
feat!: drop legacy courseware tab access for learners
2022-04-19 12:27:10 -04:00
testing
fix: fixed django40 warnings (#29641)
2022-02-25 16:24:51 +05:00
tests
feat!: drop legacy courseware tab access for learners
2022-04-19 12:27:10 -04:00
__init__.py
style: django-not-configured is not a sensible lint-amnesty value (#26862)
2021-03-05 08:11:58 -05:00
README.rst

README.rst 

Open edX
--------

This is the root package for Open edX. The intent is that all importable code
from Open edX will eventually live here, including the code in the lms, cms,
and common directories.

If you're adding a new Django app, place it in core/djangoapps. If you're adding
utilities that require Django, place them in core/djangolib.  If you're adding
code that defines no Django models or views of its own but is widely useful, put it
in core/lib.

Note: All new code should be created in this package, and the legacy code will
be moved here gradually. For now the code is not structured like this, and hence
legacy code will continue to live in a number of different packages.
Reference in New Issue View Git Blame Copy Permalink