From b38984a24fd9af4d5bc64aeabad958466c2798f9 Mon Sep 17 00:00:00 2001 From: David Teller Date: Tue, 28 Jun 2022 14:01:08 +0200 Subject: [PATCH 1/4] Rate limiting invites per issuer --- synapse/config/ratelimiting.py | 5 +++++ synapse/handlers/room_member.py | 20 ++++++++++++++++++-- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/synapse/config/ratelimiting.py b/synapse/config/ratelimiting.py index d4090a1f9ad5..f019825b3658 100644 --- a/synapse/config/ratelimiting.py +++ b/synapse/config/ratelimiting.py @@ -136,6 +136,11 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None: defaults={"per_second": 0.003, "burst_count": 5}, ) + self.rc_invites_per_issuer = RateLimitConfig( + config.get("rc_invites", {}).get("per_issuer", {}), + defaults={"per_second": 0.003, "burst_count": 5}, + ) + self.rc_third_party_invite = RateLimitConfig( config.get("rc_third_party_invite", {}), defaults={ diff --git a/synapse/handlers/room_member.py b/synapse/handlers/room_member.py index bf6bae123273..bc66576b4412 100644 --- a/synapse/handlers/room_member.py +++ b/synapse/handlers/room_member.py 
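Review bot: `config.get("rc_invites", {}).get("per_issuer", {})` in the added `rc_invites_per_issuer` block raises AttributeError when the config file contains `rc_invites:` with an empty value, because `config.get` then returns None instead of the `{}` default. A tolerant form is `(config.get("rc_invites") or {}).get("per_issuer", {})`. If the neighbouring invite lookups above this hunk use the same pattern, they need the same treatment. The diffstat lists only ratelimiting.py and room_member.py, so the new `per_issuer` key appears to ship without operator documentation, which matters for an abuse control whose default may need tuning. read_config starts and ends outside the hunk.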
@@ -101,19 +101,33 @@ def __init__(self, hs: "HomeServer"): burst_count=hs.config.ratelimiting.rc_joins_remote.burst_count, ) + # Ratelimiter for invites, keyed by room (across all issuers, all + # recipients). self._invites_per_room_limiter = Ratelimiter( store=self.store, clock=self.clock, rate_hz=hs.config.ratelimiting.rc_invites_per_room.per_second, burst_count=hs.config.ratelimiting.rc_invites_per_room.burst_count, ) - self._invites_per_user_limiter = Ratelimiter( + + # Ratelimiter for invites, keyed by recipient (across all rooms, all + # issuers). + self._invites_per_recipient_limiter = Ratelimiter( store=self.store, clock=self.clock, rate_hz=hs.config.ratelimiting.rc_invites_per_user.per_second, burst_count=hs.config.ratelimiting.rc_invites_per_user.burst_count, ) + # Ratelimiter for invites, keyed by issuer (across all rooms, all + # recipients). + self._invites_per_issuer_limiter = Ratelimiter( + store=self.store, + clock=self.clock, + rate_hz=hs.config.ratelimiting.rc_invites_per_issuer.per_second, + burst_count=hs.config.ratelimiting.rc_invites_per_issuer.burst_count, + ) + self._third_party_invite_limiter = Ratelimiter( store=self.store, clock=self.clock, @@ -258,7 +272,9 @@ async def ratelimit_invite( if room_id: await self._invites_per_room_limiter.ratelimit(requester, room_id) - await self._invites_per_user_limiter.ratelimit(requester, invitee_user_id) + await self._invites_per_recipient_limiter.ratelimit(requester, invitee_user_id) + if requester is not None: + await self._invites_per_issuer_limiter.ratelimit(requester, requester.user) async def _local_membership_update( self, From cb37541d5b26ad60f45ee676fc2edde6923a2015 Mon Sep 17 00:00:00 2001 From: David Teller Date: Tue, 28 Jun 2022 14:04:22 +0200 Subject: [PATCH 2/4] WIP: ChangeLog Signed-off-by: David Teller --- changelog.d/13125.feature | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/13125.feature 
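Review bot: The renamed `_invites_per_recipient_limiter` still takes its rate and burst from `rc_invites_per_user`, so the attribute and the setting that drives it now use different words for the same thing. One more line in the new comment, for example `# Rate and burst come from the rc_invites_per_user setting.`, would save the next reader the lookup. Any other reference to the old `_invites_per_user_limiter` name (subclasses, tests) has to be renamed as well; only the call in ratelimit_invite is visible in this patch. __init__ continues outside the hunk.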
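Review bot: The issuer check is the last of the three in ratelimit_invite, awaited only after the room and recipient limiters have passed. If `Ratelimiter.ratelimit` records the action whenever it allows it (its body is not in this diff), an invite that the issuer limiter then rejects has already consumed room and recipient budget, so a throttled sender's retries could use up the allowance of the room or the invited user. Charging the sender first avoids that: move `if requester is not None:` and its `await self._invites_per_issuer_limiter.ratelimit(...)` line above `if room_id:`. The later hunk in patch 3/4 that edits this call keeps the same order. ratelimit_invite starts outside the hunk.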
diff --git a/changelog.d/13125.feature b/changelog.d/13125.feature new file mode 100644 index 000000000000..156b7c37c250 --- /dev/null +++ b/changelog.d/13125.feature @@ -0,0 +1 @@ +Rate-limiting local invites by issuer. \ No newline at end of file From 064300e610bc763c7d98f6d6efcca5a90f5ac72d Mon Sep 17 00:00:00 2001 From: David Teller Date: Thu, 30 Jun 2022 07:26:56 +0200 Subject: [PATCH 3/4] WIP: Applied feedback --- synapse/config/ratelimiting.py | 2 +- synapse/handlers/room_member.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/synapse/config/ratelimiting.py b/synapse/config/ratelimiting.py index f019825b3658..4fc1784efe62 100644 --- a/synapse/config/ratelimiting.py +++ b/synapse/config/ratelimiting.py @@ -138,7 +138,7 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None: self.rc_invites_per_issuer = RateLimitConfig( config.get("rc_invites", {}).get("per_issuer", {}), - defaults={"per_second": 0.003, "burst_count": 5}, + defaults={"per_second": 0.3, "burst_count": 10}, ) self.rc_third_party_invite = RateLimitConfig( diff --git a/synapse/handlers/room_member.py b/synapse/handlers/room_member.py index bc66576b4412..5648ab4bf4c3 100644 --- a/synapse/handlers/room_member.py +++ b/synapse/handlers/room_member.py @@ -274,7 +274,7 @@ async def ratelimit_invite( await self._invites_per_recipient_limiter.ratelimit(requester, invitee_user_id) if requester is not None: - await self._invites_per_issuer_limiter.ratelimit(requester, requester.user) + await self._invites_per_issuer_limiter.ratelimit(requester) async def _local_membership_update( self, From 68b0ba26337d5da3b4d04899a2c6fca00facc239 Mon Sep 17 00:00:00 2001 From: reivilibre Date: Thu, 30 Jun 2022 10:21:30 +0100 Subject: [PATCH 4/4] Update changelog.d/13125.feature --- changelog.d/13125.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog.d/13125.feature b/changelog.d/13125.feature index 156b7c37c250..9b0f60954128 100644 
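Review bot: The per-issuer default in `rc_invites_per_issuer` becomes `"per_second": 0.3, "burst_count": 10` without a comment, while the invite limit just above it in read_config stays at `0.003` / `5` (visible as context in patch 1/4). A hundredfold gap between adjacent invite limits deserves a line of rationale for operators tuning against invite spam. If the looser value is intentional, a comment such as `# Deliberately looser than the neighbouring invite limit (0.003/s, burst 5).` would record that. read_config starts and ends outside the hunk.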
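Review bot: The guard `if requester is not None:` in ratelimit_invite means an invite handled without a requester is never counted against any issuer, and nothing in the hunk says when that case arises. A comment above the guard, such as `# No requester means no local issuer to charge; such invites are limited per room and per recipient only.`, would make that gap explicit for anyone reviewing abuse controls. The call now passes no key and relies on the limiter's fallback, which is not visible in this diff, so a second comment like `# key omitted: the limiter keys on the requester itself` would help once that fallback is confirmed. ratelimit_invite starts outside the hunk.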
--- a/changelog.d/13125.feature
+++ b/changelog.d/13125.feature
@@ -1 +1 @@
-Rate-limiting local invites by issuer.
\ No newline at end of file
+Add a rate limit for local users sending invites.
\ No newline at end of file