From 8db38de9d7d47b8c931ae0cc409c5550e37653b7 Mon Sep 17 00:00:00 2001
From: Sam Saffron
Date: Tue, 20 Aug 2019 11:29:11 +1000
Subject: [PATCH] SECURITY: add rate limiting to anon JS error reporting

This adds a 1 minute rate limit to all JS error reporting per IP. Previously we would only use the global rate limit. This also introduces DISCOURSE_ENABLE_JS_ERROR_REPORTING, if it is set to false then no JS error reporting will be allowed on the site.
---
 Gemfile.lock | 2 +-
 .../javascripts/preload-application-data.js.no-module.es6 | 3 +++
 app/helpers/application_helper.rb | 1 +
 config/discourse_defaults.conf | 3 +++
 config/initializers/100-logster.rb | 1 +
 5 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 228da02713a..4732569ec1e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -169,7 +169,7 @@ GEM logstash-event (1.2.02) logstash-logger (0.26.1) logstash-event (~> 1.2) - logster (2.3.1) + logster (2.3.2) loofah (2.2.3) crass (~> 1.0.2) nokogiri (>= 1.5.9)
diff --git a/app/assets/javascripts/preload-application-data.js.no-module.es6 b/app/assets/javascripts/preload-application-data.js.no-module.es6
index fd22628ae09..f78ea11367f 100644
--- a/app/assets/javascripts/preload-application-data.js.no-module.es6
+++ b/app/assets/javascripts/preload-application-data.js.no-module.es6
@@ -12,6 +12,9 @@ var setupData = document.getElementById("data-discourse-setup").dataset;
+ window.Logster = window.Logster || {};
+ window.Logster.enabled = setupData.enableJsErrorReporting === "true";
+
 Discourse.CDN = setupData.cdn;
 Discourse.BaseUrl = setupData.baseUrl;
 Discourse.BaseUri = setupData.baseUri;
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 9b5337e7cbd..a440e726c4f 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
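Review bot: The `window.Logster.enabled` flag set on the added lines is a client-side hint only; nothing in this file stops a client that ignores it from posting error reports, so the line deserves a comment saying where the real gate is: `// Advisory only: the server enforces DISCOURSE_ENABLE_JS_ERROR_REPORTING and the per-IP rate limit regardless of this flag.` The `=== "true"` comparison is correct because dataset values are strings, but it reads like a bug at a glance, and the same comment could say so. Presumably logster's own client script consults `Logster.enabled` before sending, and the `window.Logster || {}` guard suggests that script may load after this one; worth confirming the ordering. The enclosing function starts and ends outside the hunk.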
@@ -475,6 +475,7 @@ module ApplicationHelper
 disable_custom_css: loading_admin?,
 highlight_js_path: HighlightJs.path,
 svg_sprite_path: SvgSprite.path(theme_ids),
+ enable_js_error_reporting: GlobalSetting.enable_js_error_reporting,
 }
 if Rails.env.development?
diff --git a/config/discourse_defaults.conf b/config/discourse_defaults.conf
index dd4587acc39..c3fc12db940 100644
--- a/config/discourse_defaults.conf
+++ b/config/discourse_defaults.conf
@@ -256,3 +256,6 @@ maxmind_backup_path =
 # X-Queue-Time: 1.01
 enable_performance_http_headers = false
+# gather JavaScript errors from clients (rate limited to 1 error per IP per minute)
+enable_js_error_reporting = true
+
diff --git a/config/initializers/100-logster.rb b/config/initializers/100-logster.rb
index 06e6ba66b9c..99873698087 100644
--- a/config/initializers/100-logster.rb
+++ b/config/initializers/100-logster.rb
@@ -104,6 +104,7 @@ Logster.config.subdirectory = "#{GlobalSetting.relative_url_root}/logs"
 Logster.config.application_version = Discourse.git_version
 Logster.config.enable_custom_patterns_via_ui = true
+Logster.config.enable_js_error_reporting = GlobalSetting.enable_js_error_reporting
 store = Logster.store
 redis = Logster.store.redis
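Review bot: The new comment pins `rate limited to 1 error per IP per minute`, but that limit is enforced inside the logster gem (bumped to 2.3.2 in this same commit), not in this repository, so the number can drift without anyone touching this file. The comment also leaves out the security-relevant part of the setting: while it is true, unauthenticated browsers can submit text into the site's log store, which is the reason the commit is tagged SECURITY. I would reword it as `# accept JavaScript errors reported by browsers, including anonymous ones (logster rate limits reports per IP); set to false to disable the endpoint entirely`. Per the commit message this is overridable as DISCOURSE_ENABLE_JS_ERROR_REPORTING, which the comment could state as well.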
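Review bot: The added `Logster.config.enable_js_error_reporting` line is the only server-side gate for JS error reports, since the matching `window.Logster.enabled` flag in the JavaScript hunk is advisory, and a one-line comment should say so: `# Authoritative switch for JS error reports; the client-side Logster.enabled flag is advisory only.` Because this is an initializer the value is read once at boot, so flipping DISCOURSE_ENABLE_JS_ERROR_REPORTING presumably needs a restart to take effect, which the comment could also state. Worth confirming that `GlobalSetting.enable_js_error_reporting` yields a real boolean when overridden from the environment rather than the string "false", which would be truthy here. Whether logster 2.3.2 actually rejects reports when this is false cannot be seen from this diff.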