Minimum length validation for the recaptcha token param #462
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
grosser
reviewed
Jan 13, 2025
| @@ -588,7 +588,7 @@ Recaptcha.configure do |config| | |||
| config.secret_key = '6Lc6BAAAAAAAAKN3DRm6VA_xxxxxxxxxxxxxxxxx' | |||
| config.verify_url = 'https://hcaptcha.com/siteverify' | |||
| config.api_server_url = 'https://hcaptcha.com/1/api.js' | |||
| config.response_limit = 100000 | |||
There was a problem hiding this comment.
that would break anyone already using that field, how about adding response_minimum = 100 instead ?
test/verify_enterprise_test.rb
Outdated
| @@ -180,7 +180,7 @@ def initialize | |||
| assert_equal "reCAPTCHA verification failed, please try again.", @controller.flash[:recaptcha_error] | |||
| end | |||
|
|
|||
| it "does not verify via http call when response length exceeds G_RESPONSE_LIMIT" do | |||
| it "does not verify via http call when response length exceeds G_RESPONSE_MAX_LIMIT" do | |||
There was a problem hiding this comment.
don't think this should change, the name references the var we send to recapcha ... possibly should just be rewritten to "exceeds limit"
grosser
approved these changes
Jan 14, 2025
|
🤦 ci was not working and this looked harmless :D |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add minimum length validation for the recaptcha token param
Reason:
#461
Spammers can pass random value for the token param (ex: g-recaptcha-response) which can increase the API validation call to recaptcha, consequently incurring more cost.
Most of the Spam attacks we observed attacher sending 1-10 length chars.
It is good to have minimum length 100, validation check to avoid unnecessary API calls to recaptcha.