Conversation

@prioux prioux commented Nov 30, 2025

This PR adds a new controller directive, 'spurious_params_ban_ip'. In a controller it would look like this:

```ruby
# Actions that accept no parameters at all:
spurious_params_ban_ip :credits => [], :about_us => []
spurious_params_ban_ip :credits  # same as with an explicit => []

# Action with an explicit list of allowed parameters:
spurious_params_ban_ip :login => [ :username, :password ]

spurious_params_ban_ip :new   => []
```

You provide to it the names of actions in the current controller, and a list of allowable parameters. If a GET or POST request is made with a bunch of unknown parameters, we know it's not a genuine client, so internally CBRAIN will ban the client's address. This entire mechanism is meant to be useful only for public-facing pages, not for anything that happens to a logged-in client.

This PR comes with a bunch of pre-defined ban rules for all the public-facing pages.

Currently, to allow some wiggle room, banning happens when at least 3 spurious params are detected.

FOR CODE REVIEWERS: In a dev environment, you'll never end up actually banning yourself, so feel free to try as many weird params as you want. The messages about them will appear in the Rails logs.
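The following is an added example, not CBRAIN's code, modelling the mechanism the PR description lays out: a class-level `spurious_params_ban_ip` directive that records, per action, the parameter names a public-facing action may receive, and a per-request check that counts any other parameter as spurious and bans the client address once the count reaches 3. The module and method names other than `spurious_params_ban_ip`, the `FRAMEWORK_PARAMS` list of keys Rails adds to every request, and the in-memory ban list are all assumptions made for the example; CBRAIN's real directive and its ban storage may differ.

```ruby
# Added example (not CBRAIN's code): a minimal model of the
# 'spurious_params_ban_ip' directive described in the PR text.
# The module/method names below (other than spurious_params_ban_ip),
# FRAMEWORK_PARAMS and the in-memory ban list are assumptions.

require 'set'

module SpuriousParamsBan
  # Keys the framework itself adds to every request; assumed here so
  # they are never counted as spurious.
  FRAMEWORK_PARAMS = %w[controller action format].freeze

  # Ban once at least this many unknown params are seen (the PR says 3).
  BAN_THRESHOLD = 3

  # Process-wide list of banned client addresses (assumption: a real
  # deployment would persist this, e.g. in the database).
  def self.banned_ips
    @banned_ips ||= Set.new
  end

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # action name (String) => list of allowed param names (Strings)
    def spurious_params_rules
      @spurious_params_rules ||= {}
    end

    # Accepts the forms shown in the PR:
    #   spurious_params_ban_ip :credits
    #   spurious_params_ban_ip :credits => [], :about_us => []
    #   spurious_params_ban_ip :login => [:username, :password]
    def spurious_params_ban_ip(*args)
      opts = args.last.is_a?(Hash) ? args.pop : {}
      args.each { |action| spurious_params_rules[action.to_s] = [] }
      opts.each do |action, allowed|
        spurious_params_rules[action.to_s] = Array(allowed).map(&:to_s)
      end
    end
  end

  # Names of params not allowed for this action, or nil when the action
  # has no rule (i.e. the filter does not apply to it).
  def spurious_params(action, params)
    allowed = self.class.spurious_params_rules[action.to_s]
    return nil unless allowed
    ok = Set.new(allowed + FRAMEWORK_PARAMS)
    params.keys.map(&:to_s).reject { |k| ok.include?(k) }
  end

  # True when the request carries enough unknown params to trigger a ban.
  def ban_ip?(action, params)
    sp = spurious_params(action, params)
    !sp.nil? && sp.size >= BAN_THRESHOLD
  end

  # Request-time check: records the address on the ban list and returns
  # :banned, or returns :ok (spurious params below threshold are only
  # reported, mirroring the "wiggle room" in the PR text).
  def check_request(ip, action, params)
    if ban_ip?(action, params)
      SpuriousParamsBan.banned_ips << ip
      :banned
    else
      :ok
    end
  end
end

# A controller using the directive, with rules taken from the PR text.
class DemoController
  include SpuriousParamsBan
  spurious_params_ban_ip :credits => [], :about_us => []
  spurious_params_ban_ip :login => [:username, :password]
end

if __FILE__ == $PROGRAM_NAME
  c = DemoController.new
  # Constructed sample requests: one genuine login, one scanner-like.
  genuine = { "controller" => "demo", "action" => "login",
              "username" => "alice", "password" => "s3cret" }
  probe   = genuine.merge("id" => "1'", "debug" => "1", "admin" => "true")
  puts c.check_request("203.0.113.5", :login, genuine)  # :ok
  puts c.check_request("203.0.113.9", :login, probe)    # :banned
  puts SpuriousParamsBan.banned_ips.to_a.inspect
end
```

Note that a request with only one or two unknown params is not banned, so a benign client whose browser extension appends a tracking parameter is tolerated; the cost is that an attacker can probe up to two unknown names per request without tripping the ban.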

@prioux prioux added Enhancement Security Admin Features or bugs related to administrative features labels Nov 30, 2025
It seems we also get back a "scope" structure that we don't actually use. Based on looking at historical logs of the service.
prioux commented Nov 30, 2025

I just went through all the logs for 2025 and double checked that the list of allowed params for the actions I am filtering in this PR is all ok. I found I missed the "code" params for OIDC action, so I added it as another commit.

@prioux prioux self-assigned this Dec 2, 2025
@prioux prioux merged commit e004214 into aces:master Dec 2, 2025
1 check passed
@prioux prioux deleted the spurious_params branch December 2, 2025 20:11