From 949404cd1aad8492ae0338130f16054adfa38ab7 Mon Sep 17 00:00:00 2001 From: Neel Kamath Date: Sun, 13 May 2018 16:37:56 +0530 Subject: Prevent fucking shit up --- server/src/core/rateLimiter.js | 103 +++++++++++++++ server/src/core/server.js | 282 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 385 insertions(+) create mode 100644 server/src/core/rateLimiter.js create mode 100644 server/src/core/server.js (limited to 'server/src/core') diff --git a/server/src/core/rateLimiter.js b/server/src/core/rateLimiter.js new file mode 100644 index 0000000..0c2a384 --- /dev/null +++ b/server/src/core/rateLimiter.js @@ -0,0 +1,103 @@ +/** + * Tracks frequency of occurances based on `id` (remote address), then allows or + * denies command execution based on comparison with `threshold` + * + * Version: v2.0.0 + * Developer: Marzavec ( https://github.com/marzavec ) + * License: WTFPL ( http://www.wtfpl.net/txt/copying/ ) + * + */ + +class Police { + /** + * Create a ratelimiter instance. + */ + constructor () { + this._records = {}; + this._halflife = 30 * 1000; // milliseconds + this._threshold = 25; + this._hashes = []; + } + + /** + * Finds current score by `id` + * + * @param {String} id target id / address + * @public + * + * @memberof Police + */ + search (id) { + let record = this._records[id]; + + if (!record) { + record = this._records[id] = { + time: Date.now(), + score: 0 + } + } + + return record; + } + + /** + * Adjusts the current ratelimit score by `deltaScore` + * + * @param {String} id target id / address + * @param {Number} deltaScore amount to adjust current score by + * @public + * + * @memberof Police + */ + frisk (id, deltaScore) { + let record = this.search(id); + + if (record.arrested) { + return true; + } + + record.score *= Math.pow(2, -(Date.now() - record.time ) / this._halflife); + record.score += deltaScore; + record.time = Date.now(); + + if (record.score >= this._threshold) { + return true; + } + + return false; + } + + /** + * Statically set server to no longer accept traffic from `id` + * + * @param {String} id target id / address + * @public + * + * @memberof Police + */ + arrest (id, hash) { + let record = this.search(id); + + record.arrested = true; + this._hashes[hash] = id; + } + + /** + * Remove statically assigned limit from `id` + * + * @param {String} id target id / address + * @public + * + * @memberof Police + */ + pardon (id) { + if (typeof this._hashes[id] !== 'undefined') { + id = this._hashes[id]; + } + + let record = this.search(id); + record.arrested = false; + } +} + +module.exports = Police; diff --git a/server/src/core/server.js b/server/src/core/server.js new file mode 100644 index 0000000..855aeba --- /dev/null +++ b/server/src/core/server.js @@ -0,0 +1,282 @@ +/** + * Main websocket server handling communications and connection events + * + * Version: v2.0.0 + * Developer: Marzavec ( https://github.com/marzavec ) + * License: WTFPL ( http://www.wtfpl.net/txt/copying/ ) + * + */ + +const wsServer = require('ws').Server; +const socketReady = require('ws').OPEN; +const crypto = require('crypto'); +const ipSalt = (Math.random().toString(36).substring(2, 16) + Math.random().toString(36).substring(2, (Math.random() * 16))).repeat(16); +const Police = require('./rateLimiter'); +const pulseSpeed = 16000; // ping all clients every X ms + +class server extends wsServer { + /** + * Create a HackChat server instance. + * + * @param {Object} core Reference to the global core object + */ + constructor (core) { + super({ port: core.config.websocketPort }); + + this._core = core; + this._police = new Police(); + this._cmdBlacklist = {}; + this._heartBeat = setInterval(((data) => { + this.beatHeart(); + }).bind(this), pulseSpeed); + + this.on('error', (err) => { + this.handleError('server', err); + }); + + this.on('connection', (socket, request) => { + this.newConnection(socket, request); + }); + } + + /** + * Send empty `ping` frame to each client + * + */ + beatHeart () { + let targetSockets = this.findSockets({}); + + if (targetSockets.length === 0) { + return; + } + + for (let i = 0, l = targetSockets.length; i < l; i++) { + try { + if (targetSockets[i].readyState === socketReady) { + targetSockets[i].ping(); + } + } catch (e) { } + } + } + + /** + * Bind listeners for the new socket created on connection to this class + * + * @param {Object} socket New socket object + * @param {Object} request Initial headers of the new connection + */ + newConnection (socket, request) { + socket.remoteAddress = request.headers['x-forwarded-for'] || request.connection.remoteAddress; + + socket.on('message', ((data) => { + this.handleData(socket, data); + }).bind(this)); + + socket.on('close', (() => { + this.handleClose(socket); + }).bind(this)); + + socket.on('error', ((err) => { + this.handleError(socket, err); + }).bind(this)); + } + + /** + * Handle incoming messages from clients, parse and check command, then hand-off + * + * @param {Object} socket Calling socket object + * @param {String} data Message sent from client + */ + handleData (socket, data) { + // Don't penalize yet, but check whether IP is rate-limited + if (this._police.frisk(socket.remoteAddress, 0)) { + this.reply({ cmd: 'warn', text: "Your IP is being rate-limited or blocked." }, socket); + + return; + } + + // Penalize here, but don't do anything about it + this._police.frisk(socket.remoteAddress, 1); + + // ignore ridiculously large packets + if (data.length > 65536) { + return; + } + + // Start sent data verification + var args = null; + try { + args = JSON.parse(data); + } catch (e) { + // Client sent malformed json, gtfo + socket.close(); + } + + if (args === null) { + return; + } + + if (typeof args.cmd === 'undefined' || args.cmd == 'ping') { + return; + } + + if (typeof args.cmd !== 'string') { + return; + } + + if (typeof socket.channel === 'undefined' && args.cmd !== 'join') { + return; + } + + if (typeof this._cmdBlacklist[args.cmd] === 'function') { + return; + } + + // Finished verification, pass to command modules + this._core.commands.handleCommand(this, socket, args); + } + + /** + * Handle socket close from clients + * + * @param {Object} socket Closing socket object + */ + handleClose (socket) { + this._core.commands.handleCommand(this, socket, { cmd: 'disconnect' }); + } + + /** + * "Handle" server or socket errors + * + * @param {Object||String} socket Calling socket object, or 'server' + * @param {String} err The sad stuff + */ + handleError (socket, err) { + console.log(`Server error: ${err}`); + } + + /** + * Send data payload to specific socket/client + * + * @param {Object} data Object to convert to json for transmission + * @param {Object} socket The target client + */ + send (data, socket) { + // Add timestamp to command + data.time = Date.now(); + + try { + if (socket.readyState === socketReady) { + socket.send(JSON.stringify(data)); + } + } catch (e) { } + } + + /** + * Overload function for `this.send()` + * + * @param {Object} data Object to convert to json for transmission + * @param {Object} socket The target client + */ + reply (data, socket) { + this.send(data, socket); + } + + /** + * Finds sockets/clients that meet the filter requirements, then passes the data to them + * + * @param {Object} data Object to convert to json for transmission + * @param {Object} filter see `this.findSockets()` + */ + broadcast (data, filter) { + let targetSockets = this.findSockets(filter); + + if (targetSockets.length === 0) { + return false; + } + + for (let i = 0, l = targetSockets.length; i < l; i++) { + this.send(data, targetSockets[i]); + } + + return true; + } + + /** + * Finds sockets/clients that meet the filter requirements, returns result as array + * + * @param {Object} data Object to convert to json for transmission + * @param {Object} filter The socket must of equal or greater attribs matching `filter` + * = {} // matches all + * = { channel: 'programming' } // matches any socket where (`socket.channel` === 'programming') + * = { channel: 'programming', nick: 'Marzavec' } // matches any socket where (`socket.channel` === 'programming' && `socket.nick` === 'Marzavec') + */ + findSockets (filter) { + let filterAttribs = Object.keys(filter); + let reqCount = filterAttribs.length; + let curMatch; + let matches = []; + for ( let socket of this.clients ) { + curMatch = 0; + + for (let i = 0; i < reqCount; i++) { + if (typeof socket[filterAttribs[i]] !== 'undefined') { + switch(typeof filter[filterAttribs[i]]) { + case 'object': { + if (Array.isArray(filter[filterAttribs[i]])) { + if (filter[filterAttribs[i]].indexOf(socket[filterAttribs[i]]) !== -1) { + curMatch++; + } + } else { + if (socket[filterAttribs[i]] === filter[filterAttribs[i]]) { + curMatch++; + } + } + break; + } + + case 'function': { + if (filter[filterAttribs[i]](socket[filterAttribs[i]])) { + curMatch++; + } + break; + } + + default: { + if (socket[filterAttribs[i]] === filter[filterAttribs[i]]) { + curMatch++; + } + break; + } + } + } + } + + if (curMatch === reqCount) { + matches.push(socket); + } + } + + return matches; + } + + /** + * Encrypts target socket's remote address using non-static variable length salt + * encodes and shortens the output, returns that value + * + * @param {Object||String} target Either the target socket or ip as string + */ + getSocketHash (target) { + let sha = crypto.createHash('sha256'); + + if (typeof target === 'string') { + sha.update(target + ipSalt); + } else { + sha.update(target.remoteAddress + ipSalt); + } + + return sha.digest('base64').substr(0, 15); + } +} + +module.exports = server; -- cgit v1.2.1