From 190ce7cba563ac9df5492af388e889a574d28e84 Mon Sep 17 00:00:00 2001
From: Peter Bhat Harkins
Date: Wed, 20 Jul 2022 08:22:15 -0500
Subject: [PATCH] fix bypass in rate limiting

thanks to whokilleddb for the report
---
 config/initializers/rack_attack.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index e9557830e..b0b2c0592 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -18,8 +18,10 @@ end
 # at some point they'll proceed to testing credentials
 Rack::Attack.throttle("login", limit: 4, period: 60) do |request|
-  request.ip if request.post? &&
-    (request.path == '/login' || request.path == '/login/set_new_password')
+  request.ip if request.post? && (
+    request.path.start_with?('/login') ||
+    request.path.start_with?('/login/set_new_password')
+  )
 end
 
 Rack::Attack.throttle("log4j probe", limit: 1, period: 1.week.to_i) do |request|