Added IP-based rate limiting for Copi (fixes #1877)

copi.owasp.org/RATE_LIMITING_IMPLEMENTATION.md

@@ -0,0 +1,108 @@
+# Rate Limiting Implementation for Player Creation
+
+## Overview
+This implementation addresses GitHub Issue #1877 by adding IP-based rate limiting for player creation, separate from the existing game creation rate limit, to protect against CAPEC 212 (Functionality Misuse) attacks.
+
+## Changes Made
+
+### 1. Rate Limiter Module (`lib/copi/rate_limiter.ex`)
+
+**Added player_creation action:**
+- Updated `check_rate/2` to accept `:player_creation` action
+- Updated `record_action/2` to accept `:player_creation` action
+- Added player creation configuration with default limits:
+  - Maximum players per IP: 20
+  - Time window: 3600 seconds (1 hour)
+
+**Configuration:**
+```elixir
+player_creation: %{
+  max_requests: get_env(:max_players_per_ip, 20),
+  window_seconds: get_env(:player_creation_window_seconds, 3600)
+}
+```
+
+### 2. Player Form Component (`lib/copi_web/live/player_live/form_component.ex`)
+
+**Added rate limiting to player creation:**
+- Added `get_connect_ip/1` helper function to extract IP address from socket
+- Modified `save_player/3` for `:new` action to:
+  1. Get the connecting IP address
+  2. Check rate limit before creating player
+  3. Only create player if rate limit is not exceeded
+  4. Record the action after successful creation
+  5. Display user-friendly error message if rate limited
+
+**Error message shown to users:**
+```
+"Rate limit exceeded. Too many players created from your IP address. 
+Please try again in X seconds. This limit helps ensure service 
+availability for all users."
+```
+
+### 3. Tests (`test/copi/rate_limiter_test.exs`)
+
+**Added comprehensive test coverage:**
+- Test that player creation is allowed under the limit
+- Test that player creation is blocked when limit is exceeded
+- Test that player creation limit is separate from game creation limit
+- Updated configuration test to verify player_creation config exists
+
+## Key Features
+
+### Separate Limits
+The player creation rate limit is maintained **separately** from the game creation rate limit. This means:
+- An IP that has exhausted its game creation quota can still create players
+- An IP that has exhausted its player creation quota can still create games
+- Each limit is tracked independently in the GenServer state
+
+### Configurable Limits
+The limits can be configured via application environment:
+```elixir
+config :copi, Copi.RateLimiter,
+  max_players_per_ip: 20,
+  player_creation_window_seconds: 3600
+```
+
+### User-Friendly Error Handling
+When rate limited, users receive:
+- Clear explanation of why they were blocked
+- Time until they can try again (retry_after in seconds)
+- Explanation that this protects service availability
+
+## Security Benefits
+
+1. **CAPEC 212 Mitigation**: Prevents functionality misuse by limiting the rate of player creation from a single IP
+2. **DoS Protection**: Helps maintain service availability under attack
+3. **Resource Conservation**: Prevents database and system resource exhaustion
+4. **Granular Control**: Separate limits allow fine-tuned protection for different actions
+
+## Default Limits Summary
+
+| Action | Max Requests | Time Window |
+|--------|--------------|-------------|
+| Game Creation | 10 | 1 hour |
+| Player Creation | 20 | 1 hour |
+| Connection | 50 | 5 minutes |
+
+## Testing
+
+Run the test suite:
+```bash
+mix test test/copi/rate_limiter_test.exs
+```
+
+All tests should pass, including the new player creation rate limiting tests.
+
+## Future Enhancements
+
+As mentioned in the issue, if this is still insufficient, the next step would be:
+- Implement authentication
+- Associate rate limits with user accounts in addition to IP addresses
+- Track browser fingerprints along with IP addresses
+
+---
+
+**Issue Reference:** OWASP/cornucopia#1877  
+**Related Security Control:** CAPEC-212 (Functionality Misuse)  
+**Implemented by:** @immortal71

copi.owasp.org/SECURITY.md

@@ -0,0 +1,203 @@
+# Security Implementation for Copi
+
+This document describes the security measures implemented in Copi to protect against abuse and ensure service availability.
+
+## Overview
+
+Copi has implemented IP-based rate limiting to protect against **CAPEC 212 (Functionality Misuse)** attacks. These protections help ensure that the service remains available for all legitimate users by preventing a single source from overwhelming the system.
+
+## Implemented Protections
+
+### 1. Game Creation Rate Limiting
+
+**Purpose**: Prevents a single IP address from creating an excessive number of games, which could lead to database exhaustion or denial of service.
+
+**Default Configuration**:
+- Maximum games per IP: 10
+- Time window: 3600 seconds (1 hour)
+
+**Behavior**:
+- Tracks game creation attempts by IP address
+- When the limit is exceeded, users receive a clear error message
+- The limit resets after the time window expires
+- Different IP addresses have independent limits
+
+**Configuration**:
+```bash
+export MAX_GAMES_PER_IP=10
+export GAME_CREATION_WINDOW_SECONDS=3600
+```
+
+### 2. WebSocket Connection Rate Limiting
+
+**Purpose**: Prevents a single IP address from opening excessive WebSocket connections, which could exhaust server resources.
+
+**Default Configuration**:
+- Maximum connections per IP: 50
+- Time window: 300 seconds (5 minutes)
+
+**Behavior**:
+- Tracks connection attempts by IP address
+- When the limit is exceeded, connections are rejected with an error message
+- The limit resets after the time window expires
+- Does not affect existing active connections
+
+**Configuration**:
+```bash
+export MAX_CONNECTIONS_PER_IP=50
+export CONNECTION_WINDOW_SECONDS=300
+```
+
+## Technical Implementation
+
+### Architecture
+
+The rate limiting system consists of several components:
+
+1. **Copi.RateLimiter** (`lib/copi/rate_limiter.ex`)
+   - GenServer that maintains rate limit state
+   - Tracks requests per IP address and action type
+   - Automatically cleans up expired entries every 5 minutes
+   - Provides a simple API for checking and recording actions
+
+2. **CopiWeb.Plugs.RateLimiter** (`lib/copi_web/plugs/rate_limiter.ex`)
+   - Plug for HTTP request rate limiting
+   - Extracts IP addresses from connections
+   - Handles X-Forwarded-For headers for reverse proxies
+   - Returns proper HTTP 429 status codes when limits are exceeded
+
+3. **LiveView Integration**
+   - Game creation rate limiting in `CopiWeb.GameLive.CreateGameForm`
+   - Connection rate limiting in `CopiWeb.GameLive.Index`
+   - Provides user-friendly error messages
+
+### IP Address Handling
+
+The system correctly handles:
+- IPv4 addresses (e.g., 192.168.1.1)
+- IPv6 addresses (e.g., 2001:db8::1)
+- X-Forwarded-For headers (for reverse proxy deployments)
+- Multiple IP addresses in X-Forwarded-For (uses the first one)
+
+### Rate Limit Response Headers
+
+When rate limiting is active, the following headers are included in responses:
+
+- `X-RateLimit-Remaining`: Number of requests remaining in the current window
+- `Retry-After`: Seconds until the rate limit resets (only included when rate limited)
+
+### Error Messages
+
+Users who exceed rate limits receive clear, informative error messages:
+
+```
+Rate limit exceeded. Too many games created from your IP address.
+Please try again in 3600 seconds.
+This limit helps ensure service availability for all users.
+```
+
+## Deployment Considerations
+
+### Reverse Proxy Configuration
+
+If deploying behind a reverse proxy (nginx, HAProxy, Cloudflare, etc.), ensure the real client IP is passed through:
+
+**Nginx**:
+```nginx
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+```
+
+**Apache**:
+```apache
+RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
+```
+
+**Cloudflare**:
+Cloudflare automatically sets the CF-Connecting-IP header. The X-Forwarded-For header should also be present.
+
+### Monitoring
+
+Monitor the following metrics to detect abuse or adjust rate limits:
+
+- Rate limit rejections (logged as warnings)
+- Rate limit state size (number of tracked IPs)
+- 429 HTTP responses
+- Flash messages about rate limiting
+
+### Adjusting Rate Limits
+
+Rate limits can be adjusted based on your deployment needs:
+
+**For Development/Testing**:
+```bash
+export MAX_GAMES_PER_IP=100
+export MAX_CONNECTIONS_PER_IP=200
+```
+
+**For High-Traffic Production**:
+```bash
+export MAX_GAMES_PER_IP=5
+export GAME_CREATION_WINDOW_SECONDS=7200  # 2 hours
+export MAX_CONNECTIONS_PER_IP=30
+export CONNECTION_WINDOW_SECONDS=600  # 10 minutes
+```
+
+**For Low-Traffic/Internal Use**:
+```bash
+export MAX_GAMES_PER_IP=50
+export MAX_CONNECTIONS_PER_IP=100
+```
+
+## Testing
+
+The implementation includes comprehensive tests:
+
+- **Unit tests** for the RateLimiter GenServer (`test/copi/rate_limiter_test.exs`)
+- **Integration tests** for the RateLimiter Plug (`test/copi_web/plugs/rate_limiter_test.exs`)
+
+Run tests:
+```bash
+mix test
+```
+
+Run specific rate limiter tests:
+```bash
+mix test test/copi/rate_limiter_test.exs
+mix test test/copi_web/plugs/rate_limiter_test.exs
+```
+
+## Future Enhancements
+
+Potential future security enhancements (not currently implemented):
+
+1. **Authentication Integration**
+   - Associate rate limits with authenticated users
+   - Different limits for authenticated vs. anonymous users
+   - Per-user rate limiting instead of just per-IP
+
+2. **Geographic Rate Limiting**
+   - Different limits based on geographic location
+   - Blocking or stricter limits for high-risk regions
+
+3. **Adaptive Rate Limiting**
+   - Automatically adjust limits based on system load
+   - Stricter limits during high traffic periods
+
+4. **CAPTCHA Integration**
+   - Require CAPTCHA after repeated rate limit violations
+   - Optional CAPTCHA for game creation
+
+5. **Rate Limit Dashboard**
+   - Admin interface to view current rate limit state
+   - Ability to manually block/unblock IPs
+   - Real-time monitoring of rate limit violations
+
+## Reporting Security Issues
+
+If you discover a security vulnerability in Copi, please report it to the OWASP Cornucopia team through the [GitHub Security Advisories](https://github.com/OWASP/cornucopia/security/advisories) page.
+
+## References
+
+- [CAPEC-212: Functionality Misuse](https://capec.mitre.org/data/definitions/212.html)
+- [OWASP API Security Top 10 - API4:2023 Unrestricted Resource Consumption](https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/)
+- [Phoenix Framework Security](https://hexdocs.pm/phoenix/security.html)

copi.owasp.org/config/config.exs

@@ -27,6 +27,17 @@ config :copi, CopiWeb.Endpoint,
 
 config :copi, env: Mix.env()
 
+# Configure rate limiting to prevent abuse (CAPEC 212 - Functionality Misuse)
+config :copi, Copi.RateLimiter,
+  # Maximum number of games that can be created from a single IP in the time window
+  max_games_per_ip: System.get_env("MAX_GAMES_PER_IP", "10") |> String.to_integer(),
+  # Time window in seconds for game creation rate limiting (default: 1 hour)
+  game_creation_window_seconds: System.get_env("GAME_CREATION_WINDOW_SECONDS", "3600") |> String.to_integer(),
+  # Maximum number of WebSocket connections from a single IP in the time window
+  max_connections_per_ip: System.get_env("MAX_CONNECTIONS_PER_IP", "50") |> String.to_integer(),
+  # Time window in seconds for connection rate limiting (default: 5 minutes)
+  connection_window_seconds: System.get_env("CONNECTION_WINDOW_SECONDS", "300") |> String.to_integer()
+
 # Configure tailwind (the version is required)
 config :tailwind,
   version: "3.4.0",

copi.owasp.org/config/test.exs

@@ -7,7 +7,7 @@ import Config
 # Run `mix help test` for more information.
 config :copi, Copi.Repo,
   username: "postgres",
-  password: System.get_env("POSTGRES_TEST_PWD"),
+  password: System.get_env("POSTGRES_TEST_PWD") || "postgres",
   database: "copi_test#{System.get_env("MIX_TEST_PARTITION")}",
   hostname: "localhost",
   pool: Ecto.Adapters.SQL.Sandbox
@@ -18,5 +18,11 @@ config :copi, CopiWeb.Endpoint,
   http: [port: 4002],
   server: false
 
+# Configure rate limiter with very high limits for testing to prevent blocking test execution
+config :copi, Copi.RateLimiter,
+  max_games_per_ip: 100_000,
+  max_players_per_ip: 100_000,
+  max_connections_per_ip: 100_000
+
 # Print only warnings and errors during test
 config :logger, level: :warning

copi.owasp.org/lib/copi/application.ex

@@ -15,6 +15,8 @@ defmodule Copi.Application do
       {Phoenix.PubSub, name: Copi.PubSub},
       # Start the DNS clustering
       {DNSCluster, query: Application.get_env(:copi, :dns_cluster_query) || :ignore},
+      # Start the Rate Limiter for security
+      Copi.RateLimiter,
       # Start the Endpoint (http/https)
       CopiWeb.Endpoint
       # Start a worker by calling: Copi.Worker.start_link(arg)