Changeset 8636

Timestamp:

04/12/2019 11:21:15 AM (7 years ago)

Author:

vedjain

Message:

WC Camptix: Throttle ticket purchase request to prevent junk tickets.

This patch adds throttling support to ticket purchase request to 39 per hour. This is not intended to prevent any kind of sophiscated attacks, but is just there so that we don't have to delete lots of failed tickets when a security runs any automated tests on us.

Form_Spam_Prevention provides honeypot feature as well, which we are intentionally not using here because we want don't want to be aggressive in blocking ticket purchase form.

File:

• sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/camptix-tweaks/camptix-tweaks.php (modified) (4 diffs)

sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/camptix-tweaks/camptix-tweaks.php

@@ -4 +4 @@
 use CampTix_Plugin;
 use WP_Post;
+use WordCamp\Utilities\Form_Spam_Prevention;
 
 defined( 'WPINC' ) or die();
@@ -15 +16 @@
 add_action( 'wp_print_styles',                               __NAMESPACE__ . '\print_login_message_styles'          );
 add_filter( 'camptix_require_login_please_login_message',    __NAMESPACE__ . '\override_please_login_message'       );
+add_action( 'camptix_checkout_start',                        __NAMESPACE__ . '\check_ip_throttling'                 );
 add_action( 'camptix_form_start_errors',                     __NAMESPACE__ . '\add_form_start_error_messages'       );
+add_filter( 'camptix_form_attendee_info_errors',             __NAMESPACE__ . '\show_throttle_notice'                );
 add_action( 'transition_post_status',                        __NAMESPACE__ . '\ticket_sales_opened',          10, 3 );
 add_action( 'camptix_payment_result',                        __NAMESPACE__ . '\track_payment_results',        10, 3 );
@@ -43 +46 @@
 add_filter( 'camptix_stripe_checkout_image_url',             __NAMESPACE__ . '\stripe_default_checkout_image_url'   );
 
+// Prefix for Form_Spam_Prevention class.
+define( 'WC_CAMPTIX_FSP_PREFIX', 'wc-camptix-fsp-prefix' );
 
 /**
@@ -921 +926 @@
 
 /**
+ * Show error message if IP Address has been throttled by `Form_Spam_Prevention`.
+ * We are not using honeypot feature provided by Form_Spam_Prevention because we do not want to be aggressive with blocking requests in ticket purchase page. We only block when we are extremely sure that its a bad actor, and even if it is a bot, we let it go if its not annoying.
+ */
+function show_throttle_notice() {
+    global $camptix;
+
+    $fsp = new Form_Spam_Prevention( [ 'prefix' => WC_CAMPTIX_FSP_PREFIX ] );
+
+    if ( $fsp->is_ip_address_throttled() ) {
+        $camptix->error( __( 'You are purchasing tickets too fast. Your IP address has been throttled for an hour since last ticket purchase.', 'wordcamporg' ) );
+
+        // With some payment methods, payment could have been  deducted in the frontend before making a checkout request.
+        // Therefore its important that we disable payment methods tab if we are going to block the checkout request.
+        add_filter( 'tix_render_payment_options', '__return_empty_string', 20 );
+    }
+
+}
+
+/**
+ * Checks if IP is throttled. If not then increments the score by 0.1. This does not handle any sophisticated attack, but is just there so that we do not have to delete junk tickets if a security researcher runs a test on site.
+ *
+ * Maximum score threshold in Form_Spam_Prevention is 4, so using 0.1 implies an IP address will be able to make 39 purchase request before getting throttled.
+ */
+function check_ip_throttling() {
+    global $camptix;
+
+    $fsp = new Form_Spam_Prevention( [ 'prefix' => WC_CAMPTIX_FSP_PREFIX ] );
+
+    if ( $fsp->is_ip_address_throttled() ) {
+        $camptix->error_flag( 'ip_address_throttled' );
+    } else {
+        $fsp->add_score_to_ip_address( [ 0.1 ] );
+    }
+}
+
+/**
  * Modify the list of personal data eraser callbacks.
  *