Revert "Remove server rate limit code" (#55020)

rachmari · web-flow · commit c72141a48308 · 2025-03-26T22:13:46.000Z
diff --git a/src/shielding/lib/fastly-ips.ts b/src/shielding/lib/fastly-ips.ts
@@ -0,0 +1,81 @@
+// Logic to get and store the current list of public Fastly IPs from the Fastly API: https://www.fastly.com/documentation/reference/api/utils/public-ip-list/
+
+// Default returned from ➜ curl "https://api.fastly.com/public-ip-list"
+export const DEFAULT_FASTLY_IPS: string[] = [
+  '23.235.32.0/20',
+  '43.249.72.0/22',
+  '103.244.50.0/24',
+  '103.245.222.0/23',
+  '103.245.224.0/24',
+  '104.156.80.0/20',
+  '140.248.64.0/18',
+  '140.248.128.0/17',
+  '146.75.0.0/17',
+  '151.101.0.0/16',
+  '157.52.64.0/18',
+  '167.82.0.0/17',
+  '167.82.128.0/20',
+  '167.82.160.0/20',
+  '167.82.224.0/20',
+  '172.111.64.0/18',
+  '185.31.16.0/22',
+  '199.27.72.0/21',
+  '199.232.0.0/16',
+]
+
+let ipCache: string[] = []
+
+export async function getPublicFastlyIPs(): Promise<string[]> {
+  // Don't fetch the list in dev & testing, just use the defaults
+  if (process.env.NODE_ENV !== 'production') {
+    ipCache = DEFAULT_FASTLY_IPS
+  }
+
+  if (ipCache.length) {
+    return ipCache
+  }
+
+  const endpoint = 'https://api.fastly.com/public-ip-list'
+  let ips: string[] = []
+  let attempt = 0
+
+  while (attempt < 3) {
+    try {
+      const response = await fetch(endpoint)
+      if (!response.ok) {
+        throw new Error(`Failed to fetch: ${response.status}`)
+      }
+      const data = await response.json()
+      if (data && Array.isArray(data.addresses)) {
+        ips = data.addresses
+        break
+      } else {
+        throw new Error('Invalid response structure')
+      }
+    } catch (error: any) {
+      console.error(
+        `Failed to fetch Fastly IPs: ${error.message}. Retrying ${3 - attempt} more times`,
+      )
+      attempt++
+      if (attempt >= 3) {
+        ips = DEFAULT_FASTLY_IPS
+      }
+    }
+  }
+
+  ipCache = ips
+  return ips
+}
+
+// The IPs we check in the rate-limiter are in the form `X.X.X.X`
+// But the IPs returned from the Fastly API are in the form `X.X.X.X/Y`
+// For an IP in the rate-limiter, we want `X.X.X.*` to match `X.X.X.X/Y`
+export async function isFastlyIP(ip: string): Promise<boolean> {
+  // If IPs aren't initialized, fetch them
+  if (!ipCache.length) {
+    await getPublicFastlyIPs()
+  }
+  const parts = ip.split('.')
+  const prefix = parts.slice(0, 3).join('.')
+  return ipCache.some((fastlyIP) => fastlyIP.startsWith(prefix))
+}
diff --git a/src/shielding/middleware/index.ts b/src/shielding/middleware/index.ts
@@ -6,9 +6,11 @@ import handleOldNextDataPaths from './handle-old-next-data-paths'
 import handleInvalidQuerystringValues from './handle-invalid-query-string-values'
 import handleInvalidNextPaths from './handle-invalid-nextjs-paths'
 import handleInvalidHeaders from './handle-invalid-headers'
+import { createRateLimiter } from './rate-limit'
 
 const router = express.Router()
 
+router.use(createRateLimiter())
 router.use(handleInvalidQuerystrings)
 router.use(handleInvalidPaths)
 router.use(handleOldNextDataPaths)
diff --git a/src/shielding/middleware/rate-limit.ts b/src/shielding/middleware/rate-limit.ts
@@ -0,0 +1,168 @@
+import type { Request } from 'express'
+
+import rateLimit from 'express-rate-limit'
+
+import statsd from '@/observability/lib/statsd.js'
+import { noCacheControl } from '@/frame/middleware/cache-control.js'
+import { isFastlyIP } from '@/shielding/lib/fastly-ips'
+
+const EXPIRES_IN_AS_SECONDS = 60
+
+const MAX = process.env.RATE_LIMIT_MAX ? parseInt(process.env.RATE_LIMIT_MAX, 10) : 50
+if (isNaN(MAX)) {
+  throw new Error(`process.env.RATE_LIMIT_MAX (${process.env.RATE_LIMIT_MAX}) not a number`)
+}
+
+// We apply this rate limiter to _all_ routes in src/shielding/index.ts except for `/api/*` routes
+export function createRateLimiter(max = MAX, isAPILimiter = false) {
+  return rateLimit({
+    // 1 minute
+    windowMs: EXPIRES_IN_AS_SECONDS * 1000,
+    // limit each IP to X requests per windowMs
+    // We currently have about 12 instances in production. That's routed
+    // in Moda to spread the requests to each healthy instance.
+    // So, the true rate limit, per `windowMs`, is this number multiplied
+    // by the current number of instances.
+    max: max,
+
+    // Return rate limit info in the `RateLimit-*` headers
+    standardHeaders: true,
+    // Disable the `X-RateLimit-*` headers
+    legacyHeaders: false,
+
+    keyGenerator: (req) => {
+      return getClientIPFromReq(req)
+    },
+
+    skip: async (req) => {
+      const ip = getClientIPFromReq(req)
+      if (await isFastlyIP(ip)) {
+        return true
+      }
+      // IP is empty when we are in a non-production (not behind Fastly) environment
+      // In these environments, we don't want to rate limit (including tests)
+      // However, if you want to test rate limiting locally, you can manually set
+      // the `fastly-client-ip` header to your IP address to bypass this check set the
+      if (ip === '') {
+        return true
+      }
+
+      // We handle /api/* routes with a separate rate limiter
+      // When it is a separate rate limiter, isAPILimiter will be passed as true
+      if (req.path.startsWith('/api/') || isAPILimiter) {
+        return false
+      }
+
+      // If the request is not suspicious, don't rate limit it
+      if (!isSuspiciousRequest(req)) {
+        return true
+      }
+
+      // At this point, a request is suspicious. We want to track how many are in datadog
+      const tags = [`url:${req.url}`, `ip:${ip}`, `path:${req.path}`, `qs:${req.url.split('?')[1]}`]
+      statsd.increment('middleware.rate_limit_dont_skip', 1, tags)
+
+      return false
+    },
+
+    handler: (req, res, next, options) => {
+      const tags = [`url:${req.url}`, `ip:${req.ip}`, `path:${req.path}`]
+      statsd.increment('middleware.rate_limit', 1, tags)
+      noCacheControl(res)
+      res.status(options.statusCode).send(options.message)
+    },
+
+    // Temporary so that we can see what is coming from Fastly v app level
+    statusCode: 418, // "i'm a teapot"
+  })
+}
+
+function getClientIPFromReq(req: Request) {
+  // Moda forwards the client's IP using the `fastly-client-ip` header.
+  // However, in non-fastly environments, this header is not present.
+  // Staging is behind Okta, so we don't need to rate limit there.
+  let ip = req?.headers?.['fastly-client-ip'] || ''
+  // This is to satisfy TypeScript since a header could be a string array, but fastly-client-ip is not
+  if (typeof ip !== 'string') {
+    ip = ''
+  }
+  return ip
+}
+
+const RECOGNIZED_KEYS_BY_PREFIX = {
+  '/_next/data/': ['versionId', 'productId', 'restPage', 'apiVersion', 'category', 'subcategory'],
+  '/api/search': ['query', 'language', 'version', 'page', 'product', 'autocomplete', 'limit'],
+  '/api/anchor-redirect': ['hash', 'path'],
+  '/api/webhooks': ['category', 'version'],
+  '/api/pageinfo': ['pathname'],
+}
+
+const RECOGNIZED_KEYS = {
+  search: ['query', 'page'],
+}
+
+const MISC_KEYS = [
+  // Learning track pages
+  'learn',
+  'learnProduct',
+
+  // Platform picker
+  'platform',
+
+  // Tool picker
+  'tool',
+
+  // When apiVersion isn't the only one. E.g. ?apiVersion=XXX&tool=vscode
+  'apiVersion',
+
+  // Lowercase for rest pages
+  'apiversion',
+
+  // We use the query param "feature" to enable experiments in the browser
+  'feature',
+]
+
+/**
+ * Return true if the request looks like a DoS request. I.e. suspicious.
+ *
+ * We've seen lots of requests slip past the CDN and its edge rate limiter
+ * that clearly are not realistic URLs that you'd get in a browser.
+ * For example `?action=octrh&api=h9vcd&immagine=jzs3c&lang=xb0kp&m=rrmek`
+ * There are certain URLs that have query strings that are valid, but
+ * have one more query string keys. In particular the `/api/..` endpoints.
+ *
+ * Remember, just because this function might return true, it doesn't mean
+ * the request will be rate limited. It has to be both suspicious AND
+ * have lots and lots of requests.
+ *
+ * @param {Request} req
+ * @returns boolean
+ */
+function isSuspiciousRequest(req: Request) {
+  const keys = Object.keys(req.query)
+
+  // Since this function can only speculate by query strings (at the
+  // moment), if the URL doesn't have any query strings it's not suspicious.
+  if (!keys.length) {
+    return false
+  }
+
+  // E.g. `/en/rest/actions?apiVersion=YYYY-MM-DD`
+  if (keys.length === 1 && keys[0] === 'apiVersion') return false
+
+  // Now check what query string keys are *left* based on a list of
+  // recognized keys per different prefixes.
+  for (const [prefix, recognizedKeys] of Object.entries(RECOGNIZED_KEYS_BY_PREFIX)) {
+    if (req.path.startsWith(prefix)) {
+      return keys.filter((key) => !recognizedKeys.includes(key)).length > 0
+    }
+  }
+
+  // E.g. `/fr/search?query=foo
+  if (req.path.split('/')[2] === 'search') {
+    return keys.filter((key) => !RECOGNIZED_KEYS.search.includes(key)).length > 0
+  }
+
+  const unrecognizedKeys = keys.filter((key) => !MISC_KEYS.includes(key))
+  return unrecognizedKeys.length > 0
+}
diff --git a/src/shielding/tests/shielding.ts b/src/shielding/tests/shielding.ts
@@ -2,6 +2,7 @@ import { describe, expect, test } from 'vitest'
 
 import { SURROGATE_ENUMS } from '@/frame/middleware/set-fastly-surrogate-key.js'
 import { get } from '@/tests/helpers/e2etest.js'
+import { DEFAULT_FASTLY_IPS } from '@/shielding/lib/fastly-ips'
 
 describe('honeypotting', () => {
   test('any GET with survey-vote and survey-token query strings is 400', async () => {
@@ -94,6 +95,73 @@ describe('index.md and .md suffixes', () => {
   })
 })
 
+describe('rate limiting', () => {
+  // We can't actually trigger a full rate limit because
+  // then all other tests will all fail. And we can't rely on this
+  // test always being run last.
+
+  test('only happens if you have junk query strings', async () => {
+    const res = await get('/robots.txt?foo=bar', {
+      headers: {
+        // Rate limiting only happens in production, so we need to
+        // make the environment look like production.
+        'fastly-client-ip': 'abc',
+      },
+    })
+    expect(res.statusCode).toBe(200)
+    const limit = parseInt(res.headers['ratelimit-limit'])
+    const remaining = parseInt(res.headers['ratelimit-remaining'])
+    expect(limit).toBeGreaterThan(0)
+    expect(remaining).toBeLessThan(limit)
+
+    // A second request
+    {
+      const res = await get('/robots.txt?foo=buzz', {
+        headers: {
+          'fastly-client-ip': 'abc',
+        },
+      })
+      expect(res.statusCode).toBe(200)
+      const newLimit = parseInt(res.headers['ratelimit-limit'])
+      const newRemaining = parseInt(res.headers['ratelimit-remaining'])
+      expect(newLimit).toBe(limit)
+      // Can't rely on `newRemaining == remaining - 1` because of
+      // concurrency of test-running.
+      expect(newRemaining).toBeLessThan(remaining)
+    }
+  })
+
+  test('nothing happens if no unrecognized query string', async () => {
+    const res = await get('/robots.txt')
+    expect(res.statusCode).toBe(200)
+    expect(res.headers['ratelimit-limit']).toBeUndefined()
+    expect(res.headers['ratelimit-remaining']).toBeUndefined()
+  })
+
+  test('Fastly IPs are not rate limited', async () => {
+    // Fastly IPs are in the form `X.X.X.X/Y`
+    // Rate limited IPs are in the form `X.X.X.X`
+    // Where the last X could be any 2-3 digit number
+    const mockFastlyIP =
+      DEFAULT_FASTLY_IPS[0].split('.').slice(0, 3).join('.') + `.${Math.floor(Math.random() * 100)}`
+    // Cookies only allows 1 request per minute
+    const res1 = await get('/api/cookies', {
+      headers: {
+        'fastly-client-ip': mockFastlyIP,
+      },
+    })
+    expect(res1.statusCode).toBe(200)
+
+    // A second request shouldn't be rate limited because it's from a Fastly IP
+    const res2 = await get('/api/cookies', {
+      headers: {
+        'fastly-client-ip': mockFastlyIP,
+      },
+    })
+    expect(res2.statusCode).toBe(200)
+  })
+})
+
 describe('404 pages and their content-type', () => {
   const exampleNonLanguage404plain = ['/_next/image/foo']
   test.each(exampleNonLanguage404plain)(
