From 2638ad056b5dd7667f11a9aeca49277e16a97517 Mon Sep 17 00:00:00 2001 From: Roman Date: Thu, 31 Jan 2019 12:32:48 +0700 Subject: [PATCH 1/2] Add note about possible race conditions There is an issue about possible race conditions opened more than 2 years ago https://github.com/AdamPflug/express-brute/issues/46 It should be noticed in readme on the top, so developers are aware of this. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index a78e960..0159524 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,8 @@ express-brute A brute-force protection middleware for express routes that rate-limits incoming requests, increasing the delay with each request in a fibonacci-like sequence. +Note, it uses get and set methods to count number of requests, so there may be race conditions on concurrent requests. + Installation ------------ via npm: From e5507bdfe5d194ee5314ac2d8db3dd1ffa67e1b8 Mon Sep 17 00:00:00 2001 From: Roman Date: Fri, 22 Feb 2019 11:32:27 +0700 Subject: [PATCH 2/2] Update README.md Clarify the note about race conditions vulnerability --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0159524..2a5733a 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ express-brute A brute-force protection middleware for express routes that rate-limits incoming requests, increasing the delay with each request in a fibonacci-like sequence. -Note, it uses get and set methods to count number of requests, so there may be race conditions on concurrent requests. +Note, it may be vulnerable to slow brute-force attaks. It uses not atomic increments to count number of requests, so there may be race conditions on concurrent requests. Installation ------------
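Review bot: in the PATCH 1/2 hunk, the added sentence "Note, it uses get and set methods to count number of requests, so there may be race conditions on concurrent requests." is a comma splice and leaves out the detail that would let a reader judge the impact; the commit message points at https://github.com/AdamPflug/express-brute/issues/46, but the README line does not, so readers cannot find the discussion. Suggest something like "Note: request counts are updated with separate get and set calls rather than an atomic increment, so concurrent requests can race and the counter can undercount; see https://github.com/AdamPflug/express-brute/issues/46." Keeping the blank line after the note is fine, since the next line is the "Installation" heading.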
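Review bot: in the PATCH 2/2 hunk, the replacement line has a spelling error ("attaks" should be "attacks") and ungrammatical wording ("It uses not atomic increments" should read "It does not use atomic increments"). The description also appears inconsistent with itself: it warns of "slow brute-force attacks" while attributing the problem to "race conditions on concurrent requests", and a race on concurrent requests is exercised by bursts of parallel requests, not by a slow trickle, so either the adjective should be dropped or the intended attack pattern explained. Suggested wording: "Note: this middleware may be vulnerable to brute-force attacks that send requests concurrently. It does not use atomic increments to count requests, so concurrent requests can race and some attempts may go uncounted."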