SECURITY: add rate limiting to anon JS error reporting

SECURITY: add rate limiting to anon JS error reporting

This adds a one-minute rate limit per IP to all JS error reporting. Previously only the global rate limit applied.

This also introduces DISCOURSE_ENABLE_JS_ERROR_REPORTING, if it is set to false then no JS error reporting will be allowed on the site.

diff --git a/Gemfile.lock b/Gemfile.lock
index 228da02..4732569 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -169,7 +169,7 @@ GEM
     logstash-event (1.2.02)
     logstash-logger (0.26.1)
       logstash-event (~> 1.2)
-    logster (2.3.1)
+    logster (2.3.2)
     loofah (2.2.3)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
diff --git a/app/assets/javascripts/preload-application-data.js.no-module.es6 b/app/assets/javascripts/preload-application-data.js.no-module.es6
index fd22628..f78ea11 100644
--- a/app/assets/javascripts/preload-application-data.js.no-module.es6
+++ b/app/assets/javascripts/preload-application-data.js.no-module.es6
@@ -12,6 +12,9 @@
 
   var setupData = document.getElementById("data-discourse-setup").dataset;
 
+  window.Logster = window.Logster || {};
+  window.Logster.enabled = setupData.enableJsErrorReporting === "true";
+
   Discourse.CDN = setupData.cdn;
   Discourse.BaseUrl = setupData.baseUrl;
   Discourse.BaseUri = setupData.baseUri;
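Review bot: `window.Logster.enabled` is a client-side switch only — a client that ignores it can still post to the report endpoint, so the authoritative gate is the server-side `Logster.config.enable_js_error_reporting` set in config/initializers/100-logster.rb, and this flag should be documented as advisory. The `=== "true"` comparison also makes the contract with the data attribute added in app/helpers/application_helper.rb a string one: any value that does not stringify to exactly `true` (a missing attribute, or an env override that GlobalSetting does not coerce to a boolean — its parsing is not visible here) silently disables reporting, which fails closed but is easy to mistake for a bug. I would add `// advisory only: the server rejects reports independently when DISCOURSE_ENABLE_JS_ERROR_REPORTING is false` above the assignment. The enclosing function starts and ends outside the hunk.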
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 9b5337e..a440e72 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -475,6 +475,7 @@ module ApplicationHelper
       disable_custom_css: loading_admin?,
       highlight_js_path: HighlightJs.path,
       svg_sprite_path: SvgSprite.path(theme_ids),
+      enable_js_error_reporting: GlobalSetting.enable_js_error_reporting,
     }
 
     if Rails.env.development?
diff --git a/config/discourse_defaults.conf b/config/discourse_defaults.conf
index dd4587a..c3fc12d 100644
--- a/config/discourse_defaults.conf
+++ b/config/discourse_defaults.conf
@@ -256,3 +256,6 @@ maxmind_backup_path =
 # X-Queue-Time: 1.01
 enable_performance_http_headers = false
 
+# gather JavaScript errors from clients (rate limited to 1 error per IP per minute)
+enable_js_error_reporting = true
+
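Review bot: The comment on the new setting describes the rate limit but not what setting the value to false does, which is the part an operator reading this file needs; the limit itself is also not enforced anywhere in this diff (it presumably arrives with the logster 2.3.1 → 2.3.2 bump in Gemfile.lock), so the comment should not read as if this file controls it. I would reword it to `# gather JavaScript errors from clients; set to false to reject all client error reports (when enabled, reports are rate limited to 1 per IP per minute)`.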
diff --git a/config/initializers/100-logster.rb b/config/initializers/100-logster.rb
index 06e6ba6..9987369 100644
--- a/config/initializers/100-logster.rb
+++ b/config/initializers/100-logster.rb
@@ -104,6 +104,7 @@ Logster.config.subdirectory = "#{GlobalSetting.relative_url_root}/logs"
 
 Logster.config.application_version = Discourse.git_version
 Logster.config.enable_custom_patterns_via_ui = true
+Logster.config.enable_js_error_reporting = GlobalSetting.enable_js_error_reporting
 
 store = Logster.store
 redis = Logster.store.redis
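Review bot: This line is the only server-side enforcement of the new setting in the diff, and nothing on the page shows what Logster does with it or where the per-IP limit lives — both appear to come from the logster 2.3.1 → 2.3.2 bump in Gemfile.lock, so the repository has no test of its own that a disabled site actually rejects client reports. A one-line comment would make the intent explicit: `# Server-side gate for client error reports; the matching window.Logster.enabled flag only stops well-behaved browsers from sending.` A request spec that sets the global setting to false and asserts the report endpoint refuses would pin the behaviour against future gem upgrades.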

GitHub sha: 8db38de9
