generated from host-uk/core-template
Open
Labels: lang:php, PHP/Laravel
Description
While API endpoints have rate limiting configured, Livewire component methods performing sensitive operations do not.
Location
- File: src/View/Modal/Admin/Cache.php (clearCache, clearAll, etc.)
- File: src/View/Modal/Admin/Logs.php (clearLogs)
- File: src/View/Modal/Admin/Servers.php (testConnection, deleteServer)
- File: src/View/Modal/Admin/Database.php (executeQuery)
Issue
Boot.php configures rate limiters for the API endpoints:
- dev-cache-clear: 10/minute
- dev-logs: 30/minute
- dev-routes: 30/minute
However, Livewire components can be invoked directly via websocket/AJAX calls:
- Cache clear methods have no rate limiting
- Log clear has no rate limiting
- Server connection tests have no rate limiting
- Database queries have no rate limiting
A malicious user with Hades access could:
- Spam cache clears causing performance issues
- Flood database with queries
- DoS remote servers with connection tests
Recommendation
- Add rate limiting to Livewire methods using the RateLimiter facade
- Track rate limits per user session
- Consider using Livewire middleware or component traits for rate limiting
- Add cooldown periods after destructive actions
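An added example of the recommendation above (not the project's own code): a trait that throttles sensitive Livewire actions per authenticated user with Laravel's RateLimiter facade and adds a cooldown after a destructive action, shown on a sketch of the Cache component. The trait, its namespace, the error key and the component internals are assumptions; only the facade calls are Laravel's.

```php
<?php
// Hypothetical trait for Livewire components; limits are counted per user and
// per action, so one user cannot exhaust another user's budget.
namespace App\View\Concerns;

use Illuminate\Support\Facades\Artisan;
use Illuminate\Support\Facades\RateLimiter;
use Livewire\Component;

trait ThrottlesSensitiveActions
{
    /** True if the action may run now; otherwise attaches an error and returns false. */
    protected function throttle(string $action, int $maxAttempts, int $decaySeconds): bool
    {
        // Fall back to the client IP only for unauthenticated components.
        $subject = auth()->id() ?? request()->ip();
        $key = sprintf('livewire:%s:user:%s', $action, $subject);

        if (RateLimiter::tooManyAttempts($key, $maxAttempts)) {
            $this->addError($action, sprintf(
                'Too many attempts; try again in %d seconds.',
                RateLimiter::availableIn($key)
            ));
            return false;
        }

        RateLimiter::hit($key, $decaySeconds); // count this attempt, expires after $decaySeconds
        return true;
    }

    /** Cooldown: a destructive action may run at most once per $seconds. */
    protected function cooldown(string $action, int $seconds): bool
    {
        return $this->throttle($action . ':cooldown', 1, $seconds);
    }
}

// Sketch of how the admin Cache component could apply it (assumed structure).
class Cache extends Component
{
    use ThrottlesSensitiveActions;

    public function clearAll(): void
    {
        // Same 10/minute budget as the dev-cache-clear API limiter, plus a 30 s cooldown.
        if (! $this->throttle('cache-clear', 10, 60) || ! $this->cooldown('cache-clear-all', 30)) {
            return; // the error message is rendered by the component's view
        }
        Artisan::call('cache:clear');
    }
}
```

The same pair of calls can wrap executeQuery, clearLogs and testConnection with budgets matching their API counterparts.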
Severity
Medium - Could enable DoS attacks by authenticated users