Skip to content

fix: add rate limiting to download counter to prevent inflation #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
orlyjamie wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: add rate limiting to download counter to prevent inflation #40

orlyjamie wants to merge 1 commit into from
+35 −2

Conversation

@orlyjamie
Copy link
Contributor

@orlyjamie orlyjamie commented Jan 26, 2026
edited
Loading

Summary

  • Add IP-based rate limiting (5 downloads per skill per IP per hour) to prevent download count inflation
  • Only trust cf-connecting-ip header - x-forwarded-for is trivially spoofable
  • Still serve files to rate-limited users, just don't count inflated downloads

The Vulnerability

The download endpoint at convex/downloads.ts:56 incremented download counts with no rate limiting. An
attacker could inflate any skill's download count by:

  for i in {1..1000}; do                                                                                      
    curl -H "X-Forwarded-For: 1.2.3.$i" \                                                                     
      "https://api.clawdhub.com/download?slug=target-skill" -o /dev/null                                      
  done

Important Note

Download counts are fundamentally gameable as trust metrics because downloads are anonymous. Even with
rate limiting, attackers can use proxies/VPNs/Tor.

Recommendation: De-emphasize downloads in the UI. Stars and installs are better trust signals because they
require authenticated sessions.

Reference: https://x.com/theonejvo/status/2015892980851474595
@orlyjamie
fix: add rate limiting to download counter to prevent inflation
d4d51cb 
Downloads can be trivially inflated by spamming the endpoint with spoofed
X-Forwarded-For headers. This PR adds defense-in-depth measures:

- Rate limit: 5 downloads per skill per IP per hour
- Only trust cf-connecting-ip header (x-forwarded-for is spoofable)
- Still serve the file even if rate limited, just don't count it

NOTE: Download counts are fundamentally ungameable as trust metrics because
they're anonymous. Even with rate limiting, attackers can use proxies/VPNs.
Consider de-emphasizing downloads in the UI in favor of stars and installs
which require authenticated sessions.

Related: httpApiV1.ts:getClientIp() also trusts x-forwarded-for and should
be audited for similar issues.
@vercel
Copy link
Contributor

vercel bot commented Jan 26, 2026

@orlyjamie is attempting to deploy a commit to the Amantus Machina Team on Vercel.

A member of the Team first needs to authorize it.
@orlyjamie
Copy link
Contributor Author

orlyjamie commented Jan 26, 2026

image
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant

@orlyjamie