fleet/changes
Lucas Manuel Rodriguez d67fd73611
New rate limit algorithm for Fleet Desktop endpoints (#33344)
Resolves #31890

This new approach allows up to 1000 consecutive failing requests per
minute.
If the threshold of 1000 consecutive failures is reached for an IP, then
we ban requests (return 429) from that IP for a duration of 1 minute.
(Any successful request for an IP clears the count.)

This supports the scenario where all hosts are behind a NAT (same IP)
AND still provides protection against brute force attacks (attackers can
only probe 1k requests per minute).

This approach was discussed in Slack with @rfairburn:
https://fleetdm.slack.com/archives/C051QJU3D0V/p1755625131298319?thread_ts=1755101701.844249&cid=C051QJU3D0V.

- [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [X] Added/updated automated tests
- [X] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [X] QA'd all new/changed functionality manually


## Summary by CodeRabbit

- New Features
  - Introduced IP-based rate limiting for Fleet Desktop endpoints to better support many hosts behind a single public IP (NAT). Requests from abusive IPs may be temporarily blocked, returning 429 Too Many Requests with a retry-after hint.
- Documentation
  - Added README for a new desktop rate-limit tester, describing usage and expected behavior.
- Tests
  - Added integration tests covering desktop endpoint rate limiting and Redis-backed banning logic.
- Chores
  - Added a command-line tool to stress-test desktop endpoints and verify rate limiting behavior.

2025-09-26 15:03:50 -03:00
31565-fix-fleetd-version-linx Fix reported fleetd version on Software tab for Linux hosts. (#33438) 2025-09-25 12:58:14 -04:00
.keep Issue 1009 calculate diff software (#1305) 2021-07-08 13:57:43 -03:00
1812-aws-rds-iam-auth Feat 1817 add iam auth to mysql and redis (#32488) 2025-09-04 10:08:47 -05:00
4498-return-empty-software 4498 empty software (#31940) 2025-08-19 10:38:53 -04:00
25025-dedup-vuln-count Fleet UI: Fix vulns from being counted multiple times in vuln count (#32044) 2025-08-18 17:09:44 -04:00
25403-update-end-user-migration-preview Replace old end user migration gif with updated video (#32971) 2025-09-16 15:11:05 +03:00
25557-android-profiles Feature branch for Android config profiles (#32976) 2025-09-22 11:29:57 -04:00
25700-linux-encryption-modal-copy Update copy in Linux escrow modal (#32742) 2025-09-11 15:24:32 -05:00
26688-error-on-signed-profiles Error on signed configuration profiles (#33341) 2025-09-25 14:50:48 +03:00
27876-host-details-labels Fix long label truncation on the host details page (#33451) 2025-09-25 13:39:26 -07:00
28152-windows-setup-experience-software UI: Windows setup experience > install software (#32934) 2025-09-16 10:12:25 -07:00
28503-validate-manual-agent-install Add new datastore method, validate when setting manual agent install (#32815) 2025-09-18 13:03:51 -04:00
28642-deadlocks-during-gitops-run Refactor ApplyQueries to improve performance (#32394) 2025-09-03 12:54:02 -04:00
28974-add-hydrant-and-request-cert-api Hydrant CA Feature Branch (#31807) 2025-09-04 12:39:41 -04:00
29053-sw-names-on-ingest Software ingestion fixes (#33399) 2025-09-24 17:38:13 -05:00
29650-turn-off-mdm-on-device-token-inactive-refetcher Check for device token inactive error in refetcher and turn off MDM (#33027) 2025-09-18 09:58:31 +03:00
29721-labels-page UI: Labels page (#33079) 2025-09-18 09:38:45 -07:00
29795-deleted-policies-still-showing Refactor failing policies total on Host endpoint (#31906) 2025-08-19 13:39:32 -04:00
29894-fix-deb-auto-install-query Don't pass the default deb auto-install policy if install status is e.g. uninstalled (#32005) 2025-08-18 17:37:06 -05:00
29909-yara-rules-performance Improved performance when modifying config with a large number of yara rules (#32696) 2025-09-08 10:24:22 -05:00
30095-gitops Apply relevant cleanup suggested by CodeRabbit in #32245 for GitOps update work (#32482) 2025-09-03 13:52:25 -05:00
30166-inconsistent-spacing-os-settings-cards-headers fix inconsistent header spacing by using section header (#33095) 2025-09-23 09:55:11 +03:00
30238-add-open-instructions-for-apps-programs Fleet UI: Add self-service opening instructions to apps and programs (#32169) 2025-08-26 11:02:30 -04:00
30242-ui-profile-uploaded-at UI: Show updated_at instead of created_at for profile upload time (#32679) 2025-09-10 10:49:20 -05:00
30403_fix_host_count_discrepancy #30403 Fix fleet installed host count discrepancy (#32455) 2025-09-02 15:05:42 -04:00
30691-fix-ace-editor-cursor Fix ace editor cursor issues on chromeos (#33478) 2025-09-25 12:21:49 -05:00
30779-extend-error-detection-cached-stms Extend error detection for cached statements (#33189) 2025-09-22 13:12:16 -04:00
30849-multipkg-gitops Support providing multiple packages per software package file in GitOps (#32503) 2025-09-05 08:38:00 -05:00
30854-fix-string-concat-in-sql-parser Allow string concat in LIKE op in query editor (#32254) 2025-08-26 14:08:49 -05:00
30888-add-smallstep-ca Add backend support for Smallstep CA (#32872) 2025-09-25 10:03:36 -05:00
30915-apple-profiles Add Read-only Transaction to fetch profiles to install and remove all at once (#32737) 2025-09-10 09:29:04 -04:00
31167-surface-user-scoped-profiles 31167: SUSP api (#32163) 2025-08-26 11:31:06 -04:00
31173-fix-policy-deadlocks Prevent deadlocks by adding FOR UPDATE locks (#32173) 2025-08-22 12:36:03 -05:00
31173-fix-policy-deadlocks-frontend When updating multiple policies in the UI, the policies are now updated in series to reduce server/DB load. (#32212) 2025-08-25 10:02:52 -05:00
31202-allow-special-chars-in-generated-gitops-files Allow emoji in team names (#32491) 2025-09-04 16:12:09 -05:00
31226-batch-script-run-detail-page UI: Batch script run detail page (#32333) 2025-08-29 09:37:05 -06:00
31267-no-team-automations Added Primo migration for failing policies automation. (#32515) 2025-09-04 10:12:27 -05:00
31286-package-upgrade-fix Updated changes file for #31286 per CS request (#32812) 2025-09-10 12:53:08 -05:00
31291-linux-lock-script On lock, drop GDM Ubuntu into text mode to work around blank/unresponsive screen. (#32100) 2025-08-21 13:55:00 -05:00
31297-installer-status-improvements Fleet UI: Surface timestamp VPP device user page, remove vpp acknowledged tooltip (#32732) 2025-09-08 14:14:52 -04:00
31318-sentinelone-pkg Add manual translation for com.sentinelone.SentinelAgent (#32936) 2025-09-12 17:15:58 -04:00
31343-blank-email-on-failed-login-activity Use proper prefix for user_failed_login activity (#32092) 2025-08-20 17:39:57 -04:00
31346-update-pww-policy-table-docs Update pwd_policy table docs (#33181) 2025-09-24 17:32:54 -05:00
31379-ui-issue-with-activity-feed Fixed UI issue in Dashboard page around Software card. (#32105) 2025-08-25 13:52:25 -04:00
31390-fix-certificate-ingest-parser fix certificate parser part 2 (#33152) 2025-09-23 16:12:11 +03:00
31432-live-query-campaigns Add CleanupCompletedCampaignTargets to cleanup old campaign targets. (#32385) 2025-08-28 11:04:05 -05:00
31474-remove-incorrect-cves #31474 MSRC has incorrectly named CVEs. This PR removes them from the generated file. (#31851) 2025-08-21 12:41:53 -04:00
31477-secrets-in-macos-profiles Fix GitOps dry run issue with validating profiles with secrets (#32104) 2025-08-22 09:37:12 -05:00
31536-add-script-host-results-api Add "batch script host results" API (#32174) 2025-08-27 16:39:43 -05:00
31580-duplicate-scripts Fixed error when updating a script to exactly match the contents of another script. (#32438) 2025-08-29 12:38:37 -05:00
31581-output-from-packages-only 31581 Fix packages_only flag to only show items with software_package (#32284) 2025-08-26 21:53:46 -04:00
31584-unenroll-personal-ios-devices UB: Unenroll personal iOS devices backend (#32845) 2025-09-15 09:08:22 +03:00
31601-remove-inaccurate-timestamp Fleet UI: Remove inaccurate updated never timestamp (#32425) 2025-08-29 11:08:04 -04:00
31700-fix-invalid-get-delete-request-bodies Correcting client to omit request body for GET and DELETE requests (#32881) 2025-09-11 16:18:17 -05:00
31721-missing-tar-summary-card Fleet UI: Re-add missing tarballs summary card (#32056) 2025-08-18 17:14:20 -04:00
31736-fleetctl-debug-binary-output Don't flood the terminal with binary output when downloading pkg (#32081) 2025-08-20 12:16:53 -04:00
31752-clicking-active-nav-causes-page-rerender Prevent full-page reloads when clicking some currently selected navbar links (#33500) 2025-09-26 08:51:04 -07:00
31755-disk-encryption-table-spacing Remove extra spacing from under disk encryption table (#32665) 2025-09-08 10:02:29 -04:00
31845-add-new-firefox-icon Replace Firefox icon with one from brand guidelines (#33066) 2025-09-19 14:01:37 +02:00
31850-retry-apple-vpp-api-timeout Bugfix: retry VPP assets API call on Apple timeout, until our own context hits its timeout (#33313) 2025-09-23 10:46:30 -04:00
31869-platform-compatibility-tooltip-delay UI: Add Tooltip show delay across app (#33091) 2025-09-18 09:42:30 -07:00
31876-update-password-validator Update password requirements check when setting up (#32261) 2025-08-26 16:59:05 -05:00
31890-rate-limit-fix New rate limit algorithm for Fleet Desktop endpoints (#33344) 2025-09-26 15:03:50 -03:00
31917-setup-experience-software-retries Added support for retry logic in setup experience software installations. (#32823) 2025-09-16 12:26:14 -05:00
31944-consistent-banner-link-colors Fleet UI: Consistent banner link colors (#32427) 2025-08-29 11:06:59 -04:00
31968-oval-false-positives Add false-positive filtering for OVAL scanning (#33357) 2025-09-25 16:28:27 -04:00
31969-python-rpm-duplicate-package Add RPM to duplicate python packages filter (#33009) 2025-09-18 10:23:21 -04:00
31974-userauthenticate Return 410 Gone to UserAuthenticate (#32354) 2025-09-16 16:04:05 -04:00
31989-firefox-esr-sw_edition-translation Add sw_edition to cpe db generation and cpe translations (#32879) 2025-09-17 11:30:49 -04:00
32014-allow-fleet-host-ids-in-gitops-labels Allow fleet host ID when specifying Gitops manual label hosts (#33078) 2025-09-22 13:54:30 -05:00
32016-make-eula-gitops-path-relative-to-yaml Bugfix: make EULA path in gitops relative to the YAML file (like other settings) (#33070) 2025-09-17 08:25:23 -04:00
32029-reconcile-android-profiles Feature branch for Android config profiles (#32976) 2025-09-22 11:29:57 -04:00
32037-linux-setup-experience UI: Linux setup experience - End user (#32639) 2025-09-05 15:53:01 -07:00
32040-linux-setup-experience-backend Update GET/PUT /api/_version_/fleet/setup_experience/software to match rest-api.md (#32673) 2025-09-05 18:01:00 -03:00
32067-nil-last-opened Change LastOpenedAt logging (#32767) 2025-09-09 13:47:58 -04:00
32103-show-certificates-true-total-count Show certificates actual total count in table (#32972) 2025-09-17 14:05:32 +03:00
32164-block-vpp-installs-on-personal-apple-devices Check enrollment type for mobile apple devices and block personal enrollments (#32844) 2025-09-11 16:02:18 +03:00
32208-fleetctl-preview-logging Stop showing debug logs during fleetctl preview, slight reformat (#33352) 2025-09-23 13:49:05 -04:00
32273-custom-settings-different-spacing Fixed inconsistent subtitle text style in Custom Settings (#32712) 2025-09-18 13:04:22 -04:00
32274-denylisted-error Downgrade "denylisted" error to warning (#32276) 2025-08-25 13:45:36 -05:00
32280-duplicate-desktop-osqueryd When building Linux and macOS fleetd packages, removed duplicate copies of osqueryd and fleet-desktop (#32697) 2025-09-09 17:13:30 -05:00
32283-adjust-log-level-for-windows-mdm-soap-faults Bugfix: Downgrade soap fault logging to info with soap_fault field (#33101) 2025-09-22 11:50:45 -04:00
32296-optimize-list-script-results Optimized GetHostScriptExecutionResults MySQL query for large numbers of script results. (#32595) 2025-09-04 15:48:18 -05:00
32313-otel-improvements OpenTelemetry minor improvements (#32324) 2025-08-28 19:32:46 -05:00
32331-otel-instrumentation Added OTEL support for cron jobs. (#33083) 2025-09-17 17:02:38 -05:00
32340-idp-label-fields-padding Improve the layout of the IdP-driven label form (#33092) 2025-09-17 14:18:22 -07:00
32379-vpp-table-edit-teams-not-blocked-in-gitops Block edit teams action in VPP table when in GitOps mode (#33345) 2025-09-25 14:45:27 +03:00
32419-fix-conditional-access-delete Fix conditional access deletion (#33481) 2025-09-26 13:02:52 -03:00
32420-entra-easy-to-understand-error-messages Add easy to understand errors when setting up Entra conditional access (#33453) 2025-09-25 22:52:28 -03:00
32478-fleetctl-gitops-globs-ignore-dry-run Do not allow positional arguments when running gitops (#32780) 2025-09-11 14:42:56 -04:00
32519-reconcile-android-profiles Feature branch for Android config profiles (#32976) 2025-09-22 11:29:57 -04:00
32542-windows-setup-experience Add support for Windows setup experience software (#33134) 2025-09-18 16:39:15 -03:00
32550-missing-ticket-options Fixed missing ticket integration options in Policies -> Other workflows modal for teams. (#32551) 2025-09-04 07:25:13 -05:00
32558-new-fma-omnissa Omnissa version fix (#32594) 2025-09-04 13:03:59 -04:00
32560-improve-batch-script-sorting Fix marking canceled batch scripts as finished (#32715) 2025-09-12 17:48:48 -05:00
32571-fix-gcs-support Fixing Google Cloud Storage (GCS) support (#32573) 2025-09-08 13:54:31 -03:00
32624-extra-space-on-DUP UI: Suppress empty element when no DUP banners present (#32627) 2025-09-05 11:34:51 -07:00
32630-add-border-around-empty-state add border to eua empty state (#33457) 2025-09-25 14:34:20 +03:00
32722-ui-smallstep Update UI for Smallstep CA feature (#33448) 2025-09-26 09:26:57 -05:00
32803-update-msg-delete-script-modal Updated message shown in the 'Delete Script' modal. (#33264) 2025-09-24 13:49:50 -04:00
32859-arch-linux-support Add initial Arch Linux support (#33096) 2025-09-18 18:55:31 -03:00
32862-arch-linux-software-ingestion Use new pacman table to ingest software from arch linux (#33238) 2025-09-23 10:28:32 -04:00
32924-align-policy-pass-fail-text-and-icons Make policy pass/fail icons and copy consistent across host details, my device, and manage policies tables (#32926) 2025-09-12 14:43:11 -07:00
32996-mdm-commands Fix bug in MDM command listing (#32992) 2025-09-15 15:12:03 -05:00
33147-increased-db-load Fixed MySQL DB performance regressions (#33184) 2025-09-19 15:35:05 -05:00
33244-query-param-required-mesage Use the query tag name instead of the field name (#33369) 2025-09-24 10:51:39 -04:00
33298-software-ingestion Software ingestion fixes (#33399) 2025-09-24 17:38:13 -05:00
308888-add-fullname-idp-fleet-variable Add full name IdP Fleet variable to Apple configuration profiles (#32246) 2025-08-26 17:55:58 +02:00
issue-24706-public-batch-modify-profiles create public endpoint for batch modify mdm config profiles (#32578) 2025-09-08 14:52:30 +01:00
issue-30944-integrate-cert-auth-api-frontend Hydrant CA Feature Branch (#31807) 2025-09-04 12:39:41 -04:00
issue-31166-add-user-icon-to-profiles add user scope icon to os profiles (#32647) 2025-09-05 14:53:39 +01:00
issue-32356-update-ui-android-user-card update host details and my device page to show users card for android devices (#32975) 2025-09-17 18:00:59 +01:00
jve-get-mdm-command-line-output Add --line flag to fleetctl get mdm-command-results (#31473) 2025-08-25 17:04:18 -04:00
private-key-secrets-manager Add support for reading private_key from AWS Secrets Manager (#31134) 2025-09-09 16:56:35 -05:00
update-go-1.25.1 Updated go to 1.25.1 (#32833) 2025-09-11 18:31:39 -05:00