Severity: HIGH
Summary
The TOTP brute-force rate limiter in openssl_encrypt_server/modules/pepper/totp.py at lines 47-98 uses an in-memory defaultdict(list) as a class variable.
Affected Code
class TOTPRateLimiter:
def __init__(self, ...):
self.attempts: Dict[str, List[datetime]] = defaultdict(list)
self.lockouts: Dict[str, datetime] = {}
class TOTPService:
_rate_limiter = TOTPRateLimiter() # Class variable, in-memory onlyImpact
- Rate limit state is not shared across multiple server instances/workers — an attacker can distribute attempts
- All rate limit state is lost on server restart — allows immediate retry
- In multi-worker deployments, each worker has independent rate limit state
Recommended Fix
- Use Redis or the database for rate limit state storage
- Or use a shared-memory approach for multi-worker deployments
- At minimum, persist lockout state to survive restarts
Fix
Fixed in commit 2749bc0 on branch releases/1.4.x — added abstract RateLimitBackend with InMemoryBackend and DatabaseBackend implementations; defaults to DatabaseBackend when DB available.
References
Severity: HIGH
Summary
The TOTP brute-force rate limiter in
openssl_encrypt_server/modules/pepper/totp.pyat lines 47-98 uses an in-memorydefaultdict(list)as a class variable.Affected Code
Impact
Recommended Fix
Fix
Fixed in commit
2749bc0on branchreleases/1.4.x— added abstract RateLimitBackend with InMemoryBackend and DatabaseBackend implementations; defaults to DatabaseBackend when DB available.References