mirror of https://github.com/interlegis/sapl.git
Tree: f520c11be3
2756-status-materia-pauta
2989-adicionado-presenca-em-reunioes-3.1.x
3.1.162-patch
3.1.x
3007-Adcionando-mudança-de-apresentaçã0-de-oradores-painel
3058-refatorar-tela-composicao-de-comissao-para-vue
3217-registro-numeracao
3268-result-votacao
3279-leitura-em-bloco
3299-orderby-explicito
3828_refatorar_mesa_diretora
AlertaSonoroPainel
MateriaDiscussao
OsTicket_#635416
Reuniao_frente_3364
StringsNaoFormatadas
Websocket_painel
adicionar-cron-job
bump_django
centraliza_resultado
configuracao_impressao
cron-update-solr-index
deduplica_comissao
dependabot/npm_and_yarn/diff-8.0.3
dependabot/npm_and_yarn/js-yaml-4.1.1
dependabot/npm_and_yarn/lodash-4.17.23
dependabot/npm_and_yarn/multi-c8afcbbcd8
dependabot/npm_and_yarn/node-forge-1.3.2
dependabot/pip/requirements/django-4.2.26
dependabot/pip/requirements/weasyprint-68.0
django-celery
faceted-search-2
file-metafields
fixes_protocolo_materia
form-appconfig
frontend_assets
impressao-materia-tramitacao
insere_ano_numeracao_audiencia_publica
issue#3396
issue#3438
js-update
legislatura-fevereiro
master
merged-migrations-2021
mesa-vuejs
migracao
performance-relatorios
pesquisar-auditlog
rate-limiter-2026
refatora-relatorio-tramitacao
refatora-relatorios-pauta-sessao
sapl-logs
script-comissao
script-migracao-norma-materia
situacao-pauta
tela-config-relatorio
tipo-proposicao
upgrade-sapl
upgrade-sapl-sync-2026-02-25
valida-html
vuejs_painel
3.1.0-BETA
3.1.0-alpha
3.1.1-BETA
3.1.1-alpha
3.1.10-BETA
3.1.100
3.1.101
3.1.102
3.1.103
3.1.104
3.1.105
3.1.106
3.1.107
3.1.108
3.1.109
3.1.11-BETA
3.1.110
3.1.111
3.1.112
3.1.113
3.1.113-ALPHA
3.1.114
3.1.115
3.1.116
3.1.117
3.1.118
3.1.119
3.1.12-BETA
3.1.120
3.1.121
3.1.122
3.1.123
3.1.124
3.1.125
3.1.126
3.1.127
3.1.128
3.1.129
3.1.13-BETA
3.1.130
3.1.131
3.1.132
3.1.133
3.1.134
3.1.135
3.1.136
3.1.137
3.1.138
3.1.139
3.1.14-BETA
3.1.140
3.1.141
3.1.142
3.1.143
3.1.144
3.1.145
3.1.146
3.1.147
3.1.148
3.1.149
3.1.15-BETA
3.1.150
3.1.151
3.1.152
3.1.153
3.1.154
3.1.155
3.1.156
3.1.157
3.1.157-RC0
3.1.157-RC1
3.1.157-RC2
3.1.157-RC3
3.1.157-RC4
3.1.157-RC5
3.1.158
3.1.159
3.1.159-RC0
3.1.159-RC1
3.1.159-RC2
3.1.159-RC3
3.1.16-BETA
3.1.160
3.1.160-RC0
3.1.160-RC1
3.1.160-RC10
3.1.160-RC11
3.1.160-RC12
3.1.160-RC13
3.1.160-RC14
3.1.160-RC15
3.1.160-RC2
3.1.160-RC4
3.1.160-RC5
3.1.160-RC6
3.1.160-RC7
3.1.160-RC8
3.1.160-RC9
3.1.161
3.1.161-RC0
3.1.161-RC1
3.1.161-RC10
3.1.161-RC11
3.1.161-RC12
3.1.161-RC13
3.1.161-RC14
3.1.161-RC15
3.1.161-RC16
3.1.161-RC17
3.1.161-RC18
3.1.161-RC19
3.1.161-RC2
3.1.161-RC20
3.1.161-RC3
3.1.161-RC4
3.1.161-RC5
3.1.161-RC6
3.1.161-RC7
3.1.161-RC8
3.1.161-RC9
3.1.162
3.1.162-RC0
3.1.162-RC1
3.1.162-RC10
3.1.162-RC11
3.1.162-RC12
3.1.162-RC13
3.1.162-RC14
3.1.162-RC15
3.1.162-RC16
3.1.162-RC17
3.1.162-RC18
3.1.162-RC19
3.1.162-RC2
3.1.162-RC20
3.1.162-RC3
3.1.162-RC4
3.1.162-RC5
3.1.162-RC6
3.1.162-RC7
3.1.162-RC8
3.1.162-RC9
3.1.163
3.1.163-RC1
3.1.163-RC10
3.1.163-RC11
3.1.163-RC12
3.1.163-RC13
3.1.163-RC14
3.1.163-RC15
3.1.163-RC16
3.1.163-RC17
3.1.163-RC18
3.1.163-RC19
3.1.163-RC2
3.1.163-RC20
3.1.163-RC21
3.1.163-RC22
3.1.163-RC23
3.1.163-RC24
3.1.163-RC3
3.1.163-RC4
3.1.163-RC5
3.1.163-RC6
3.1.163-RC7
3.1.163-RC8
3.1.163-RC9
3.1.164-RC0
3.1.164-RC1
3.1.164-RC2
3.1.164-RC2-test
3.1.164-RC3
3.1.164-RC4
3.1.164-RC5
3.1.164-alpha
3.1.165-RC0
3.1.165-RC1
3.1.165-RC2
3.1.17-BETA
3.1.18-BETA
3.1.19-BETA
3.1.2-BETA
3.1.20-BETA
3.1.21-BETA
3.1.22-BETA
3.1.23-BETA
3.1.24-BETA
3.1.25-BETA
3.1.26-BETA
3.1.27-BETA
3.1.28-BETA
3.1.29-BETA
3.1.3-BETA
3.1.30-BETA
3.1.31-BETA
3.1.32-BETA
3.1.33-BETA
3.1.34-BETA
3.1.35-BETA
3.1.36-BETA
3.1.37-BETA
3.1.38-BETA
3.1.39-BETA
3.1.4-BETA
3.1.40-BETA
3.1.41-BETA
3.1.42-BETA
3.1.43-BETA
3.1.44-BETA
3.1.45
3.1.46
3.1.47
3.1.48
3.1.49
3.1.5-BETA
3.1.50
3.1.51
3.1.52
3.1.53
3.1.54
3.1.55
3.1.56
3.1.57
3.1.58
3.1.59
3.1.6-BETA
3.1.60
3.1.61
3.1.62
3.1.63
3.1.64
3.1.65
3.1.66
3.1.67
3.1.68
3.1.69
3.1.7-BETA
3.1.70
3.1.71
3.1.72
3.1.73
3.1.74
3.1.75
3.1.76
3.1.77
3.1.78
3.1.79
3.1.8-BETA
3.1.80
3.1.81
3.1.82
3.1.83
3.1.84
3.1.85
3.1.86
3.1.87
3.1.88
3.1.89
3.1.9-BETA
3.1.90
3.1.91
3.1.92
3.1.93
3.1.94
3.1.95
3.1.96
3.1.97
3.1.98
3.1.99
7 Commits (f520c11be3765ea560f5fdca0aa0ea8a30636b64)

f520c11be3 (1 week ago)
Add painel/dados bypass, Django block metrics, and layer tracking in logs
- nginx: exempt /painel/<pk>/dados from rate limiting (polling endpoint,
  will become WebSocket); dedicated location block with no limit_req
- ratelimit.py: bypass RATE_LIMIT_BYPASS_PATHS paths before _evaluate;
  add layer=django to block log; increment daily Redis metrics counter
  rl:metrics:{ns}:{date}:blocked:{reason} (TTL 8 days) on every block
- ratelimit.py: add quiltbot and AwarioBot to BOT_UA_FRAGMENTS
- ratelimit.py: fix _is_suspicious_headers to require missing UA before blocking
- settings: add RATE_LIMIT_BYPASS_PATHS with /painel/<pk>/dados pattern
- plan: extend UA blocklist SADD seed command with missing bot tokens
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

e6dff2bc00 (2 weeks ago)
Fix Redis configmap inline comment, clean cache key format, add blocked-IP scan to plan
- redis-configmap: move inline comment to its own line (Redis fatal parse error)
- settings: add CACHE_MIDDLEWARE_KEY_PREFIX='p' to remove double-dot in cache_page keys
- settings: monkey-patch _i18n_cache_key_suffix to strip pt-br/timezone suffix from keys
- ratelimit.py, settings: update example namespace from patobranco-pr to sapl31demo-df
- robots.txt: add AwarioSmartBot block
- plan: add rl:ip:*:blocked scan commands with TTL/value output
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ff8eaf171d (2 weeks ago)
Rename nginx internal media path and simplify file serving in views
Renames /private/media/ to /internal/media/ in nginx and serve_media(). Adds Content-Type and Content-Disposition to the X-Accel-Redirect response. Replaces manual file reads in proposicao_texto and doc_texto_integral with redirects to the media URL, removing the unused get_mime_type_from_file_extension helper.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

f838a71d05 (2 weeks ago)
Fix norma etag field and media private path
- _norma_last_modified: use ultima_edicao instead of data_ultima_atualizacao
- serve_media: gate on sapl/private/ instead of documentos_privados/
- plan: update norma freshness field reference
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

a9416f5ad2 (2 weeks ago)
Phase 7: HTTP conditional requests, static caching, nginx cleanup
- ConditionalGetMiddleware added to MIDDLEWARE (ETag/304 for all views)
- @condition(etag_func, last_modified_func) on MateriaLegislativa and NormaJuridica detail views — skips view execution on cache hit via data_ultima_atualizacao (auto_now=True) as freshness signal
- nginx /static/: expires 90m + Cache-Control public, max-age=5400
- nginx: removed upload-endpoint special-casing (location ~* ^/(protocoloadm/criar-protocolo|...))
- plan/RATE-LIMITER-PLAN.md updated to reflect all Phase 7 changes
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

c5eea025ab (3 weeks ago)
Phase 6: scanner probe blocking, plan consolidation, and flow diagram
Code:
- Block IPs dynamically on scanner extension probes (.php, .asp, .aspx,
  .jsp, .cgi, .env) — writes rl:ip:{ip}:blocked on first hit; subsequent
  requests short-circuit at check 2 with zero counting overhead
- Add RATE_LIMIT_SCANNER_EXTENSIONS setting (space-separated, env-overridable)
- Import os in ratelimit.py for os.path.splitext
Plan (RATE_LIMITER_PLAN.md → RATE-LIMITER-PLAN.md):
- Rename to kebab-case for consistency with rate-limiter-v2.md
- Merge missing content from rate-limiter-v2.md: context & problem statement,
  component diagram (DB0/DB1 split), decision log, Gunicorn tuning, nginx
  real-IP fixes, upload settings, N+1 fix (synced to actual implementation),
  enforcement graduation order, decorator migration table, file serving
  decision matrix, dynamic page caching guidelines, open questions
- Add Mermaid decision flow diagram for RateLimitMiddleware._evaluate()
- Add rationale section for rl:{ns}:ip:{ip}:w:{bucket} namespace scoping
  (5 arguments covering attack pattern match, gaming resistance, key
  orthogonality, multi-portal fairness, and isolation contract)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

64c9b241fa (3 weeks ago)
Phase 5: X-Accel-Redirect for /media/, UA Redis deny list, per-path counters
nginx:
- /media/ proxied through Gunicorn (sapl_general rate limit) instead of direct alias — Django middleware now runs on every media request
- /_accel/media/ internal location serves file bytes via X-Accel-Redirect
sapl/base/media.py (new):
- serve_media() gate: path traversal guard, auth redirect for documentos_privados/, per-path Redis counter, content-type metadata cache, X-Accel-Redirect response; falls back to Django serve() in DEBUG
sapl/middleware/ratelimit.py:
- RL_PATH_REQUESTS, RL_UA_BLOCKLIST, FILE_META_KEY constants
- _incr_with_ttl() extracted to module level (reused by media.py)
- Runtime UA deny list: _refresh_ua_blocklist() fetches rl:bot:ua:blocked SET from Redis (SMEMBERS, cached per worker, TTL=RATE_LIMITER_UA_BLOCKLIST_REFRESH); _is_redis_blocked_ua() tokenises UA and checks sha256 of each token
sapl/settings.py:
- RATE_LIMITER_UA_BLOCKLIST_REFRESH, MEDIA_PATH_COUNTER_TTL, MEDIA_FILE_CACHE_TTL added (all env-tunable via config())
plan/RATE_LIMITER_PLAN.md:
- Key schema table updated; media file serving section added; decision flow documented; UA deny list seed section expanded
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>