UKGovernmentBEIS / beis-report-official-development-assistance

98%

develop: 99%

LAST BUILD ON BRANCH 3020-prevent-brute-force-otp-attack

branch: 3020-prevent-brute-force-otp-attack

CHANGE BRANCH

x

Reset

• 3020-prevent-brute-force-otp-attack
• 1487-implementation-of-roda-email-notifications
• 2761-sourcemaps-for-js
• 2936-documentation
• 2965-clean-up-some-leftover-mentions-of-isfp-in-stealth-mode
• 2978-set-x-xss-protection-header-to-0
• 2985-flaky-spec-level-b-budget-comments
• 2990-delete-programmescontroller
• 2997-the-filename-of-the-csv-report
• 3000-application-health-check
• 3005-new-dsit-org-id
• 3005-support-parallel-service-owner-refs
• 3005-update-service-owner-org
• 3006-change-continuing-activities
• 3006-fix-list-of-noncontinuing-activities
• 3006-list-continuing-activities
• 3006-list-non-continuing-activities
• 3009-level-c-and-d-budgets-display-budgets-as-activity-budgets
• 3014-remove-the-odabulkupload-feature-flag
• 3019-change-what-identifier-is-used-as-iati-identifier-in-xmls
• 3021-get-rid-of-unauthorised-host-error
• 3036-remove-the-ad-hoc-exports
• 3049/data-migrate-organisation
• 3076-clear-deprecation-warnings
• 3096-fix-import-duplicate-countries
• 3099-upgrade-devise-two-factor-to-5x
• allow-editing-reportless-budget
• chore-lock-redis-version
• chore/3008-add-sap-tag
• chore/add-coveralls-to-updated-ci
• chore/developers-do-have-console
• chore/document-feature-flags
• chore/refactor-active-deactivated-scopes
• chore/remove-pry-fix
• chore/remove-unused-workflows
• chore/set-theme-colour
• chore/stop-compiling-assets-in-test
• chore/switch-to-zeitwerk
• chore/update-background-jobs-docs
• chore/update-ci-readme-badge
• chore/update-docs-to-include-region
• chore/update-factory-bot-rails
• chore/update-hosting-documentation
• chore/update-mailer-content
• chore/update-node-version
• chore/update-rails-6-1-7-10
• chore/update-readme-nov-24
• chore/update-readme-with-repo-access
• chore/update-redis-and-related
• chore/update-ruby-3.3.6
• chore/update-standard-ruby
• chore/upgrade-ruby
• chore/upgrade-to-rails-7.0
• chore/use-rails-6.1-defaults
• chore/zen-20045-change-100-po-ids
• chore/zen-20045-mk2-change-100-po-ids
• clean-up
• dependabot/bundler/actionmailer-6.1.7.9
• dependabot/bundler/actionpack-6.1.7.9
• dependabot/bundler/actiontext-6.1.7.9
• dependabot/bundler/activerecord-8.0.2.1
• dependabot/bundler/activestorage-6.1.7.7
• dependabot/bundler/activestorage-8.0.2.1
• dependabot/bundler/addressable-2.8.6
• dependabot/bundler/addressable-2.8.7
• dependabot/bundler/audited-5.4.3
• dependabot/bundler/aws-sdk-s3-1.140.0
• dependabot/bundler/aws-sdk-s3-1.141.0
• dependabot/bundler/aws-sdk-s3-1.142.0
• dependabot/bundler/aws-sdk-s3-1.143.0
• dependabot/bundler/aws-sdk-s3-1.170.0
• dependabot/bundler/aws-sdk-s3-1.170.1
• dependabot/bundler/aws-sdk-s3-1.173.0
• dependabot/bundler/aws-sdk-s3-1.174.0
• dependabot/bundler/aws-sdk-s3-1.175.0
• dependabot/bundler/aws-sdk-s3-1.176.0
• dependabot/bundler/aws-sdk-s3-1.176.1
• dependabot/bundler/aws-sdk-s3-1.177.0
• dependabot/bundler/aws-sdk-s3-1.178.0
• dependabot/bundler/aws-sdk-s3-1.179.0
• dependabot/bundler/aws-sdk-s3-1.180.0
• dependabot/bundler/aws-sdk-s3-1.181.0
• dependabot/bundler/aws-sdk-s3-1.182.0
• dependabot/bundler/aws-sdk-s3-1.183.0
• dependabot/bundler/aws-sdk-s3-1.184.0
• dependabot/bundler/aws-sdk-s3-1.185.0
• dependabot/bundler/aws-sdk-s3-1.186.0
• dependabot/bundler/aws-sdk-s3-1.186.1
• dependabot/bundler/aws-sdk-s3-1.188.0
• dependabot/bundler/aws-sdk-s3-1.189.0
• dependabot/bundler/aws-sdk-s3-1.189.1
• dependabot/bundler/aws-sdk-s3-1.190.0
• dependabot/bundler/aws-sdk-s3-1.191.0
• dependabot/bundler/aws-sdk-s3-1.192.0
• dependabot/bundler/aws-sdk-s3-1.193.0
• dependabot/bundler/aws-sdk-s3-1.194.0
• dependabot/bundler/aws-sdk-s3-1.195.0
• dependabot/bundler/aws-sdk-s3-1.196.0
• dependabot/bundler/aws-sdk-s3-1.196.1
• dependabot/bundler/aws-sdk-s3-1.198.0
• dependabot/bundler/aws-sdk-s3-1.199.0
• dependabot/bundler/aws-sdk-s3-1.199.1
• dependabot/bundler/binding_of_caller-1.0.1
• dependabot/bundler/bootsnap-1.17.1
• dependabot/bundler/bootsnap-1.18.1
• dependabot/bundler/bootsnap-1.18.4
• dependabot/bundler/brakeman-6.1.0
• dependabot/bundler/brakeman-6.1.1
• dependabot/bundler/brakeman-7.0.0
• dependabot/bundler/bullet-7.1.5
• dependabot/bundler/bullet-7.1.6
• dependabot/bundler/bullet-8.0.0
• dependabot/bundler/capybara-3.40.0
• dependabot/bundler/cssbundling-rails-1.4.0
• dependabot/bundler/cssbundling-rails-1.4.1
• dependabot/bundler/cssbundling-rails-1.4.2
• dependabot/bundler/cssbundling-rails-1.4.3
• dependabot/bundler/csv-safe-3.3.1
• dependabot/bundler/database_cleaner-2.1.0
• dependabot/bundler/devise-4.9.4
• dependabot/bundler/dotenv-rails-3.1.6
• dependabot/bundler/dotenv-rails-3.1.7
• dependabot/bundler/factory_bot_rails-6.4.4
• dependabot/bundler/faker-3.2.3
• dependabot/bundler/faker-3.5.1
• dependabot/bundler/foreman-0.88.1
• dependabot/bundler/govuk_design_system_formbuilder-5.0.0
• dependabot/bundler/govuk_design_system_formbuilder-5.7.1
• dependabot/bundler/govuk_design_system_formbuilder-5.8.0
• dependabot/bundler/high_voltage-4.0.0
• dependabot/bundler/i18n-tasks-1.0.14
• dependabot/bundler/ipaddr-1.2.6
• dependabot/bundler/ipaddr-1.2.7
• dependabot/bundler/jsbundling-rails-1.2.2
• dependabot/bundler/jsbundling-rails-1.3.0
• dependabot/bundler/jsbundling-rails-1.3.1
• dependabot/bundler/json-2.10.2
• dependabot/bundler/launchy-3.0.1
• dependabot/bundler/launchy-3.1.0
• dependabot/bundler/launchy-3.1.1
• dependabot/bundler/listen-3.9.0
• dependabot/bundler/mail-notify-2.0.0
• dependabot/bundler/mini_racer-0.18.0
• dependabot/bundler/mini_racer-0.18.1
• dependabot/bundler/mini_racer-0.19.0
• dependabot/bundler/monetize-1.13.0
• dependabot/bundler/net-imap-0.5.6
• dependabot/bundler/nokogiri-1.18.3
• dependabot/bundler/nokogiri-1.18.4
• dependabot/bundler/nokogiri-1.18.8
• dependabot/bundler/nokogiri-1.18.9
• dependabot/bundler/notifications-ruby-client-6.2.0
• dependabot/bundler/pg-1.5.9
• dependabot/bundler/pry-rails-0.3.11
• dependabot/bundler/puma-6.4.1
• dependabot/bundler/puma-6.4.2
• dependabot/bundler/puma-6.4.3
• dependabot/bundler/puma-6.5.0
• dependabot/bundler/puma-6.6.0
• dependabot/bundler/pundit-2.4.0
• dependabot/bundler/pundit-2.5.0
• dependabot/bundler/pundit-2.5.1
• dependabot/bundler/pundit-2.5.2
• dependabot/bundler/pundit-matchers-4.0.0
• dependabot/bundler/rack-2.2.11
• dependabot/bundler/rack-2.2.12
• dependabot/bundler/rack-2.2.13
• dependabot/bundler/rack-2.2.14
• dependabot/bundler/rack-2.2.18
• dependabot/bundler/rails-html-sanitizer-1.6.1
• dependabot/bundler/redis-5.4.0
• dependabot/bundler/redis-5.4.1
• dependabot/bundler/redis-actionpack-5.4.0
• dependabot/bundler/redis-actionpack-5.5.0
• dependabot/bundler/redis-store-1.11.0
• dependabot/bundler/rexml-3.3.9
• dependabot/bundler/rollbar-3.4.2
• dependabot/bundler/rollbar-3.5.1
• dependabot/bundler/rollbar-3.6.0
• dependabot/bundler/rollbar-3.6.1
• dependabot/bundler/rspec-rails-6.1.1
• dependabot/bundler/rspec-rails-6.1.5
• dependabot/bundler/rspec-rails-7.1.1
• dependabot/bundler/selenium-webdriver-4.16.0
• dependabot/bundler/selenium-webdriver-4.17.0
• dependabot/bundler/selenium-webdriver-4.26.0
• dependabot/bundler/selenium-webdriver-4.27.0
• dependabot/bundler/selenium-webdriver-4.28.0
• dependabot/bundler/selenium-webdriver-4.29.0
• dependabot/bundler/selenium-webdriver-4.29.1
• dependabot/bundler/selenium-webdriver-4.30.1
• dependabot/bundler/selenium-webdriver-4.31.0
• dependabot/bundler/selenium-webdriver-4.32.0
• dependabot/bundler/selenium-webdriver-4.33.0
• dependabot/bundler/selenium-webdriver-4.34.0
• dependabot/bundler/selenium-webdriver-4.35.0
• dependabot/bundler/selenium-webdriver-4.36.0
• dependabot/bundler/shoulda-matchers-6.0.0
• dependabot/bundler/shoulda-matchers-6.1.0
• dependabot/bundler/shoulda-matchers-6.4.0
• dependabot/bundler/simplecov-0.22.0
• dependabot/bundler/spring-4.2.1
• dependabot/bundler/standard-1.42.1
• dependabot/bundler/standard-1.43.0
• dependabot/bundler/standard-1.44.0
• dependabot/bundler/standard-1.45.0
• dependabot/bundler/standard-1.47.0
• dependabot/bundler/standard-1.49.0
• dependabot/bundler/standard-1.50.0
• dependabot/bundler/standard-1.51.1
• dependabot/bundler/strip_attributes-1.14.0
• dependabot/bundler/strip_attributes-1.14.1
• dependabot/bundler/strip_attributes-2.0.1
• dependabot/bundler/thor-1.4.0
• dependabot/bundler/uri-1.0.3
• dependabot/bundler/webmock-3.24.0
• dependabot/bundler/webmock-3.25.0
• dependabot/github_actions/actions/cache-4
• dependabot/github_actions/actions/checkout-5
• dependabot/github_actions/peter-evans/create-or-update-comment-4
• dependabot/npm_and_yarn/babel/helpers-7.27.0
• dependabot/npm_and_yarn/babel/runtime-7.26.10
• dependabot/npm_and_yarn/braces-3.0.3
• dependabot/npm_and_yarn/rollup-3.29.5
• dependabot/npm_and_yarn/serialize-javascript-6.0.2
• develop
• devise-2fa-5x-cleanup
• editorconfig
• feature/2929-iati-published-state-in-report-csv-export
• feature/2931-actual-refund-comment-csv-file-import-service
• feature/2931-actual-refund-comment-csv-row-import-service
• feature/2931-actuals-cannot-be-negative
• feature/2931-feature-flag-for-new-import-service
• feature/2931-model-csv-actual-refund-comment-row-from-csv
• feature/2931-model-csv-financial-values
• feature/2932-add-iati-scope-to-xml
• feature/3023-view-updates-for-new-importer
• feature/adr-anonymising-users
• feature/anonymise-users-background-job
• feature/change-activated-deactivated-user-interactions
• feature/countries-on-iati-xml
• feature/data-migration-allow-users-to-have-additional-organisations
• feature/data-migration-to-allow-users-to-have-additional-organisations
• feature/deactivated-users-can-be-anonymised
• feature/multiple-organisations-admin-ui
• feature/remove-rollout-check-for-level-b-exports
• feature/show-deactivated-duration
• feature/switch-organisations-frontend
• feature/update-user-for-anonymisation
• feature/users-separated-by-tabs
• feature/warn-when-user-assigned-to-dsit
• fix-link-scope
• fix-rails-ujs-links-not-working
• fix-setup-script
• fix-user-org-show-page
• fix/2977-missing-error-summary-matched-effort
• fix/2995-flakey-otp-sign-in-spec
• fix/2996-currency-code-seed
• fix/allow-older-activity-dates
• fix/complile-assets
• fix/coveralls
• fix/decouple-level-d-publishing
• fix/disable-eolrails-brakeman-check
• fix/flaky-healthcheck-spec
• fix/healthcheck-spec
• fix/iati-xml-countries-fix
• fix/kpi
• fix/kpi_script
• fix/minor-documentation-issues
• fix/revert-failing-commit
• fix/uncouple-levels-publishing
• fix/update-iati-xml-details
• fix/users-list-shows-wrong-organisation
• fix/welcome-email
• flaky-specs-iati_reference
• handle-case-insensitivity-in-kpi-script
• hotfix-add-sap-tag
• kpi-script-updates
• level-b-budget-columns
• level-b-exports
• level-b-fixes
• level-b-partner-org
• linked-activity-level-b
• loosen-budget-editing-policy
• main
• make-factory-more-accurate
• migrate-to-rails71-defaults
• migration/fix-dsit-beis-forecasts
• proper-data-migration
• rails71
• rails72
• rails8
• reassociate-activites-with-partners
• refactor/download-link-mailer
• relase-159
• release-140
• release-141
• release-142
• release-143
• release-144
• release-145
• release-146
• release-147
• release-148
• release-149
• release-150
• release-151
• release-152
• release-153
• release-154
• release-155
• release-156
• release-157
• release-158
• release-159
• release-160
• release-161
• release-162
• release-163
• release-164
• release-165
• release-166
• release-167
• release-168
• release-169
• release-170
• release-171
• release-172
• release-174
• release-175
• release-176
• release-177
• release-178
• release-179
• release-180
• release-181
• release-182
• release-183
• revert-3005
• revert-failing-migration
• revert-service-owner-migration
• spike-users-separated-by-tabs
• turn-off-rails71-callback-checking
• update-deployment-process
• update-govuk-frontend-to-fix-password-show
• upgrade-to-devise-6.x
• upgrade-to-rails70-defaults
• upgrade-to-rails71-defaults

Build # 7654704579

Build Type

Pull #2322

github

Committed by CristinaRO

Commit Message

Minimal Rack:Attack configuration

Prevent brute-force login attacks.

Once we have confirmed that this works as intended and doesn't block
legitimate users, and once we have configured the environment variables
on all environments, we can remove the fallbacks, to avoid giving the
potential attackers any clues on how to refine their attempts.

Pull Request Pull Request #2322: (3020) Prevent brute force login attack

Run Details

6948 of 7086 relevant lines covered (98.05%)

953.24 hits per line