From afb1a54e9bd6f29b28e398ec2f24efe4c32d1032 Mon Sep 17 00:00:00 2001
From: Kevin Chung
Date: Mon, 22 Nov 2021 17:16:21 -0500
Subject: [PATCH] Add a way to configure challenge attempt ratelimiting (#2024)

* Allow submissions per minute ratelimit to be configurable
* Closes #2014
---
 CTFd/api/v1/challenges.py | 3 ++-
 CTFd/forms/config.py | 5 +++++
 CTFd/themes/admin/templates/configs/accounts.html | 8 ++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/CTFd/api/v1/challenges.py b/CTFd/api/v1/challenges.py
index 1b4067d3..e5594999 100644
--- a/CTFd/api/v1/challenges.py
+++ b/CTFd/api/v1/challenges.py
@@ -622,7 +622,8 @@ class ChallengeAttempt(Resource):
 # Anti-bruteforce / submitting Flags too quickly
 kpm = current_user.get_wrong_submissions_per_minute(user.account_id)
- if kpm > 10:
+ kpm_limit = int(get_config("incorrect_submissions_per_min", default=10))
+ if kpm > kpm_limit:
 if ctftime():
 chal_class.fail(
 user=user, team=team, challenge=challenge, request=request
diff --git a/CTFd/forms/config.py b/CTFd/forms/config.py
index 2fb61cd1..da6e00ec 100644
--- a/CTFd/forms/config.py
+++ b/CTFd/forms/config.py
@@ -69,6 +69,11 @@ class AccountSettingsForm(BaseForm):
 choices=[("true", "Enabled"), ("false", "Disabled")],
 default="true",
 )
+ incorrect_submissions_per_min = IntegerField(
+ "Incorrect Submissions per Minute",
+ widget=NumberInput(min=1),
+ description="Amount of submissions allowed per minute for flag bruteforce protection (default: 10)",
+ )
 submit = SubmitField("Update")
diff --git a/CTFd/themes/admin/templates/configs/accounts.html b/CTFd/themes/admin/templates/configs/accounts.html
index 4f855220..756551a6 100644
--- a/CTFd/themes/admin/templates/configs/accounts.html
+++ b/CTFd/themes/admin/templates/configs/accounts.html
@@ -54,6 +54,14 @@
+
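Review bot: The `int(...)` conversion on the new `kpm_limit` line runs on every challenge attempt with no guard on the stored value, and nothing visible in this patch enforces a bound on the server; the `NumberInput(min=1)` in the CTFd/forms/config.py hunk is only an HTML attribute on the input. If the setting can be saved empty or non-numeric and `get_config` returns that instead of the default (its behaviour is not shown here), the conversion would raise and break flag submission, while a stored 0 or negative number would make `kpm > kpm_limit` trip after the first wrong answer or on every attempt. Consider a fallback and a floor at the point of use, e.g. `kpm_limit = max(1, int(get_config("incorrect_submissions_per_min", default=10) or 10))`, and a server-side range validator on the form field. The enclosing method starts and ends outside the hunk.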
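Review bot: The `description` on the new field reads "Amount of submissions allowed per minute", but the key and label refer to incorrect submissions, and the check in CTFd/api/v1/challenges.py compares the limit against `get_wrong_submissions_per_minute`. An admin reading the help text could set the value expecting it to cap all submissions rather than only wrong ones. Suggested wording: `description="Number of incorrect submissions allowed per minute before flag bruteforce protection applies (default: 10)"`. The class body continues outside the hunk.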
+ {{ form.incorrect_submissions_per_min.label }}
+ {{ form.incorrect_submissions_per_min(class="form-control", value=incorrect_submissions_per_min) }}
+
+ {{ form.incorrect_submissions_per_min.description }}
+
+
+
{{ form.name_changes.label }} {{ form.name_changes(class="form-control custom-select") }}