How can we prevent attackers to submitting live components URLs directly? about ux HOT 4 CLOSED

I'll try to answer, but keep in mind depending on your components, your needs, ..et some of those points may not be relatable to your project

• you can add a RateLimiter in your components (they are service, so you can inject a RateLimiter inside one specific component, or -probably better- you can leverage one of the available events and create a shared Listener for this)
• you may want to restrict this URL to specific users (authenticated, or by IP, header...) with firewall + access control rules
• you can enable CSRF verification for your component actions
• you could set a global request control in your app that triggers custom HTTP codes + a ban system (fail2ban-like)
• you could also ban on your web server / host IP's that you often see trying some "malicious" things as you said

On your app side, there is no risk of SQL injection if you're using DTO's or scalars ..

For Doctrine entities if you use query builder or predefined repository functions neither (the string values will be escaped by Doctrine before beeing set.. and should probably not pass your entity validation constraints i guess).

In the end, a live component URL is like any controller URL in symfony, and you can leverage all the usual tools provided by Symfony / your server to control.

Concerning the error log messages: are they just "404" errors or is there something more suspicious here ?

from ux.

@rajansharmax could you provide more details to security [at] symfony.com?

from ux.

is there a way to stop this or any rate limiter?

from ux.

So the attacker added the live component URL to the bot, and maybe they are trying to inject a SQL query. so my questions is: how can we prevent these kind of form submissions. We are getting a lot of error log messages.

Is there any rate limiter for this, or do we need to add rate limiters on the server??

from ux.