Add bruteforce protection to the shareinfo endpoint 26955/head
authorRoeland Jago Douma <roeland@famdouma.nl>
Tue, 11 May 2021 13:25:31 +0000 (15:25 +0200)
committerbackportbot[bot] <backportbot[bot]@users.noreply.github.com>
Wed, 12 May 2021 08:09:14 +0000 (08:09 +0000)
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
apps/files_sharing/lib/Controller/ShareInfoController.php
apps/files_sharing/tests/Controller/ShareInfoControllerTest.php

index 315a562abef3f0dd063cbc2c51d7b1ef40c6276c..0fe98a32c7d929d4b10e8f1e3cca5cffb99c10a0 100644 (file)
@@ -48,7 +48,7 @@ class ShareInfoController extends ApiController {
         * @param IRequest $request
         * @param IManager $shareManager
         */
-       public function __construct($appName,
+       public function __construct(string $appName,
                                                                IRequest $request,
                                                                IManager $shareManager) {
                parent::__construct($appName, $request);
@@ -59,26 +59,32 @@ class ShareInfoController extends ApiController {
        /**
         * @PublicPage
         * @NoCSRFRequired
+        * @BruteForceProtection(action=shareinfo)
         *
         * @param string $t
         * @param null $password
         * @param null $dir
         * @return JSONResponse
-        * @throws ShareNotFound
         */
        public function info($t, $password = null, $dir = null) {
                try {
                        $share = $this->shareManager->getShareByToken($t);
                } catch (ShareNotFound $e) {
-                       return new JSONResponse([], Http::STATUS_NOT_FOUND);
+                       $response = new JSONResponse([], Http::STATUS_NOT_FOUND);
+                       $response->throttle(['token' => $t]);
+                       return $response;
                }
 
                if ($share->getPassword() && !$this->shareManager->checkPassword($share, $password)) {
-                       return new JSONResponse([], Http::STATUS_FORBIDDEN);
+                       $response = new JSONResponse([], Http::STATUS_FORBIDDEN);
+                       $response->throttle(['token' => $t]);
+                       return $response;
                }
 
                if (!($share->getPermissions() & Constants::PERMISSION_READ)) {
-                       return new JSONResponse([], Http::STATUS_FORBIDDEN);
+                       $response = new JSONResponse([], Http::STATUS_FORBIDDEN);
+                       $response->throttle(['token' => $t]);
+                       return $response;
                }
 
                $permissionMask = $share->getPermissions();
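Review bot: The throttle on the permission-check branch fires for a request that presented a valid token and, where one is set, the correct password, so a client of a share that merely lacks `Constants::PERMISSION_READ` (an upload-only share, for instance) is counted against the brute-force counter on every call; if the annotation is only meant to slow down token and password guessing, that branch should not throttle, or the reason it does should be stated in a comment such as `// throttled on purpose: probing read access on a known token is treated like guessing`. The three `new JSONResponse` / `throttle(['token' => $t])` / `return` triplets differ only in the status code and would collapse into one small private helper, sketched below. While here, the docblock still reads `@param null $password` and `@param null $dir`, which `@param string|null $password` and `@param string|null $dir` would correct, and `info()` stays untyped even though the constructor in the previous hunk gained `string $appName`. The body of `info()` continues past the end of the hunk.
```php
		try {
			$share = $this->shareManager->getShareByToken($t);
		} catch (ShareNotFound $e) {
			return $this->throttledResponse(Http::STATUS_NOT_FOUND, $t);
		}

		if ($share->getPassword() && !$this->shareManager->checkPassword($share, $password)) {
			return $this->throttledResponse(Http::STATUS_FORBIDDEN, $t);
		}

		if (!($share->getPermissions() & Constants::PERMISSION_READ)) {
			return $this->throttledResponse(Http::STATUS_FORBIDDEN, $t);
		}
		// … unchanged: rest of info() …

	/**
	 * Empty response carrying the given status, marked for brute-force throttling
	 * keyed on the share token that was tried.
	 */
	private function throttledResponse(int $status, string $token): JSONResponse {
		$response = new JSONResponse([], $status);
		$response->throttle(['token' => $token]);
		return $response;
	}
```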
index 9ea93b9900ab5ef8f3e863a847f8f940592c66c8..5de04d8444b101c1ba9d377f2a632b8cfd0e7cc2 100644 (file)
@@ -66,6 +66,7 @@ class ShareInfoControllerTest extends TestCase {
                        ->willThrowException(new ShareNotFound());
 
                $expected = new JSONResponse([], Http::STATUS_NOT_FOUND);
+               $expected->throttle(['token' => 'token']);
                $this->assertEquals($expected, $this->controller->info('token'));
        }
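Review bot: The throttle expectation in this test, and in the two hunks below it, is only checked indirectly through `assertEquals` on the whole `JSONResponse` object, so the intent is invisible if that comparison ever stops covering the throttle metadata; asserting it directly, e.g. `$this->assertTrue($response->isThrottled());` after capturing `$response = $this->controller->info('token');`, would pin the new behaviour explicitly (assuming the response class exposes that accessor, which the hunk does not show). The same applies to the two FORBIDDEN tests in the following hunks. A companion assertion on the existing success-path test that the response is not throttled would guard against the throttle leaking into the happy path.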
 
@@ -82,6 +83,7 @@ class ShareInfoControllerTest extends TestCase {
                        ->willReturn(false);
 
                $expected = new JSONResponse([], Http::STATUS_FORBIDDEN);
+               $expected->throttle(['token' => 'token']);
                $this->assertEquals($expected, $this->controller->info('token', 'pass'));
        }
 
@@ -100,6 +102,7 @@ class ShareInfoControllerTest extends TestCase {
                        ->willReturn(true);
 
                $expected = new JSONResponse([], Http::STATUS_FORBIDDEN);
+               $expected->throttle(['token' => 'token']);
                $this->assertEquals($expected, $this->controller->info('token', 'pass'));
        }