manual backport of #35057 35651/head
authorJulien Veyssier <julien-nc@posteo.net>
Wed, 7 Dec 2022 15:39:16 +0000 (16:39 +0100)
committerJulien Veyssier <julien-nc@posteo.net>
Wed, 15 Mar 2023 09:19:35 +0000 (10:19 +0100)
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
lib/private/AppFramework/DependencyInjection/DIContainer.php
lib/private/AppFramework/Middleware/PublicShare/PublicShareMiddleware.php
tests/lib/AppFramework/Middleware/PublicShare/PublicShareMiddlewareTest.php

index e06d5226a28f06c02e056d328f3dea048f8204bd..55278dabad5e283c30286b5ccb49adf0c460c9c4 100644 (file)
@@ -301,7 +301,8 @@ class DIContainer extends SimpleContainer implements IAppContainer {
                                new OC\AppFramework\Middleware\PublicShare\PublicShareMiddleware(
                                        $c->get(IRequest::class),
                                        $c->get(ISession::class),
-                                       $c->get(\OCP\IConfig::class)
+                                       $c->get(\OCP\IConfig::class),
+                                       $c->get(OC\Security\Bruteforce\Throttler::class)
                                )
                        );
                        $dispatcher->registerMiddleware(
index d3beb4fd3a8ec64e4f980676d83097e4a536d6bd..f20bd333452d9497d17ecc4c537238d546c26fad 100644 (file)
@@ -24,6 +24,7 @@
 namespace OC\AppFramework\Middleware\PublicShare;
 
 use OC\AppFramework\Middleware\PublicShare\Exceptions\NeedAuthenticationException;
+use OC\Security\Bruteforce\Throttler;
 use OCP\AppFramework\AuthPublicShareController;
 use OCP\AppFramework\Http\NotFoundResponse;
 use OCP\AppFramework\Middleware;
@@ -43,10 +44,14 @@ class PublicShareMiddleware extends Middleware {
        /** @var IConfig */
        private $config;
 
-       public function __construct(IRequest $request, ISession $session, IConfig $config) {
+       /** @var Throttler */
+       private $throttler;
+
+       public function __construct(IRequest $request, ISession $session, IConfig $config, Throttler $throttler) {
                $this->request = $request;
                $this->session = $session;
                $this->config = $config;
+               $this->throttler = $throttler;
        }
 
        public function beforeController($controller, $methodName) {
@@ -54,6 +59,11 @@ class PublicShareMiddleware extends Middleware {
                        return;
                }
 
+               $controllerClassPath = explode('\\', get_class($controller));
+               $controllerShortClass = end($controllerClassPath);
+               $bruteforceProtectionAction = $controllerShortClass . '::' . $methodName;
+               $this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $bruteforceProtectionAction);
+
                if (!$this->isLinkSharingEnabled()) {
                        throw new NotFoundException('Link sharing is disabled');
                }
@@ -68,6 +78,8 @@ class PublicShareMiddleware extends Middleware {
                $controller->setToken($token);
 
                if (!$controller->isValidToken()) {
+                       $this->throttle($bruteforceProtectionAction, $token);
+
                        $controller->shareNotFound();
                        throw new NotFoundException();
                }
@@ -88,6 +100,7 @@ class PublicShareMiddleware extends Middleware {
                        throw new NeedAuthenticationException();
                }
 
+               $this->throttle($bruteforceProtectionAction, $token);
                throw new NotFoundException();
        }
 
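Review bot: The `throttle()` call added here runs after `isValidToken()` has already accepted the token (previous hunk), so this path is not a token guess — it is a valid share whose controller is neither authenticated nor an `AuthPublicShareController`. Counting it as a brute-force attempt, and storing a *valid* share token in the attempt metadata, is defensible to slow down probing of protected shares, but it also lets any unauthenticated client burn the IP's budget by repeatedly hitting such a URL. If that is intended, say so in code: `// Valid token but not authenticated and no way to authenticate: count it to slow down probing of protected shares`. The enclosing `beforeController` starts outside the hunk.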
@@ -128,4 +141,10 @@ class PublicShareMiddleware extends Middleware {
 
                return true;
        }
+
+       private function throttle($bruteforceProtectionAction, $token): void {
+               $ip = $this->request->getRemoteAddress();
+               $this->throttler->sleepDelay($ip, $bruteforceProtectionAction);
+               $this->throttler->registerAttempt($bruteforceProtectionAction, $ip, ['token' => $token]);
+       }
 }
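Review bot: `throttle()` leaves both parameters untyped while the constructor above uses native types, and it has no docblock; `private function throttle(string $bruteforceProtectionAction, string $token): void {` plus a short comment such as `// Apply the current delay for this IP and record the failed attempt; the pre-controller sleepDelayOrThrowOnMax() check lives in beforeController()` would make the contract clear. Note that the delay is applied *before* the attempt is registered, so the request being recorded only lengthens the delay of the next one — presumably mirroring the core BruteForceMiddleware pattern, but worth stating since a reader may expect the opposite order. The `['token' => $token]` metadata also writes the submitted token to the attempts table in clear; that is useful for forensics but should be a conscious choice.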
index 7e7140971e441cd652df40b2f1c0a44ec5690040..2e1422f6171aefa2e7d69a979e35a51e429ce3de 100644 (file)
@@ -25,6 +25,7 @@ namespace Test\AppFramework\Middleware\PublicShare;
 
 use OC\AppFramework\Middleware\PublicShare\Exceptions\NeedAuthenticationException;
 use OC\AppFramework\Middleware\PublicShare\PublicShareMiddleware;
+use OC\Security\Bruteforce\Throttler;
 use OCP\AppFramework\AuthPublicShareController;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\NotFoundResponse;
@@ -44,6 +45,8 @@ class PublicShareMiddlewareTest extends \Test\TestCase {
        private $session;
        /** @var IConfig|\PHPUnit\Framework\MockObject\MockObject */
        private $config;
+       /** @var Throttler|\PHPUnit\Framework\MockObject\MockObject */
+       private $throttler;
 
        /** @var PublicShareMiddleware */
        private $middleware;
@@ -55,11 +58,13 @@ class PublicShareMiddlewareTest extends \Test\TestCase {
                $this->request = $this->createMock(IRequest::class);
                $this->session = $this->createMock(ISession::class);
                $this->config = $this->createMock(IConfig::class);
+               $this->throttler = $this->createMock(Throttler::class);
 
                $this->middleware = new PublicShareMiddleware(
                        $this->request,
                        $this->session,
-                       $this->config
+                       $this->config,
+                       $this->throttler
                );
        }
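Review bot: `setUp` now injects a bare `createMock(Throttler::class)` but this hunk adds no expectation on it, so the new throttling is not asserted by anything visible here; if the backport did not also bring the upstream test additions, the invalid-token and not-authenticated cases should carry `$this->throttler->expects($this->once())->method('registerAttempt');` and the happy path `$this->throttler->expects($this->never())->method('registerAttempt');`. Because the concrete `OC\Security\Bruteforce\Throttler` is mocked, `sleepDelayOrThrowOnMax` silently returns null in every test, so covering the capped-IP path needs an explicit `->willThrowException(new MaxDelayReached('...'))` and an assertion on what `afterException` produces. The individual test methods are outside this hunk.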