Browse Source
Throttle requests to unknown tokens
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>tags/v14.0.0beta1
Roeland Jago Douma
6 years ago
3 changed files with 28 additions and 5 deletions
+ 4
- 1
apps/dav/appinfo/v2/direct.php
View File
| @@ -38,7 +38,10 @@ $server = $serverFactory->createServer( | |||
| $baseuri, | |||
| $requestUri, | |||
| \OC::$server->getRootFolder(), | |||
| \OC::$server->query(\OCA\DAV\Db\DirectMapper::class) | |||
| \OC::$server->query(\OCA\DAV\Db\DirectMapper::class), | |||
| \OC::$server->query(\OCP\AppFramework\Utility\ITimeFactory::class), | |||
| \OC::$server->getBruteForceThrottler(), | |||
| \OC::$server->getRequest() | |||
| ); | |||
| $server->exec(); | |||
+ 16
- 2
apps/dav/lib/Direct/DirectHome.php
View File
| @@ -24,10 +24,12 @@ declare(strict_types=1); | |||
| namespace OCA\DAV\Direct; | |||
| use OC\Security\Bruteforce\Throttler; | |||
| use OCA\DAV\Db\DirectMapper; | |||
| use OCP\AppFramework\Db\DoesNotExistException; | |||
| use OCP\AppFramework\Utility\ITimeFactory; | |||
| use OCP\Files\IRootFolder; | |||
| use OCP\IRequest; | |||
| use Sabre\DAV\Exception\Forbidden; | |||
| use Sabre\DAV\Exception\MethodNotAllowed; | |||
| use Sabre\DAV\Exception\NotFound; | |||
| @@ -44,12 +46,22 @@ class DirectHome implements ICollection { | |||
| /** @var ITimeFactory */ | |||
| private $timeFactory; | |||
| /** @var Throttler */ | |||
| private $throttler; | |||
| /** @var IRequest */ | |||
| private $request; | |||
| public function __construct(IRootFolder $rootFolder, | |||
| DirectMapper $mapper, | |||
| ITimeFactory $timeFactory) { | |||
| ITimeFactory $timeFactory, | |||
| Throttler $throttler, | |||
| IRequest $request) { | |||
| $this->rootFolder = $rootFolder; | |||
| $this->mapper = $mapper; | |||
| $this->timeFactory = $timeFactory; | |||
| $this->throttler = $throttler; | |||
| $this->request = $request; | |||
| } | |||
| public function createFile($name, $data = null) { | |||
| @@ -71,7 +83,9 @@ class DirectHome implements ICollection { | |||
| return new DirectFile($direct, $this->rootFolder); | |||
| } catch (DoesNotExistException $e) { | |||
| //TODO: throttle the ip to avoid brute forcing | |||
| // Since the token space is so huge only throttle on non exsisting token | |||
| $this->throttler->registerAttempt('directlink', $this->request->getRemoteAddress()); | |||
| $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'directlink'); | |||
| throw new NotFound(); | |||
| } | |||
+ 8
- 2
apps/dav/lib/Direct/ServerFactory.php
View File
| @@ -24,9 +24,12 @@ declare(strict_types=1); | |||
| namespace OCA\DAV\Direct; | |||
| use OC\Security\Bruteforce\Throttler; | |||
| use OCA\DAV\Db\DirectMapper; | |||
| use OCP\AppFramework\Utility\ITimeFactory; | |||
| use OCP\Files\IRootFolder; | |||
| use OCP\IConfig; | |||
| use OCP\IRequest; | |||
| class ServerFactory { | |||
| /** @var IConfig */ | |||
| @@ -39,8 +42,11 @@ class ServerFactory { | |||
| public function createServer(string $baseURI, | |||
| string $requestURI, | |||
| IRootFolder $rootFolder, | |||
| DirectMapper $mapper) { | |||
| $home = new DirectHome($rootFolder, $mapper); | |||
| DirectMapper $mapper, | |||
| ITimeFactory $timeFactory, | |||
| Throttler $throttler, | |||
| IRequest $request): Server { | |||
| $home = new DirectHome($rootFolder, $mapper, $timeFactory, $throttler, $request); | |||
| $server = new Server($home); | |||
| $server->httpRequest->setUrl($requestURI); | |||
Loading…