Browse Source
fix: add check for app_api_system session flag to bypass rate limit
Signed-off-by: Florian Klinger <florian.klinger@nextcloud.com> Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>tags/v28.0.5rc1
Florian Klinger
3 months ago
3 changed files with 14 additions and 2 deletions
+ 2
- 1
lib/private/AppFramework/DependencyInjection/DIContainer.php
View File
| $c->get(IRequest::class), | $c->get(IRequest::class), | ||||
| $c->get(IUserSession::class), | $c->get(IUserSession::class), | ||||
| $c->get(IControllerMethodReflector::class), | $c->get(IControllerMethodReflector::class), | ||||
| $c->get(OC\Security\RateLimiting\Limiter::class) | |||||
| $c->get(OC\Security\RateLimiting\Limiter::class), | |||||
| $c->get(ISession::class) | |||||
| ) | ) | ||||
| ); | ); | ||||
| $dispatcher->registerMiddleware( | $dispatcher->registerMiddleware( |
+ 7
- 0
lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
View File
| use OCP\AppFramework\Http\TemplateResponse; | use OCP\AppFramework\Http\TemplateResponse; | ||||
| use OCP\AppFramework\Middleware; | use OCP\AppFramework\Middleware; | ||||
| use OCP\IRequest; | use OCP\IRequest; | ||||
| use OCP\ISession; | |||||
| use OCP\IUserSession; | use OCP\IUserSession; | ||||
| use ReflectionMethod; | use ReflectionMethod; | ||||
| protected IUserSession $userSession, | protected IUserSession $userSession, | ||||
| protected ControllerMethodReflector $reflector, | protected ControllerMethodReflector $reflector, | ||||
| protected Limiter $limiter, | protected Limiter $limiter, | ||||
| protected ISession $session, | |||||
| ) { | ) { | ||||
| } | } | ||||
| parent::beforeController($controller, $methodName); | parent::beforeController($controller, $methodName); | ||||
| $rateLimitIdentifier = get_class($controller) . '::' . $methodName; | $rateLimitIdentifier = get_class($controller) . '::' . $methodName; | ||||
| if ($this->session->exists('app_api_system')) { | |||||
| // Bypass rate limiting for app_api | |||||
| return; | |||||
| } | |||||
| if ($this->userSession->isLoggedIn()) { | if ($this->userSession->isLoggedIn()) { | ||||
| $rateLimit = $this->readLimitFromAnnotationOrAttribute($controller, $methodName, 'UserRateThrottle', UserRateLimit::class); | $rateLimit = $this->readLimitFromAnnotationOrAttribute($controller, $methodName, 'UserRateThrottle', UserRateLimit::class); | ||||
+ 5
- 1
tests/lib/AppFramework/Middleware/Security/RateLimitingMiddlewareTest.php
View File
| use OCP\AppFramework\Http\DataResponse; | use OCP\AppFramework\Http\DataResponse; | ||||
| use OCP\AppFramework\Http\TemplateResponse; | use OCP\AppFramework\Http\TemplateResponse; | ||||
| use OCP\IRequest; | use OCP\IRequest; | ||||
| use OCP\ISession; | |||||
| use OCP\IUser; | use OCP\IUser; | ||||
| use OCP\IUserSession; | use OCP\IUserSession; | ||||
| use PHPUnit\Framework\MockObject\MockObject; | use PHPUnit\Framework\MockObject\MockObject; | ||||
| private IUserSession|MockObject $userSession; | private IUserSession|MockObject $userSession; | ||||
| private ControllerMethodReflector $reflector; | private ControllerMethodReflector $reflector; | ||||
| private Limiter|MockObject $limiter; | private Limiter|MockObject $limiter; | ||||
| private ISession|MockObject $session; | |||||
| private RateLimitingMiddleware $rateLimitingMiddleware; | private RateLimitingMiddleware $rateLimitingMiddleware; | ||||
| protected function setUp(): void { | protected function setUp(): void { | ||||
| $this->userSession = $this->createMock(IUserSession::class); | $this->userSession = $this->createMock(IUserSession::class); | ||||
| $this->reflector = new ControllerMethodReflector(); | $this->reflector = new ControllerMethodReflector(); | ||||
| $this->limiter = $this->createMock(Limiter::class); | $this->limiter = $this->createMock(Limiter::class); | ||||
| $this->session = $this->createMock(ISession::class); | |||||
| $this->rateLimitingMiddleware = new RateLimitingMiddleware( | $this->rateLimitingMiddleware = new RateLimitingMiddleware( | ||||
| $this->request, | $this->request, | ||||
| $this->userSession, | $this->userSession, | ||||
| $this->reflector, | $this->reflector, | ||||
| $this->limiter | |||||
| $this->limiter, | |||||
| $this->session | |||||
| ); | ); | ||||
| } | } | ||||
Loading…