authorRoeland Jago Douma <roeland@famdouma.nl>2018-04-23 22:43:08 +0200
committerRoeland Jago Douma <roeland@famdouma.nl>2018-04-26 10:35:37 +0200
commit392337fa13028be2ef03f0f9d09ac224d8aa6818 (patch)
tree46ac4b0b292dcb15de8a3aae2fb9f56f973a3062
parentb6c58e75b754fc7a5f6873b51934be16a8365d8f (diff)
Throttle requests to unknown tokens
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
-rw-r--r--apps/dav/appinfo/v2/direct.php5
-rw-r--r--apps/dav/lib/Direct/DirectHome.php18
-rw-r--r--apps/dav/lib/Direct/ServerFactory.php10
3 files changed, 28 insertions, 5 deletions
diff --git a/apps/dav/appinfo/v2/direct.php b/apps/dav/appinfo/v2/direct.php
index 633d69a3c3d..3762a628303 100644
--- a/apps/dav/appinfo/v2/direct.php
+++ b/apps/dav/appinfo/v2/direct.php
@@ -38,7 +38,10 @@ $server = $serverFactory->createServer(
$baseuri,
$requestUri,
\OC::$server->getRootFolder(),
- \OC::$server->query(\OCA\DAV\Db\DirectMapper::class)
+ \OC::$server->query(\OCA\DAV\Db\DirectMapper::class),
+ \OC::$server->query(\OCP\AppFramework\Utility\ITimeFactory::class),
+ \OC::$server->getBruteForceThrottler(),
+ \OC::$server->getRequest()
);
$server->exec();
diff --git a/apps/dav/lib/Direct/DirectHome.php b/apps/dav/lib/Direct/DirectHome.php
index f56815746a5..393adaddc97 100644
--- a/apps/dav/lib/Direct/DirectHome.php
+++ b/apps/dav/lib/Direct/DirectHome.php
@@ -24,10 +24,12 @@ declare(strict_types=1);
namespace OCA\DAV\Direct;
+use OC\Security\Bruteforce\Throttler;
use OCA\DAV\Db\DirectMapper;
use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Files\IRootFolder;
+use OCP\IRequest;
use Sabre\DAV\Exception\Forbidden;
use Sabre\DAV\Exception\MethodNotAllowed;
use Sabre\DAV\Exception\NotFound;
@@ -44,12 +46,22 @@ class DirectHome implements ICollection {
/** @var ITimeFactory */
private $timeFactory;
+ /** @var Throttler */
+ private $throttler;
+
+ /** @var IRequest */
+ private $request;
+
public function __construct(IRootFolder $rootFolder,
DirectMapper $mapper,
- ITimeFactory $timeFactory) {
+ ITimeFactory $timeFactory,
+ Throttler $throttler,
+ IRequest $request) {
$this->rootFolder = $rootFolder;
$this->mapper = $mapper;
$this->timeFactory = $timeFactory;
+ $this->throttler = $throttler;
+ $this->request = $request;
}
public function createFile($name, $data = null) {
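Review bot: The new constructor parameter `Throttler $throttler` (and its `@var Throttler` property) couples the app to `OC\Security\Bruteforce\Throttler`, a class from the private `OC` namespace, whereas app code is normally written against the public `OCP` API; the same import and type hint are added in ServerFactory (`use OC\Security\Bruteforce\Throttler;` / `Throttler $throttler`). If this release exposes no public throttler interface the coupling may be unavoidable, but it should then be made deliberate with a comment on the property, `// NOTE: depends on the internal Throttler; no OCP interface is available yet`, so it is revisited when one is. The class body continues outside the hunk.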
@@ -71,7 +83,9 @@ class DirectHome implements ICollection {
return new DirectFile($direct, $this->rootFolder);
} catch (DoesNotExistException $e) {
- //TODO: throttle the ip to avoid brute forcing
+ // Since the token space is so huge only throttle on non exsisting token
+ $this->throttler->registerAttempt('directlink', $this->request->getRemoteAddress());
+ $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'directlink');
throw new NotFound();
}
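Review bot: `$this->request->getRemoteAddress()` is evaluated twice in the catch block, once for `registerAttempt` and once for `sleepDelay`; read it into a local so both calls are keyed on the same value, `$ip = $this->request->getRemoteAddress();` and pass `$ip` to both. The new comment has a typo and reads better as `// Since the token space is so huge, only throttle on non-existing tokens`. The attempt is registered before the delay is applied, so the triggering request presumably already pays for its own failure; if that ordering is intentional, a short comment saying so would spare the next reader a check against the throttler. The enclosing method starts outside the hunk, so whether other `NotFound` paths in it should also count as attempts cannot be judged from here.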
diff --git a/apps/dav/lib/Direct/ServerFactory.php b/apps/dav/lib/Direct/ServerFactory.php
index 9869e69710a..618f6889fd0 100644
--- a/apps/dav/lib/Direct/ServerFactory.php
+++ b/apps/dav/lib/Direct/ServerFactory.php
@@ -24,9 +24,12 @@ declare(strict_types=1);
namespace OCA\DAV\Direct;
+use OC\Security\Bruteforce\Throttler;
use OCA\DAV\Db\DirectMapper;
+use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Files\IRootFolder;
use OCP\IConfig;
+use OCP\IRequest;
class ServerFactory {
/** @var IConfig */
@@ -39,8 +42,11 @@ class ServerFactory {
public function createServer(string $baseURI,
string $requestURI,
IRootFolder $rootFolder,
- DirectMapper $mapper) {
- $home = new DirectHome($rootFolder, $mapper);
+ DirectMapper $mapper,
+ ITimeFactory $timeFactory,
+ Throttler $throttler,
+ IRequest $request): Server {
+ $home = new DirectHome($rootFolder, $mapper, $timeFactory, $throttler, $request);
$server = new Server($home);
$server->httpRequest->setUrl($requestURI);