author | Roeland Jago Douma <roeland@famdouma.nl> | 2018-04-23 22:43:08 +0200 |
---|---|---|
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2018-04-26 10:35:37 +0200 |
commit | 392337fa13028be2ef03f0f9d09ac224d8aa6818 (patch) | |
tree | 46ac4b0b292dcb15de8a3aae2fb9f56f973a3062 | |
parent | b6c58e75b754fc7a5f6873b51934be16a8365d8f (diff) | |
Throttle requests to unknown tokens
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
-rw-r--r-- | apps/dav/appinfo/v2/direct.php | 5 | ||||
-rw-r--r-- | apps/dav/lib/Direct/DirectHome.php | 18 | ||||
-rw-r--r-- | apps/dav/lib/Direct/ServerFactory.php | 10 |
3 files changed, 28 insertions, 5 deletions
diff --git a/apps/dav/appinfo/v2/direct.php b/apps/dav/appinfo/v2/direct.php
index 633d69a3c3d..3762a628303 100644
--- a/apps/dav/appinfo/v2/direct.php
+++ b/apps/dav/appinfo/v2/direct.php
@@ -38,7 +38,10 @@ $server = $serverFactory->createServer(
 $baseuri,
 $requestUri,
 \OC::$server->getRootFolder(),
- \OC::$server->query(\OCA\DAV\Db\DirectMapper::class)
+ \OC::$server->query(\OCA\DAV\Db\DirectMapper::class),
+ \OC::$server->query(\OCP\AppFramework\Utility\ITimeFactory::class),
+ \OC::$server->getBruteForceThrottler(),
+ \OC::$server->getRequest()
 );
 
 $server->exec();
diff --git a/apps/dav/lib/Direct/DirectHome.php b/apps/dav/lib/Direct/DirectHome.php
index f56815746a5..393adaddc97 100644
--- a/apps/dav/lib/Direct/DirectHome.php
+++ b/apps/dav/lib/Direct/DirectHome.php
@@ -24,10 +24,12 @@ declare(strict_types=1);
 
 namespace OCA\DAV\Direct;
 
+use OC\Security\Bruteforce\Throttler;
 use OCA\DAV\Db\DirectMapper;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Files\IRootFolder;
+use OCP\IRequest;
 use Sabre\DAV\Exception\Forbidden;
 use Sabre\DAV\Exception\MethodNotAllowed;
 use Sabre\DAV\Exception\NotFound;
@@ -44,12 +46,22 @@ class DirectHome implements ICollection {
 /** @var ITimeFactory */
 private $timeFactory;
 
+ /** @var Throttler */
+ private $throttler;
+
+ /** @var IRequest */
+ private $request;
+
 public function __construct(IRootFolder $rootFolder,
 DirectMapper $mapper,
- ITimeFactory $timeFactory) {
+ ITimeFactory $timeFactory,
+ Throttler $throttler,
+ IRequest $request) {
 $this->rootFolder = $rootFolder;
 $this->mapper = $mapper;
 $this->timeFactory = $timeFactory;
+ $this->throttler = $throttler;
+ $this->request = $request;
 }
 
 public function createFile($name, $data = null) {
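Review bot: The new constructor parameter `Throttler $throttler` is type-hinted on `OC\Security\Bruteforce\Throttler`, a class in the private `OC\` namespace rather than an `OCP\` interface, so a class under `OCA\DAV` now depends on server internals that may change without notice; if a public throttler interface is available it should be used here, otherwise a one-line comment such as `// NOTE: private OC\ class, no OCP interface for the throttler yet` should record why the private dependency is accepted (the dav app presumably ships with the server). The same applies to the `use OC\Security\Bruteforce\Throttler;` line added in the earlier hunk of this file. Beyond storing the two new collaborators the constructor is unchanged.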
@@ -71,7 +83,9 @@ class DirectHome implements ICollection {
 return new DirectFile($direct, $this->rootFolder);
 } catch (DoesNotExistException $e) {
- //TODO: throttle the ip to avoid brute forcing
+ // Since the token space is so huge only throttle on non exsisting token
+ $this->throttler->registerAttempt('directlink', $this->request->getRemoteAddress());
+ $this->throttler->sleepDelay($this->request->getRemoteAddress(), 'directlink');
 throw new NotFound();
 }
diff --git a/apps/dav/lib/Direct/ServerFactory.php b/apps/dav/lib/Direct/ServerFactory.php
index 9869e69710a..618f6889fd0 100644
--- a/apps/dav/lib/Direct/ServerFactory.php
+++ b/apps/dav/lib/Direct/ServerFactory.php
@@ -24,9 +24,12 @@ declare(strict_types=1);
 
 namespace OCA\DAV\Direct;
 
+use OC\Security\Bruteforce\Throttler;
 use OCA\DAV\Db\DirectMapper;
+use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Files\IRootFolder;
 use OCP\IConfig;
+use OCP\IRequest;
 
 class ServerFactory {
 /** @var IConfig */
@@ -39,8 +42,11 @@ class ServerFactory {
 public function createServer(string $baseURI,
 string $requestURI,
 IRootFolder $rootFolder,
- DirectMapper $mapper) {
- $home = new DirectHome($rootFolder, $mapper);
+ DirectMapper $mapper,
+ ITimeFactory $timeFactory,
+ Throttler $throttler,
+ IRequest $request): Server {
+ $home = new DirectHome($rootFolder, $mapper, $timeFactory, $throttler, $request);
 $server = new Server($home);
 
 $server->httpRequest->setUrl($requestURI);
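Review bot: `sleepDelay` on the third added line appears only to delay the response for the offending address, never to refuse it, so a client that opens many connections in parallel still gets an unbounded number of guesses per unit time once it sits at the maximum delay; if the throttler offers a variant that throws once the cap is reached it should be used here, otherwise consider refusing the request outright at the cap rather than only sleeping. Only the `DoesNotExistException` branch is counted — if getChild rejects a token for another reason before `return new DirectFile(...)` (its body starts above this hunk and ends below it), that path is not throttled and should also call `registerAttempt`. Hoisting the address into `$ip = $this->request->getRemoteAddress();` and passing `$ip` to both calls avoids the duplicated lookup, and the new comment's `exsisting` should read `existing`.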
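Review bot: createServer now takes seven arguments and every caller must thread the throttler, request and time factory through it, while `IConfig` (the `/** @var IConfig */` property visible in the first hunk of this file) appears to be injected into the factory itself; for consistency the three new collaborators could be constructor-injected on ServerFactory the same way, keeping `createServer` to the per-request inputs and letting `new DirectHome($rootFolder, $mapper, $this->timeFactory, $this->throttler, $this->request)` read them from properties. The added `: Server` return type relies on `Server` resolving in the `OCA\DAV\Direct` namespace, which the pre-existing `new Server($home)` already implies. The rest of createServer lies outside the hunk.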