diff options
author | John Molakvoæ <skjnldsv@users.noreply.github.com> | 2024-02-22 16:45:05 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-22 16:45:05 +0100 |
commit | fb0a2d54fbbed64277db0479ff2b9c64464f3baf (patch) | |
tree | 9223927ce2d654f4bfff4d218665297351a7f1d6 /apps/dav/lib | |
parent | 245a439d47dd458ba42bdcfb2e7b03581468bb3f (diff) | |
parent | 844a1b47f51d6104a106deb145ad0975f57c5aae (diff) | |
download | nextcloud-server-fb0a2d54fbbed64277db0479ff2b9c64464f3baf.tar.gz nextcloud-server-fb0a2d54fbbed64277db0479ff2b9c64464f3baf.zip |
Merge pull request #43752 from nextcloud/backport/43732/stable27
Diffstat (limited to 'apps/dav/lib')
-rw-r--r-- | apps/dav/lib/CalDAV/CalDavBackend.php | 21 | ||||
-rw-r--r-- | apps/dav/lib/CalDAV/Security/RateLimitingPlugin.php | 111 | ||||
-rw-r--r-- | apps/dav/lib/Server.php | 3 |
3 files changed, 135 insertions, 0 deletions
diff --git a/apps/dav/lib/CalDAV/CalDavBackend.php b/apps/dav/lib/CalDAV/CalDavBackend.php index 81d51a044d4..16054b053db 100644 --- a/apps/dav/lib/CalDAV/CalDavBackend.php +++ b/apps/dav/lib/CalDAV/CalDavBackend.php @@ -272,6 +272,27 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription } /** + * Return the number of subscriptions for a principal + */ + public function getSubscriptionsForUserCount(string $principalUri): int { + $principalUri = $this->convertPrincipal($principalUri, true); + $query = $this->db->getQueryBuilder(); + $query->select($query->func()->count('*')) + ->from('calendarsubscriptions'); + + if ($principalUri === '') { + $query->where($query->expr()->emptyString('principaluri')); + } else { + $query->where($query->expr()->eq('principaluri', $query->createNamedParameter($principalUri))); + } + + $result = $query->executeQuery(); + $column = (int)$result->fetchOne(); + $result->closeCursor(); + return $column; + } + + /** * @return array{id: int, deleted_at: int}[] */ public function getDeletedCalendars(int $deletedBefore): array { diff --git a/apps/dav/lib/CalDAV/Security/RateLimitingPlugin.php b/apps/dav/lib/CalDAV/Security/RateLimitingPlugin.php new file mode 100644 index 00000000000..e2480686b00 --- /dev/null +++ b/apps/dav/lib/CalDAV/Security/RateLimitingPlugin.php @@ -0,0 +1,111 @@ +<?php + +declare(strict_types=1); + +/* + * @copyright 2023 Christoph Wurst <christoph@winzerhof-wurst.at> + * + * @author 2023 Christoph Wurst <christoph@winzerhof-wurst.at> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +namespace OCA\DAV\CalDAV\Security; + +use OC\Security\RateLimiting\Exception\RateLimitExceededException; +use OC\Security\RateLimiting\Limiter; +use OCA\DAV\CalDAV\CalDavBackend; +use OCA\DAV\Connector\Sabre\Exception\TooManyRequests; +use OCP\IConfig; +use OCP\IUserManager; +use Psr\Log\LoggerInterface; +use Sabre\DAV; +use Sabre\DAV\Exception\Forbidden; +use Sabre\DAV\ServerPlugin; +use function count; +use function explode; + +class RateLimitingPlugin extends ServerPlugin { + + private Limiter $limiter; + private IUserManager $userManager; + private CalDavBackend $calDavBackend; + private IConfig $config; + private LoggerInterface $logger; + private ?string $userId; + + public function __construct(Limiter $limiter, + IUserManager $userManager, + CalDavBackend $calDavBackend, + LoggerInterface $logger, + IConfig $config, + ?string $userId) { + $this->limiter = $limiter; + $this->userManager = $userManager; + $this->calDavBackend = $calDavBackend; + $this->config = $config; + $this->logger = $logger; + $this->userId = $userId; + } + + public function initialize(DAV\Server $server): void { + $server->on('beforeBind', [$this, 'beforeBind'], 1); + } + + public function beforeBind(string $path): void { + if ($this->userId === null) { + // We only care about authenticated users here + return; + } + $user = $this->userManager->get($this->userId); + if ($user === null) { + // We only care about authenticated users here + return; + } + + $pathParts = explode('/', $path); + if (count($pathParts) === 3 && $pathParts[0] === 'calendars') { + // Path looks like calendars/username/calendarname so a new calendar or subscription is created + try { + $this->limiter->registerUserRequest( + 'caldav-create-calendar', + (int) $this->config->getAppValue('dav', 'rateLimitCalendarCreation', '10'), + (int) $this->config->getAppValue('dav', 'rateLimitPeriodCalendarCreation', '3600'), + $user + ); + } catch (RateLimitExceededException $e) { + throw new TooManyRequests('Too many calendars created', 0, $e); + } + + $calendarLimit = (int) $this->config->getAppValue('dav', 'maximumCalendarsSubscriptions', '30'); + if ($calendarLimit === -1) { + return; + } + $numCalendars = $this->calDavBackend->getCalendarsForUserCount('principals/users/' . $user->getUID()); + $numSubscriptions = $this->calDavBackend->getSubscriptionsForUserCount('principals/users/' . $user->getUID()); + + if (($numCalendars + $numSubscriptions) >= $calendarLimit) { + $this->logger->warning('Maximum number of calendars/subscriptions reached', [ + 'calendars' => $numCalendars, + 'subscription' => $numSubscriptions, + 'limit' => $calendarLimit, + ]); + throw new Forbidden('Calendar limit reached', 0); + } + } + } + +} diff --git a/apps/dav/lib/Server.php b/apps/dav/lib/Server.php index 809b804796d..9eeaf52229d 100644 --- a/apps/dav/lib/Server.php +++ b/apps/dav/lib/Server.php @@ -38,6 +38,7 @@ namespace OCA\DAV; use OCA\DAV\AppInfo\PluginManager; use OCA\DAV\BulkUpload\BulkUploadPlugin; use OCA\DAV\CalDAV\BirthdayService; +use OCA\DAV\CalDAV\Security\RateLimitingPlugin; use OCA\DAV\CardDAV\HasPhotoPlugin; use OCA\DAV\CardDAV\ImageExportPlugin; use OCA\DAV\CardDAV\MultiGetExportPlugin; @@ -192,6 +193,8 @@ class Server { \OC::$server->getConfig(), \OC::$server->getURLGenerator() )); + + $this->server->addPlugin(\OCP\Server::get(RateLimitingPlugin::class)); } // addressbook plugins |