authorHamza Mahjoubi <hamzamahjoubi221@gmail.com>2024-04-05 00:00:49 +0200
committerHamza Mahjoubi <hamzamahjoubi221@gmail.com>2024-05-27 14:55:07 +0200
commitfe780945e2c1f9cd57b3a5f4b3e275ef45c7cb6e (patch)
tree7ebe8598c2cefab92304d399e971eff937a312f0 /apps/dav/lib
parentd87c23242b96903d59b978a936179f5441c26773 (diff)
fix(dav): Rate limit address book creation
Signed-off-by: Hamza Mahjoubi <hamzamahjoubi221@gmail.com>
Diffstat (limited to 'apps/dav/lib')
-rw-r--r--apps/dav/lib/CardDAV/Security/CardDavRateLimitingPlugin.php87
-rw-r--r--apps/dav/lib/Server.php3
2 files changed, 90 insertions, 0 deletions
diff --git a/apps/dav/lib/CardDAV/Security/CardDavRateLimitingPlugin.php b/apps/dav/lib/CardDAV/Security/CardDavRateLimitingPlugin.php
new file mode 100644
index 00000000000..65f20a955fd
--- /dev/null
+++ b/apps/dav/lib/CardDAV/Security/CardDavRateLimitingPlugin.php
@@ -0,0 +1,87 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\DAV\CardDAV\Security;
+
+use OC\Security\RateLimiting\Exception\RateLimitExceededException;
+use OC\Security\RateLimiting\Limiter;
+use OCA\DAV\CardDAV\CardDavBackend;
+use OCA\DAV\Connector\Sabre\Exception\TooManyRequests;
+use OCP\IAppConfig;
+use OCP\IUserManager;
+use Psr\Log\LoggerInterface;
+use Sabre\DAV;
+use Sabre\DAV\Exception\Forbidden;
+use Sabre\DAV\ServerPlugin;
+use function count;
+use function explode;
+
+class CardDavRateLimitingPlugin extends ServerPlugin {
+ private ?string $userId;
+
+ public function __construct(private Limiter $limiter,
+ private IUserManager $userManager,
+ private CardDavBackend $cardDavBackend,
+ private LoggerInterface $logger,
+ private IAppConfig $config,
+ ?string $userId) {
+ $this->limiter = $limiter;
+ $this->userManager = $userManager;
+ $this->cardDavBackend = $cardDavBackend;
+ $this->config = $config;
+ $this->logger = $logger;
+ $this->userId = $userId;
+ }
+
+ public function initialize(DAV\Server $server): void {
+ $server->on('beforeBind', [$this, 'beforeBind'], 1);
+ }
+
+ public function beforeBind(string $path): void {
+ if ($this->userId === null) {
+ // We only care about authenticated users here
+ return;
+ }
+ $user = $this->userManager->get($this->userId);
+ if ($user === null) {
+ // We only care about authenticated users here
+ return;
+ }
+
+ $pathParts = explode('/', $path);
+ if (count($pathParts) === 4 && $pathParts[0] === 'addressbooks') {
+ // Path looks like addressbooks/users/username/addressbooksname so a new addressbook is created
+ try {
+ $this->limiter->registerUserRequest(
+ 'carddav-create-address-book',
+ $this->config->getValueInt('dav', 'rateLimitAddressBookCreation', 10),
+ $this->config->getValueInt('dav', 'rateLimitPeriodAddressBookCreation', 3600),
+ $user
+ );
+ } catch (RateLimitExceededException $e) {
+ throw new TooManyRequests('Too many addressbooks created', 0, $e);
+ }
+
+ $addressBookLimit = $this->config->getValueInt('dav', 'maximumAdressbooks', 10);
+ if ($addressBookLimit === -1) {
+ return;
+ }
+ $numAddressbooks = $this->cardDavBackend->getAddressBooksForUserCount('principals/users/' . $user->getUID());
+
+ if ($numAddressbooks >= $addressBookLimit) {
+ $this->logger->warning('Maximum number of address books reached', [
+ 'addressbooks' => $numAddressbooks,
+ 'addressBookLimit' => $addressBookLimit,
+ ]);
+ throw new Forbidden('AddressBook limit reached', 0);
+ }
+ }
+ }
+
+}
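Review bot: The new config key read on the `$addressBookLimit` line is misspelled (`maximumAdressbooks`, single d) while the two sibling keys spell `AddressBook` out in full; since this key is introduced by this commit and admins will start setting it once it ships, it should read `$this->config->getValueInt('dav', 'maximumAddressbooks', 10)` now rather than after it is in use. The constructor re-assigns every promoted property (`$this->limiter = $limiter;` through `$this->logger = $logger;`) even though constructor promotion already performs those writes, so only `$this->userId = $userId;` is needed, or `$userId` could be promoted as well. The comment above the `explode` check says the path looks like `addressbooks/users/username/addressbooksname`, but the condition only tests `$pathParts[0]`, so four-segment paths under other address-book roots (e.g. a `system` segment) would be throttled too; if that is not intended, add `&& $pathParts[1] === 'users'`. The rate-limit request is registered before the maximum-count check, so a bind that ends in Forbidden still consumes rate budget — probably acceptable, but worth a comment if deliberate. The class has no docblock; something like `/** Throttles per-user address book creation and enforces the configured maximum number of address books (-1 disables the maximum). */` above `class CardDavRateLimitingPlugin` would state the contract.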
diff --git a/apps/dav/lib/Server.php b/apps/dav/lib/Server.php
index 37d04ba8190..37abcb9db47 100644
--- a/apps/dav/lib/Server.php
+++ b/apps/dav/lib/Server.php
@@ -45,6 +45,7 @@ use OCA\DAV\CardDAV\HasPhotoPlugin;
use OCA\DAV\CardDAV\ImageExportPlugin;
use OCA\DAV\CardDAV\MultiGetExportPlugin;
use OCA\DAV\CardDAV\PhotoCache;
+use OCA\DAV\CardDAV\Security\CardDavRateLimitingPlugin;
use OCA\DAV\Comments\CommentsPlugin;
use OCA\DAV\Connector\Sabre\AnonymousOptionsPlugin;
use OCA\DAV\Connector\Sabre\Auth;
@@ -208,6 +209,8 @@ class Server {
\OC::$server->getAppDataDir('dav-photocache'),
$logger)
));
+
+ $this->server->addPlugin(\OCP\Server::get(CardDavRateLimitingPlugin::class));
}
// system tags plugins