author | Joas Schilling <coding@schilljs.com> | 2024-02-02 16:38:10 +0100 |
committer | Joas Schilling <coding@schilljs.com> | 2024-02-21 09:18:36 +0100 |
commit | 2dfaf7614d764734b4526eaef1c11ae3da385e34 (patch) | |
tree | 1c305af2fe171122133b57afba16ad019631994d /apps/federation/lib | |
parent | 07dbd3c28cc0cc59af2b80cc68ee7c128bc687e3 (diff) | |
fix: Add bruteforce protection to federation endpoint
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'apps/federation/lib')
-rw-r--r-- | apps/federation/lib/Controller/OCSAuthAPIController.php | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/apps/federation/lib/Controller/OCSAuthAPIController.php b/apps/federation/lib/Controller/OCSAuthAPIController.php
index 82c3e20da31..63a5fbb3155 100644
--- a/apps/federation/lib/Controller/OCSAuthAPIController.php
+++ b/apps/federation/lib/Controller/OCSAuthAPIController.php
@@ -38,6 +38,7 @@ use OCP\AppFramework\OCSController;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\BackgroundJob\IJobList;
 use OCP\IRequest;
+use OCP\Security\Bruteforce\IThrottler;
 use OCP\Security\ISecureRandom;
 use Psr\Log\LoggerInterface;
 
@@ -56,6 +57,7 @@ class OCSAuthAPIController extends OCSController {
 	private DbHandler $dbHandler;
 	private LoggerInterface $logger;
 	private ITimeFactory $timeFactory;
+	private IThrottler $throttler;
 
 	public function __construct(
 		string $appName,
@@ -65,7 +67,8 @@ class OCSAuthAPIController extends OCSController {
 		TrustedServers $trustedServers,
 		DbHandler $dbHandler,
 		LoggerInterface $logger,
-		ITimeFactory $timeFactory
+		ITimeFactory $timeFactory,
+		IThrottler $throttler
 	) {
 		parent::__construct($appName, $request);
 
@@ -75,6 +78,7 @@ class OCSAuthAPIController extends OCSController {
 		$this->dbHandler = $dbHandler;
 		$this->logger = $logger;
 		$this->timeFactory = $timeFactory;
+		$this->throttler = $throttler;
 	}
 
 	/**
@@ -82,6 +86,7 @@ class OCSAuthAPIController extends OCSController {
 	 *
 	 * @NoCSRFRequired
 	 * @PublicPage
+	 * @BruteForceProtection(action=federationSharedSecret)
 	 *
 	 * @param string $url URL of the server
 	 * @param string $token Token of the server
@@ -100,6 +105,7 @@ class OCSAuthAPIController extends OCSController {
 	 *
 	 * @NoCSRFRequired
 	 * @PublicPage
+	 * @BruteForceProtection(action=federationSharedSecret)
 	 *
 	 * @param string $url URL of the server
 	 * @param string $token Token of the server
@@ -117,6 +123,7 @@ class OCSAuthAPIController extends OCSController {
 	 *
 	 * @NoCSRFRequired
 	 * @PublicPage
+	 * @BruteForceProtection(action=federationSharedSecret)
 	 *
 	 * @param string $url URL of the server
 	 * @param string $token Token of the server
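Review bot: The `@BruteForceProtection(action=federationSharedSecret)` annotations added in the three docblock hunks (old lines 82, 100 and 117) belong to methods whose bodies lie outside these hunks, so it is not visible whether those methods also call `$this->throttler->registerAttempt(...)` on a failed trust or token check the way requestSharedSecret and getSharedSecret do further down. If they validate on their own rather than delegating to those two methods, a failure there presumably would not be counted and the annotation would only throttle attempts recorded elsewhere; worth confirming against the full file. The action name is also spelled out as a bare string in four annotations and again in each registerAttempt call; a `private const BRUTEFORCE_ACTION = 'federationSharedSecret';` used by the PHP calls keeps them from drifting apart from the docblocks.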
@@ -127,6 +134,7 @@ class OCSAuthAPIController extends OCSController {
 	 */
 	public function requestSharedSecret(string $url, string $token): DataResponse {
 		if ($this->trustedServers->isTrustedServer($url) === false) {
+			$this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress());
 			$this->logger->error('remote server not trusted (' . $url . ') while requesting shared secret', ['app' => 'federation']);
 			throw new OCSForbiddenException();
 		}
@@ -159,6 +167,7 @@ class OCSAuthAPIController extends OCSController {
 	 *
 	 * @NoCSRFRequired
 	 * @PublicPage
+	 * @BruteForceProtection(action=federationSharedSecret)
 	 *
 	 * @param string $url URL of the server
 	 * @param string $token Token of the server
@@ -169,11 +178,13 @@ class OCSAuthAPIController extends OCSController {
 	 */
 	public function getSharedSecret(string $url, string $token): DataResponse {
 		if ($this->trustedServers->isTrustedServer($url) === false) {
+			$this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress());
 			$this->logger->error('remote server not trusted (' . $url . ') while getting shared secret', ['app' => 'federation']);
 			throw new OCSForbiddenException();
 		}
 
 		if ($this->isValidToken($url, $token) === false) {
+			$this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress());
 			$expectedToken = $this->dbHandler->getToken($url);
 			$this->logger->error(
 				'remote server (' . $url . ') didn\'t send a valid token (got "' . $token . '" but expected "'. $expectedToken . '") while getting shared secret',
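Review bot: In the getSharedSecret hunk the invalid-token branch now registers a throttled attempt and then, on the pre-existing context lines right below, writes both the received `$token` and the `$expectedToken` in plaintext to the error log; since this is precisely the path repeated guessing will exercise, the expected value should not end up in the log, e.g. `'remote server (' . $url . ') didn\'t send a valid token while getting shared secret'` with the received token at most truncated. Separately, in the requestSharedSecret hunk only the untrusted-server branch calls registerAttempt; that method's body continues past the hunk, and if it also validates the token further down, that branch should register an attempt as well so the two endpoints count failures the same way.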