author | Bjoern Schiessle <bjoern@schiessle.org> | 2017-01-17 11:51:10 +0100 |
---|---|---|
committer | Bjoern Schiessle <bjoern@schiessle.org> | 2017-01-18 15:25:15 +0100 |
commit | df296249d6ca4c9980bb23acdb6d9353d0d69996 (patch) | |
tree | 86f019d215dd92604164dd5da44ce1e9d7b4e41b /lib/private/AppFramework/Middleware/Security | |
parent | 4bbd52b3f9aa07ebb170ed2ea4dbc67e2af79448 (diff) | |
introduce brute force protection for api calls
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
Diffstat (limited to 'lib/private/AppFramework/Middleware/Security')
-rw-r--r-- | lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index d60d5749d57..dcfab3544b8 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -36,6 +36,7 @@ use OC\AppFramework\Middleware\Security\Exceptions\NotConfirmedException;
 use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException;
 use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
 use OC\AppFramework\Utility\ControllerMethodReflector;
+use OC\Security\Bruteforce\Throttler;
 use OC\Security\CSP\ContentSecurityPolicyManager;
 use OC\Security\CSP\ContentSecurityPolicyNonceManager;
 use OC\Security\CSRF\CsrfTokenManager;
@@ -87,6 +88,8 @@ class SecurityMiddleware extends Middleware {
 	private $csrfTokenManager;
 	/** @var ContentSecurityPolicyNonceManager */
 	private $cspNonceManager;
+	/** @var Throttler */
+	private $throttler;
 	/**
 	 * @param IRequest $request
@@ -101,6 +104,7 @@ class SecurityMiddleware extends Middleware {
 	 * @param ContentSecurityPolicyManager $contentSecurityPolicyManager
 	 * @param CSRFTokenManager $csrfTokenManager
 	 * @param ContentSecurityPolicyNonceManager $cspNonceManager
+	 * @param Throttler $throttler
 	 */
 	public function __construct(IRequest $request,
 								ControllerMethodReflector $reflector,
@@ -113,7 +117,8 @@ class SecurityMiddleware extends Middleware {
 								$isAdminUser,
 								ContentSecurityPolicyManager $contentSecurityPolicyManager,
 								CsrfTokenManager $csrfTokenManager,
-								ContentSecurityPolicyNonceManager $cspNonceManager) {
+								ContentSecurityPolicyNonceManager $cspNonceManager,
+								Throttler $throttler) {
 		$this->navigationManager = $navigationManager;
 		$this->request = $request;
 		$this->reflector = $reflector;
@@ -126,6 +131,7 @@ class SecurityMiddleware extends Middleware {
 		$this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
 		$this->csrfTokenManager = $csrfTokenManager;
 		$this->cspNonceManager = $cspNonceManager;
+		$this->throttler = $throttler;
 	}
@@ -185,6 +191,12 @@ class SecurityMiddleware extends Middleware {
 			}
 		}
+		if($this->reflector->hasAnnotation('BruteForceProtection')) {
+			$action = $this->request->getRequestUri();
+			$this->throttler->sleepDelay($this->request->getRemoteAddress(), $action);
+			$this->throttler->registerAttempt($action, $this->request->getRemoteAddress());
+		}
 		/**
 		 * FIXME: Use DI once available
 		 * Checks if app is enabled (also includes a check whether user is allowed to access the resource)
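Review bot: The `BruteForceProtection` block in the second hunk calls `registerAttempt` on every request that reaches this point, before the controller has run and regardless of its outcome, so successful calls from a legitimate client are counted against the same throttle as failed ones; unless that is intended, the `registerAttempt` call belongs where the failure is known (for example on the exception/error path), with only the `sleepDelay` call staying here. The key passed as `$action` is the raw `getRequestUri()`, which changes with query parameters and path variants, so the throttle bucket is effectively chosen by the caller rather than by the protected endpoint; a fixed per-route identifier would be more robust. The argument order differs between `sleepDelay($ip, $action)` and `registerAttempt($action, $ip)`, which presumably matches the Throttler signatures but is worth confirming since both arguments are strings and a swap would not be caught by the type system. A comment such as `// Delay and record this call for throttling; attempts are counted regardless of the controller's outcome` above the `if` would make the intent explicit. The enclosing method starts and ends outside the hunk.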