diff options
author | Morris Jobke <hey@morrisjobke.de> | 2018-01-14 21:08:45 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-01-14 21:08:45 +0100 |
commit | 2ed4bea18f207b6bb498cfa67e04652c3d5e69da (patch) | |
tree | fdaebdba1c0a24d9afdd5fb87920476471f934ae /lib/private/Security | |
parent | fcea6e1564c7189949b0b88f696e16e2979738fa (diff) | |
parent | cf0a3399970eb00621e822923f17d3d52845e0a6 (diff) | |
download | nextcloud-server-2ed4bea18f207b6bb498cfa67e04652c3d5e69da.tar.gz nextcloud-server-2ed4bea18f207b6bb498cfa67e04652c3d5e69da.zip |
Merge pull request #7852 from nextcloud/strict_ratelimiting
Make OC\Security\RateLimiting strict
Diffstat (limited to 'lib/private/Security')
4 files changed, 39 insertions, 30 deletions
diff --git a/lib/private/Security/RateLimiting/Backend/IBackend.php b/lib/private/Security/RateLimiting/Backend/IBackend.php index b20d27af42b..88c10fbbc8d 100644 --- a/lib/private/Security/RateLimiting/Backend/IBackend.php +++ b/lib/private/Security/RateLimiting/Backend/IBackend.php @@ -1,4 +1,5 @@ <?php +declare(strict_types=1); /** * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> * @@ -39,9 +40,9 @@ interface IBackend { * @param int $seconds Seconds to look back at * @return int */ - public function getAttempts($methodIdentifier, - $userIdentifier, - $seconds); + public function getAttempts(string $methodIdentifier, + string $userIdentifier, + int $seconds): int; /** * Registers an attempt @@ -50,7 +51,7 @@ interface IBackend { * @param string $userIdentifier Identifier for the user * @param int $period Period in seconds how long this attempt should be stored */ - public function registerAttempt($methodIdentifier, - $userIdentifier, - $period); + public function registerAttempt(string $methodIdentifier, + string $userIdentifier, + int $period); } diff --git a/lib/private/Security/RateLimiting/Backend/MemoryCache.php b/lib/private/Security/RateLimiting/Backend/MemoryCache.php index 700fa624ed4..a8fb7b87d10 100644 --- a/lib/private/Security/RateLimiting/Backend/MemoryCache.php +++ b/lib/private/Security/RateLimiting/Backend/MemoryCache.php @@ -1,4 +1,5 @@ <?php +declare(strict_types=1); /** * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> * @@ -54,8 +55,8 @@ class MemoryCache implements IBackend { * @param string $userIdentifier * @return string */ - private function hash($methodIdentifier, - $userIdentifier) { + private function hash(string $methodIdentifier, + string $userIdentifier): string { return hash('sha512', $methodIdentifier . $userIdentifier); } @@ -63,9 +64,14 @@ class MemoryCache implements IBackend { * @param string $identifier * @return array */ - private function getExistingAttempts($identifier) { - $cachedAttempts = json_decode($this->cache->get($identifier), true); - if(is_array($cachedAttempts)) { + private function getExistingAttempts(string $identifier): array { + $cachedAttempts = $this->cache->get($identifier); + if ($cachedAttempts === null) { + return []; + } + + $cachedAttempts = json_decode($cachedAttempts, true); + if(\is_array($cachedAttempts)) { return $cachedAttempts; } @@ -75,9 +81,9 @@ class MemoryCache implements IBackend { /** * {@inheritDoc} */ - public function getAttempts($methodIdentifier, - $userIdentifier, - $seconds) { + public function getAttempts(string $methodIdentifier, + string $userIdentifier, + int $seconds): int { $identifier = $this->hash($methodIdentifier, $userIdentifier); $existingAttempts = $this->getExistingAttempts($identifier); @@ -96,9 +102,9 @@ class MemoryCache implements IBackend { /** * {@inheritDoc} */ - public function registerAttempt($methodIdentifier, - $userIdentifier, - $period) { + public function registerAttempt(string $methodIdentifier, + string $userIdentifier, + int $period) { $identifier = $this->hash($methodIdentifier, $userIdentifier); $existingAttempts = $this->getExistingAttempts($identifier); $currentTime = $this->timeFactory->getTime(); diff --git a/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php b/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php index ffe9b534fed..ae4fa1d6c26 100644 --- a/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php +++ b/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php @@ -1,4 +1,5 @@ <?php +declare(strict_types=1); /** * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> * diff --git a/lib/private/Security/RateLimiting/Limiter.php b/lib/private/Security/RateLimiting/Limiter.php index 6a4176a0d50..5267497f86f 100644 --- a/lib/private/Security/RateLimiting/Limiter.php +++ b/lib/private/Security/RateLimiting/Limiter.php @@ -1,4 +1,5 @@ <?php +declare(strict_types=1); /** * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> * @@ -58,12 +59,12 @@ class Limiter { * @param int $limit * @throws RateLimitExceededException */ - private function register($methodIdentifier, - $userIdentifier, - $period, - $limit) { - $existingAttempts = $this->backend->getAttempts($methodIdentifier, $userIdentifier, (int)$period); - if ($existingAttempts >= (int)$limit) { + private function register(string $methodIdentifier, + string $userIdentifier, + int $period, + int $limit) { + $existingAttempts = $this->backend->getAttempts($methodIdentifier, $userIdentifier, $period); + if ($existingAttempts >= $limit) { throw new RateLimitExceededException(); } @@ -79,10 +80,10 @@ class Limiter { * @param string $ip * @throws RateLimitExceededException */ - public function registerAnonRequest($identifier, - $anonLimit, - $anonPeriod, - $ip) { + public function registerAnonRequest(string $identifier, + int $anonLimit, + int $anonPeriod, + string $ip) { $ipSubnet = (new IpAddress($ip))->getSubnet(); $anonHashIdentifier = hash('sha512', 'anon::' . $identifier . $ipSubnet); @@ -98,9 +99,9 @@ class Limiter { * @param IUser $user * @throws RateLimitExceededException */ - public function registerUserRequest($identifier, - $userLimit, - $userPeriod, + public function registerUserRequest(string $identifier, + int $userLimit, + int $userPeriod, IUser $user) { $userHashIdentifier = hash('sha512', 'user::' . $identifier . $user->getUID()); $this->register($identifier, $userHashIdentifier, $userPeriod, $userLimit); |