aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/Security
diff options
context:
space:
mode:
authorMorris Jobke <hey@morrisjobke.de>2018-01-14 21:08:45 +0100
committerGitHub <noreply@github.com>2018-01-14 21:08:45 +0100
commit2ed4bea18f207b6bb498cfa67e04652c3d5e69da (patch)
treefdaebdba1c0a24d9afdd5fb87920476471f934ae /lib/private/Security
parentfcea6e1564c7189949b0b88f696e16e2979738fa (diff)
parentcf0a3399970eb00621e822923f17d3d52845e0a6 (diff)
downloadnextcloud-server-2ed4bea18f207b6bb498cfa67e04652c3d5e69da.tar.gz
nextcloud-server-2ed4bea18f207b6bb498cfa67e04652c3d5e69da.zip
Merge pull request #7852 from nextcloud/strict_ratelimiting
Make OC\Security\RateLimiting strict
Diffstat (limited to 'lib/private/Security')
-rw-r--r--lib/private/Security/RateLimiting/Backend/IBackend.php13
-rw-r--r--lib/private/Security/RateLimiting/Backend/MemoryCache.php28
-rw-r--r--lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php1
-rw-r--r--lib/private/Security/RateLimiting/Limiter.php27
4 files changed, 39 insertions, 30 deletions
diff --git a/lib/private/Security/RateLimiting/Backend/IBackend.php b/lib/private/Security/RateLimiting/Backend/IBackend.php
index b20d27af42b..88c10fbbc8d 100644
--- a/lib/private/Security/RateLimiting/Backend/IBackend.php
+++ b/lib/private/Security/RateLimiting/Backend/IBackend.php
@@ -1,4 +1,5 @@
<?php
+declare(strict_types=1);
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
@@ -39,9 +40,9 @@ interface IBackend {
* @param int $seconds Seconds to look back at
* @return int
*/
- public function getAttempts($methodIdentifier,
- $userIdentifier,
- $seconds);
+ public function getAttempts(string $methodIdentifier,
+ string $userIdentifier,
+ int $seconds): int;
/**
* Registers an attempt
@@ -50,7 +51,7 @@ interface IBackend {
* @param string $userIdentifier Identifier for the user
* @param int $period Period in seconds how long this attempt should be stored
*/
- public function registerAttempt($methodIdentifier,
- $userIdentifier,
- $period);
+ public function registerAttempt(string $methodIdentifier,
+ string $userIdentifier,
+ int $period);
}
diff --git a/lib/private/Security/RateLimiting/Backend/MemoryCache.php b/lib/private/Security/RateLimiting/Backend/MemoryCache.php
index 700fa624ed4..a8fb7b87d10 100644
--- a/lib/private/Security/RateLimiting/Backend/MemoryCache.php
+++ b/lib/private/Security/RateLimiting/Backend/MemoryCache.php
@@ -1,4 +1,5 @@
<?php
+declare(strict_types=1);
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
@@ -54,8 +55,8 @@ class MemoryCache implements IBackend {
* @param string $userIdentifier
* @return string
*/
- private function hash($methodIdentifier,
- $userIdentifier) {
+ private function hash(string $methodIdentifier,
+ string $userIdentifier): string {
return hash('sha512', $methodIdentifier . $userIdentifier);
}
@@ -63,9 +64,14 @@ class MemoryCache implements IBackend {
* @param string $identifier
* @return array
*/
- private function getExistingAttempts($identifier) {
- $cachedAttempts = json_decode($this->cache->get($identifier), true);
- if(is_array($cachedAttempts)) {
+ private function getExistingAttempts(string $identifier): array {
+ $cachedAttempts = $this->cache->get($identifier);
+ if ($cachedAttempts === null) {
+ return [];
+ }
+
+ $cachedAttempts = json_decode($cachedAttempts, true);
+ if(\is_array($cachedAttempts)) {
return $cachedAttempts;
}
@@ -75,9 +81,9 @@ class MemoryCache implements IBackend {
/**
* {@inheritDoc}
*/
- public function getAttempts($methodIdentifier,
- $userIdentifier,
- $seconds) {
+ public function getAttempts(string $methodIdentifier,
+ string $userIdentifier,
+ int $seconds): int {
$identifier = $this->hash($methodIdentifier, $userIdentifier);
$existingAttempts = $this->getExistingAttempts($identifier);
@@ -96,9 +102,9 @@ class MemoryCache implements IBackend {
/**
* {@inheritDoc}
*/
- public function registerAttempt($methodIdentifier,
- $userIdentifier,
- $period) {
+ public function registerAttempt(string $methodIdentifier,
+ string $userIdentifier,
+ int $period) {
$identifier = $this->hash($methodIdentifier, $userIdentifier);
$existingAttempts = $this->getExistingAttempts($identifier);
$currentTime = $this->timeFactory->getTime();
diff --git a/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php b/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php
index ffe9b534fed..ae4fa1d6c26 100644
--- a/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php
+++ b/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php
@@ -1,4 +1,5 @@
<?php
+declare(strict_types=1);
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
diff --git a/lib/private/Security/RateLimiting/Limiter.php b/lib/private/Security/RateLimiting/Limiter.php
index 6a4176a0d50..5267497f86f 100644
--- a/lib/private/Security/RateLimiting/Limiter.php
+++ b/lib/private/Security/RateLimiting/Limiter.php
@@ -1,4 +1,5 @@
<?php
+declare(strict_types=1);
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
@@ -58,12 +59,12 @@ class Limiter {
* @param int $limit
* @throws RateLimitExceededException
*/
- private function register($methodIdentifier,
- $userIdentifier,
- $period,
- $limit) {
- $existingAttempts = $this->backend->getAttempts($methodIdentifier, $userIdentifier, (int)$period);
- if ($existingAttempts >= (int)$limit) {
+ private function register(string $methodIdentifier,
+ string $userIdentifier,
+ int $period,
+ int $limit) {
+ $existingAttempts = $this->backend->getAttempts($methodIdentifier, $userIdentifier, $period);
+ if ($existingAttempts >= $limit) {
throw new RateLimitExceededException();
}
@@ -79,10 +80,10 @@ class Limiter {
* @param string $ip
* @throws RateLimitExceededException
*/
- public function registerAnonRequest($identifier,
- $anonLimit,
- $anonPeriod,
- $ip) {
+ public function registerAnonRequest(string $identifier,
+ int $anonLimit,
+ int $anonPeriod,
+ string $ip) {
$ipSubnet = (new IpAddress($ip))->getSubnet();
$anonHashIdentifier = hash('sha512', 'anon::' . $identifier . $ipSubnet);
@@ -98,9 +99,9 @@ class Limiter {
* @param IUser $user
* @throws RateLimitExceededException
*/
- public function registerUserRequest($identifier,
- $userLimit,
- $userPeriod,
+ public function registerUserRequest(string $identifier,
+ int $userLimit,
+ int $userPeriod,
IUser $user) {
$userHashIdentifier = hash('sha512', 'user::' . $identifier . $user->getUID());
$this->register($identifier, $userHashIdentifier, $userPeriod, $userLimit);