author | Joas Schilling <coding@schilljs.com> | 2023-05-11 09:17:30 +0200 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2023-05-15 16:20:19 +0200 |
commit | 3a6bc7aba2625dd4144e25033fabe8b8f42afb42 (patch) | |
tree | 65a23b8f04da38d0c1e83e9c238e951c2131261d /lib/private | |
parent | b9026acf3ffbf8f7ea060761b09bb8ec8b10e62f (diff) | |
fix(middleware): Also abort the request when reaching max delay in afterController
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'lib/private')
-rw-r--r-- | lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php | 52 |
1 files changed, 30 insertions, 22 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
index ba8c7f45b49..2ecd26a68e1 100644
--- a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
@@ -90,32 +90,40 @@ class BruteForceMiddleware extends Middleware { */ public function afterController($controller, $methodName, Response $response) { if ($response->isThrottled()) { - if ($this->reflector->hasAnnotation('BruteForceProtection')) { - $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); - $ip = $this->request->getRemoteAddress(); - $this->throttler->sleepDelay($ip, $action); - $this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata()); - } else { - $reflectionMethod = new ReflectionMethod($controller, $methodName); - $attributes = $reflectionMethod->getAttributes(BruteForceProtection::class); - - if (!empty($attributes)) { + try { + if ($this->reflector->hasAnnotation('BruteForceProtection')) { + $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); $ip = $this->request->getRemoteAddress(); - $metaData = $response->getThrottleMetadata(); - - foreach ($attributes as $attribute) { - /** @var BruteForceProtection $protection */ - $protection = $attribute->newInstance(); - $action = $protection->getAction(); - - if (!isset($metaData['action']) || $metaData['action'] === $action) { - $this->throttler->sleepDelay($ip, $action); - $this->throttler->registerAttempt($action, $ip, $metaData); + $this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata()); + $this->throttler->sleepDelayOrThrowOnMax($ip, $action); + } else { + $reflectionMethod = new ReflectionMethod($controller, $methodName); + $attributes = $reflectionMethod->getAttributes(BruteForceProtection::class); + + if (!empty($attributes)) { + $ip = $this->request->getRemoteAddress(); + $metaData = $response->getThrottleMetadata(); + + foreach ($attributes as $attribute) { + /** @var BruteForceProtection $protection */ + $protection = $attribute->newInstance(); + $action = $protection->getAction(); + + if (!isset($metaData['action']) || $metaData['action'] === $action) { + 
$this->throttler->registerAttempt($action, $ip, $metaData); + $this->throttler->sleepDelayOrThrowOnMax($ip, $action); + } } + } else { + $this->logger->debug('Response for ' . get_class($controller) . '::' . $methodName . ' got bruteforce throttled but has no annotation nor attribute defined.'); } - } else { - $this->logger->debug('Response for ' . get_class($controller) . '::' . $methodName . ' got bruteforce throttled but has no annotation nor attribute defined.'); } + } catch (MaxDelayReached $e) { + if ($controller instanceof OCSController) { + throw new OCSException($e->getMessage(), Http::STATUS_TOO_MANY_REQUESTS); + } + + return new TooManyRequestsResponse(); } } |
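Review bot: The new catch block changes afterController's contract — it can now throw OCSException, or hand back a fresh TooManyRequestsResponse in place of the $response it was given — but the method docblock, which closes at the ` */` line at the top of the hunk and otherwise lies outside it, is not updated; add `@throws OCSException when the brute-force delay limit is reached for an OCS controller` and a line stating that for other controllers a TooManyRequestsResponse replaces the controller's response. A brief comment on the reordering in both branches would also help, e.g. `// Register the attempt before sleeping so it is still counted when MaxDelayReached aborts the request`, since calling registerAttempt() first is the deliberate change here. As a point of style, the registerAttempt()/sleepDelayOrThrowOnMax() pair is now duplicated in the annotation and attribute branches and could live in one private helper. Inside the foreach, a MaxDelayReached raised for the first matching attribute also skips registerAttempt() for any later matching attribute; that presumably only matters if a method carries several BruteForceProtection attributes with the same action, which seems unlikely but is worth a note.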