From fe780945e2c1f9cd57b3a5f4b3e275ef45c7cb6e Mon Sep 17 00:00:00 2001
From: Hamza Mahjoubi
Date: Fri, 5 Apr 2024 00:00:49 +0200
Subject: fix(dav): Rate limit address book creation
Signed-off-by: Hamza Mahjoubi
---
 .../CardDAV/Security/CardDavRateLimitingPlugin.php | 87 ++++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 apps/dav/lib/CardDAV/Security/CardDavRateLimitingPlugin.php
(limited to 'apps/dav/lib/CardDAV')
diff --git a/apps/dav/lib/CardDAV/Security/CardDavRateLimitingPlugin.php b/apps/dav/lib/CardDAV/Security/CardDavRateLimitingPlugin.php
new file mode 100644
index 00000000000..65f20a955fd
--- /dev/null
+++ b/apps/dav/lib/CardDAV/Security/CardDavRateLimitingPlugin.php
@@ -0,0 +1,87 @@
+limiter = $limiter;
+ $this->userManager = $userManager;
+ $this->cardDavBackend = $cardDavBackend;
+ $this->config = $config;
+ $this->logger = $logger;
+ $this->userId = $userId;
+ }
+
+ public function initialize(DAV\Server $server): void {
+ $server->on('beforeBind', [$this, 'beforeBind'], 1);
+ }
+
+ public function beforeBind(string $path): void {
+ if ($this->userId === null) {
+ // We only care about authenticated users here
+ return;
+ }
+ $user = $this->userManager->get($this->userId);
+ if ($user === null) {
+ // We only care about authenticated users here
+ return;
+ }
+
+ $pathParts = explode('/', $path);
+ if (count($pathParts) === 4 && $pathParts[0] === 'addressbooks') {
+ // Path looks like addressbooks/users/username/addressbooksname so a new addressbook is created
+ try {
+ $this->limiter->registerUserRequest(
+ 'carddav-create-address-book',
+ $this->config->getValueInt('dav', 'rateLimitAddressBookCreation', 10),
+ $this->config->getValueInt('dav', 'rateLimitPeriodAddressBookCreation', 3600),
+ $user
+ );
+ } catch (RateLimitExceededException $e) {
+ throw new TooManyRequests('Too many addressbooks created', 0, $e);
+ }
+
+ $addressBookLimit = $this->config->getValueInt('dav', 'maximumAdressbooks', 10);
+ if ($addressBookLimit === -1) {
+ return;
+ }
+ $numAddressbooks = $this->cardDavBackend->getAddressBooksForUserCount('principals/users/' . $user->getUID());
+
+ if ($numAddressbooks >= $addressBookLimit) {
+ $this->logger->warning('Maximum number of address books reached', [
+ 'addressbooks' => $numAddressbooks,
+ 'addressBookLimit' => $addressBookLimit,
+ ]);
+ throw new Forbidden('AddressBook limit reached', 0);
+ }
+ }
+ }
+
+}
-- cgit v1.2.3
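Review bot: The config key `'maximumAdressbooks'` in the hard-limit lookup is spelled with a single `d`, unlike the neighbouring `rateLimitAddressBookCreation` and `rateLimitPeriodAddressBookCreation` keys, so an admin who configures `maximumAddressbooks` by analogy silently keeps the default of 10; unless this spelling is already documented for the dav app, `$this->config->getValueInt('dav', 'maximumAddressbooks', 10)` would be consistent. The `-1` sentinel deserves a comment above the `if ($addressBookLimit === -1)` guard, e.g. `// -1 disables the hard limit; 0 (or any other negative value) rejects every creation`, since `0 >= 0` already blocks the first address book. The count returned by getAddressBooksForUserCount() is read before the bind completes, so concurrent creation requests can each pass the `$numAddressbooks >= $addressBookLimit` check and overshoot the limit; the rate limiter bounds the overshoot but does not remove it, which is worth stating in a comment so nobody treats the limit as exact. The check is also keyed on the authenticated user's principal while `$pathParts[1]` and `$pathParts[2]` are never compared against it, so a bind at the same depth under another principal's home is counted against the requester — presumably harmless given the ACL layer, but a one-line comment would make that intent explicit. The constructor whose assignments open the hunk starts outside the visible hunk (its signature and the property declarations are cut off here).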