From d6a2f00befda97f25f13dae8c11be75077a358a2 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Tue, 22 Jun 2021 19:54:13 +0200
Subject: Throttle on public DAV endpoint

We should throttle whenever an invalid request is sent to the public WebDAV endpoint.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
---
 apps/dav/lib/Connector/PublicAuth.php | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

(limited to 'apps/dav/lib/Connector')

diff --git a/apps/dav/lib/Connector/PublicAuth.php b/apps/dav/lib/Connector/PublicAuth.php
index 55d2de72228..426cbf871d7 100644
--- a/apps/dav/lib/Connector/PublicAuth.php
+++ b/apps/dav/lib/Connector/PublicAuth.php
@@ -29,6 +29,7 @@
  */
 namespace OCA\DAV\Connector;
 
+use OC\Security\Bruteforce\Throttler;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\Share\Exceptions\ShareNotFound;
@@ -42,6 +43,7 @@ use Sabre\DAV\Auth\Backend\AbstractBasic;
  * @package OCA\DAV\Connector
  */
 class PublicAuth extends AbstractBasic {
+	private const BRUTEFORCE_ACTION = 'public_webdav_auth';
 
 	/** @var \OCP\Share\IShare */
 	private $share;
@@ -55,17 +57,23 @@ class PublicAuth extends AbstractBasic {
 	/** @var IRequest */
 	private $request;
 
+	/** @var Throttler */
+	private $throttler;
+
 	/**
 	 * @param IRequest $request
 	 * @param IManager $shareManager
 	 * @param ISession $session
+	 * @param Throttler $throttler
 	 */
 	public function __construct(IRequest $request,
 								IManager $shareManager,
-								ISession $session) {
+								ISession $session,
+								Throttler $throttler) {
 		$this->request = $request;
 		$this->shareManager = $shareManager;
 		$this->session = $session;
+		$this->throttler = $throttler;
 
 		// setup realm
 		$defaults = new \OCP\Defaults();
@@ -85,9 +93,12 @@ class PublicAuth extends AbstractBasic {
 	 * @throws \Sabre\DAV\Exception\NotAuthenticated
 	 */
 	protected function validateUserPass($username, $password) {
+		$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), self::BRUTEFORCE_ACTION);
+
 		try {
 			$share = $this->shareManager->getShareByToken($username);
 		} catch (ShareNotFound $e) {
+			$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
 			return false;
 		}
 
@@ -112,11 +123,14 @@ class PublicAuth extends AbstractBasic {
 						header('WWW-Authenticate: DummyBasic realm="' . $this->realm . '"');
 						throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
 					}
+
+					$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
 					return false;
 				}
 			} elseif ($share->getShareType() === IShare::TYPE_REMOTE) {
 				return true;
 			} else {
+				$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
 				return false;
 			}
 		} else {
-- 
cgit v1.2.3