From c5fbe5a7bc2ce6f808f1e604b9ba46980bd76908 Mon Sep 17 00:00:00 2001
From: Marcel Klehr <mklehr@gmx.net>
Date: Wed, 18 Oct 2023 10:51:28 +0200
Subject: enh(TextToImage): Add bruteforce protection for anonymous API usage

Signed-off-by: Marcel Klehr <mklehr@gmx.net>
---
 core/Controller/TextToImageApiController.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)


diff --git a/core/Controller/TextToImageApiController.php b/core/Controller/TextToImageApiController.php
index 02692f09cdf..7a5e81ebcbf 100644
--- a/core/Controller/TextToImageApiController.php
+++ b/core/Controller/TextToImageApiController.php
@@ -35,6 +35,7 @@ use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\FileDisplayResponse;
+use OCP\Files\NotFoundException;
 use OCP\IL10N;
 use OCP\IRequest;
 use OCP\TextToImage\Exception\TaskNotFoundException;
@@ -111,6 +112,7 @@ class TextToImageApiController extends \OCP\AppFramework\OCSController {
 	 * 404: Task not found
 	 */
 	#[PublicPage]
+	#[AnonRateLimit(limit: 5, period: 120)]
 	public function getTask(int $id): DataResponse {
 		try {
 			$task = $this->textToImageManager->getUserTask($id, $this->userId);
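Review bot: The added `#[AnonRateLimit(limit: 5, period: 120)]` on getTask bounds, presumably, only requests that arrive without an authenticated user; because the method is `#[PublicPage]`, logged-in callers can still call it without any throttle unless a matching `#[UserRateLimit(limit: 5, period: 120)]` (already imported in this file) is added alongside. Since the lookup is `getUserTask($id, $this->userId)` with a plain integer id, the anonymous limit is what slows down an unauthenticated caller probing ids for existence, which matches the commit's intent, but the attribute itself is a rate limiter rather than a lockout, so repeated probing is merely slowed to 5 per 120 s. The same observation applies to getImage in the next hunk. getTask's body continues past the end of this hunk.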
@@ -139,12 +141,13 @@ class TextToImageApiController extends \OCP\AppFramework\OCSController {
 	 * 404: Task not found
 	 */
 	#[PublicPage]
+	#[AnonRateLimit(limit: 5, period: 120)]
 	public function getImage(int $id): DataResponse|FileDisplayResponse {
 		try {
 			$task = $this->textToImageManager->getUserTask($id, $this->userId);
 			try {
 				$folder = $this->appData->getFolder('text2image');
-			} catch(\OCP\Files\NotFoundException) {
+			} catch(NotFoundException) {
 				$folder = $this->appData->newFolder('text2image');
 			}
 			$file = $folder->getFile((string)$task->getId());
@@ -155,7 +158,7 @@ class TextToImageApiController extends \OCP\AppFramework\OCSController {
 			return new DataResponse(['message' => $this->l->t('Task not found')], Http::STATUS_NOT_FOUND);
 		} catch (\RuntimeException) {
 			return new DataResponse(['message' => $this->l->t('Internal error')], Http::STATUS_INTERNAL_SERVER_ERROR);
-		} catch (\OCP\Files\NotFoundException) {
+		} catch (NotFoundException) {
 			return new DataResponse(['message' => $this->l->t('Image not found')], Http::STATUS_NOT_FOUND);
 		}
 	}
@@ -171,6 +174,7 @@ class TextToImageApiController extends \OCP\AppFramework\OCSController {
 	 * 404: Task not found
 	 */
 	#[NoAdminRequired]
+	#[AnonRateLimit(limit: 5, period: 120)]
 	public function deleteTask(int $id): DataResponse {
 		try {
 			$task = $this->textToImageManager->getUserTask($id, $this->userId);
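Review bot: deleteTask carries `#[NoAdminRequired]` but not `#[PublicPage]`, so if that combination still requires a logged-in user, the added `#[AnonRateLimit(limit: 5, period: 120)]` never applies to anyone who can actually reach the route; the attribute that would throttle those callers is `#[UserRateLimit(limit: 5, period: 120)]`, which the file already imports. listTasksByApp in the last hunk has the same mismatch. If the anonymous attribute is kept deliberately for a future public variant of these routes, a one-line comment such as `// AnonRateLimit only takes effect if this route is ever made public` would save the next reader the same question. deleteTask's body continues past the end of this hunk.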
@@ -201,6 +205,7 @@ class TextToImageApiController extends \OCP\AppFramework\OCSController {
 	 *  200: Task list returned
 	 */
 	#[NoAdminRequired]
+	#[AnonRateLimit(limit: 5, period: 120)]
 	public function listTasksByApp(string $appId, ?string $identifier = null): DataResponse {
 		try {
 			$tasks = $this->textToImageManager->getUserTasksByApp($this->userId, $appId, $identifier);
-- 