Throttle requests to unknown tokens

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2018-04-23 22:43:08 +02:00
parent b6c58e75b7
commit 392337fa13
No known key found for this signature in database
GPG Key ID: F941078878347C0C
3 changed files with 28 additions and 5 deletions

View File

@ -38,7 +38,10 @@ $server = $serverFactory->createServer(
$baseuri,
$requestUri,
\OC::$server->getRootFolder(),
\OC::$server->query(\OCA\DAV\Db\DirectMapper::class)
\OC::$server->query(\OCA\DAV\Db\DirectMapper::class),
\OC::$server->query(\OCP\AppFramework\Utility\ITimeFactory::class),
\OC::$server->getBruteForceThrottler(),
\OC::$server->getRequest()
);
$server->exec();

View File

@ -24,10 +24,12 @@ declare(strict_types=1);
namespace OCA\DAV\Direct;
use OC\Security\Bruteforce\Throttler;
use OCA\DAV\Db\DirectMapper;
use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Files\IRootFolder;
use OCP\IRequest;
use Sabre\DAV\Exception\Forbidden;
use Sabre\DAV\Exception\MethodNotAllowed;
use Sabre\DAV\Exception\NotFound;
@ -44,12 +46,22 @@ class DirectHome implements ICollection {
/** @var ITimeFactory */
private $timeFactory;
/** @var Throttler */
private $throttler;
/** @var IRequest */
private $request;
public function __construct(IRootFolder $rootFolder,
DirectMapper $mapper,
ITimeFactory $timeFactory) {
ITimeFactory $timeFactory,
Throttler $throttler,
IRequest $request) {
$this->rootFolder = $rootFolder;
$this->mapper = $mapper;
$this->timeFactory = $timeFactory;
$this->throttler = $throttler;
$this->request = $request;
}
public function createFile($name, $data = null) {
@ -71,7 +83,9 @@ class DirectHome implements ICollection {
return new DirectFile($direct, $this->rootFolder);
} catch (DoesNotExistException $e) {
//TODO: throttle the ip to avoid brute forcing
// Since the token space is so huge only throttle on non exsisting token
$this->throttler->registerAttempt('directlink', $this->request->getRemoteAddress());
$this->throttler->sleepDelay($this->request->getRemoteAddress(), 'directlink');
throw new NotFound();
}

View File

@ -24,9 +24,12 @@ declare(strict_types=1);
namespace OCA\DAV\Direct;
use OC\Security\Bruteforce\Throttler;
use OCA\DAV\Db\DirectMapper;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Files\IRootFolder;
use OCP\IConfig;
use OCP\IRequest;
class ServerFactory {
/** @var IConfig */
@ -39,8 +42,11 @@ class ServerFactory {
public function createServer(string $baseURI,
string $requestURI,
IRootFolder $rootFolder,
DirectMapper $mapper) {
$home = new DirectHome($rootFolder, $mapper);
DirectMapper $mapper,
ITimeFactory $timeFactory,
Throttler $throttler,
IRequest $request): Server {
$home = new DirectHome($rootFolder, $mapper, $timeFactory, $throttler, $request);
$server = new Server($home);
$server->httpRequest->setUrl($requestURI);