Throttle requests to unknown tokens
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
parent
b6c58e75b7
commit
392337fa13
|
@ -38,7 +38,10 @@ $server = $serverFactory->createServer(
|
|||
$baseuri,
|
||||
$requestUri,
|
||||
\OC::$server->getRootFolder(),
|
||||
\OC::$server->query(\OCA\DAV\Db\DirectMapper::class)
|
||||
\OC::$server->query(\OCA\DAV\Db\DirectMapper::class),
|
||||
\OC::$server->query(\OCP\AppFramework\Utility\ITimeFactory::class),
|
||||
\OC::$server->getBruteForceThrottler(),
|
||||
\OC::$server->getRequest()
|
||||
);
|
||||
|
||||
$server->exec();
|
||||
|
|
|
@ -24,10 +24,12 @@ declare(strict_types=1);
|
|||
|
||||
namespace OCA\DAV\Direct;
|
||||
|
||||
use OC\Security\Bruteforce\Throttler;
|
||||
use OCA\DAV\Db\DirectMapper;
|
||||
use OCP\AppFramework\Db\DoesNotExistException;
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\Files\IRootFolder;
|
||||
use OCP\IRequest;
|
||||
use Sabre\DAV\Exception\Forbidden;
|
||||
use Sabre\DAV\Exception\MethodNotAllowed;
|
||||
use Sabre\DAV\Exception\NotFound;
|
||||
|
@ -44,12 +46,22 @@ class DirectHome implements ICollection {
|
|||
/** @var ITimeFactory */
|
||||
private $timeFactory;
|
||||
|
||||
/** @var Throttler */
|
||||
private $throttler;
|
||||
|
||||
/** @var IRequest */
|
||||
private $request;
|
||||
|
||||
public function __construct(IRootFolder $rootFolder,
|
||||
DirectMapper $mapper,
|
||||
ITimeFactory $timeFactory) {
|
||||
ITimeFactory $timeFactory,
|
||||
Throttler $throttler,
|
||||
IRequest $request) {
|
||||
$this->rootFolder = $rootFolder;
|
||||
$this->mapper = $mapper;
|
||||
$this->timeFactory = $timeFactory;
|
||||
$this->throttler = $throttler;
|
||||
$this->request = $request;
|
||||
}
|
||||
|
||||
public function createFile($name, $data = null) {
|
||||
|
@ -71,7 +83,9 @@ class DirectHome implements ICollection {
|
|||
|
||||
return new DirectFile($direct, $this->rootFolder);
|
||||
} catch (DoesNotExistException $e) {
|
||||
//TODO: throttle the ip to avoid brute forcing
|
||||
// Since the token space is so huge only throttle on non exsisting token
|
||||
$this->throttler->registerAttempt('directlink', $this->request->getRemoteAddress());
|
||||
$this->throttler->sleepDelay($this->request->getRemoteAddress(), 'directlink');
|
||||
|
||||
throw new NotFound();
|
||||
}
|
||||
|
|
|
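Review bot: In the `catch (DoesNotExistException $e)` branch of the child-lookup method (its signature is outside the hunk, presumably `getChild`) the action name `'directlink'` and `$this->request->getRemoteAddress()` are each written out twice, once for `registerAttempt` and once for `sleepDelay`, so the two calls can drift apart; hoisting them with `$ip = $this->request->getRemoteAddress();` and a class constant `private const THROTTLE_ACTION = 'directlink';` used in both calls keeps them in step. The comment above them also has a typo: `// Since the token space is so huge only throttle on non existing token`. Separately, the new `use OC\Security\Bruteforce\Throttler;` import (and the same line in ServerFactory.php below) pulls a class from the private `OC\` namespace into an `OCA\` app, coupling the app to server internals rather than a public `OCP\` contract; if no public interface for the throttler is available to the app this is unavoidable, but a one-line comment on the property saying so would save the next reader the question.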
@ -24,9 +24,12 @@ declare(strict_types=1);
|
|||
|
||||
namespace OCA\DAV\Direct;
|
||||
|
||||
use OC\Security\Bruteforce\Throttler;
|
||||
use OCA\DAV\Db\DirectMapper;
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\Files\IRootFolder;
|
||||
use OCP\IConfig;
|
||||
use OCP\IRequest;
|
||||
|
||||
class ServerFactory {
|
||||
/** @var IConfig */
|
||||
|
@ -39,8 +42,11 @@ class ServerFactory {
|
|||
public function createServer(string $baseURI,
|
||||
string $requestURI,
|
||||
IRootFolder $rootFolder,
|
||||
DirectMapper $mapper) {
|
||||
$home = new DirectHome($rootFolder, $mapper);
|
||||
DirectMapper $mapper,
|
||||
ITimeFactory $timeFactory,
|
||||
Throttler $throttler,
|
||||
IRequest $request): Server {
|
||||
$home = new DirectHome($rootFolder, $mapper, $timeFactory, $throttler, $request);
|
||||
$server = new Server($home);
|
||||
|
||||
$server->httpRequest->setUrl($requestURI);
|
||||
|
|
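Review bot: `createServer` now threads `ITimeFactory`, `Throttler` and `IRequest` through as positional parameters only to forward them to `new DirectHome(...)`, while the factory already carries injected state (the `/** @var IConfig */` property in the first hunk suggests it has its own constructor). Injecting those three collaborators into ServerFactory's constructor instead would keep `createServer` to the per-request inputs and spare the endpoint script from resolving each one from `\OC::$server` by hand. The constructor is outside the hunk, so this is a suggestion rather than something the diff proves feasible. Since the signature is being reworked anyway, a short docblock distinguishing `$baseURI` (the DAV base) from `$requestURI` (the path of the current request) would help, as the names alone do not make that obvious.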