Throttle requests to unknown tokens

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2018-04-23 22:43:08 +02:00
parent b6c58e75b7
commit 392337fa13
GPG Key ID: F941078878347C0C
3 changed files with 28 additions and 5 deletions


@ -38,7 +38,10 @@ $server = $serverFactory->createServer(
$baseuri, $baseuri,
$requestUri, $requestUri,
\OC::$server->getRootFolder(), \OC::$server->getRootFolder(),
\OC::$server->query(\OCA\DAV\Db\DirectMapper::class) \OC::$server->query(\OCA\DAV\Db\DirectMapper::class),
\OC::$server->query(\OCP\AppFramework\Utility\ITimeFactory::class),
\OC::$server->getBruteForceThrottler(),
\OC::$server->getRequest()
); );
$server->exec(); $server->exec();


@ -24,10 +24,12 @@ declare(strict_types=1);
namespace OCA\DAV\Direct; namespace OCA\DAV\Direct;
use OC\Security\Bruteforce\Throttler;
use OCA\DAV\Db\DirectMapper; use OCA\DAV\Db\DirectMapper;
use OCP\AppFramework\Db\DoesNotExistException; use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Utility\ITimeFactory; use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Files\IRootFolder; use OCP\Files\IRootFolder;
use OCP\IRequest;
use Sabre\DAV\Exception\Forbidden; use Sabre\DAV\Exception\Forbidden;
use Sabre\DAV\Exception\MethodNotAllowed; use Sabre\DAV\Exception\MethodNotAllowed;
use Sabre\DAV\Exception\NotFound; use Sabre\DAV\Exception\NotFound;
@ -44,12 +46,22 @@ class DirectHome implements ICollection {
/** @var ITimeFactory */ /** @var ITimeFactory */
private $timeFactory; private $timeFactory;
/** @var Throttler */
private $throttler;
/** @var IRequest */
private $request;
public function __construct(IRootFolder $rootFolder, public function __construct(IRootFolder $rootFolder,
DirectMapper $mapper, DirectMapper $mapper,
ITimeFactory $timeFactory) { ITimeFactory $timeFactory,
Throttler $throttler,
IRequest $request) {
$this->rootFolder = $rootFolder; $this->rootFolder = $rootFolder;
$this->mapper = $mapper; $this->mapper = $mapper;
$this->timeFactory = $timeFactory; $this->timeFactory = $timeFactory;
$this->throttler = $throttler;
$this->request = $request;
} }
public function createFile($name, $data = null) { public function createFile($name, $data = null) {
@ -71,7 +83,9 @@ class DirectHome implements ICollection {
return new DirectFile($direct, $this->rootFolder); return new DirectFile($direct, $this->rootFolder);
} catch (DoesNotExistException $e) { } catch (DoesNotExistException $e) {
//TODO: throttle the ip to avoid brute forcing // Since the token space is so huge only throttle on non exsisting token
$this->throttler->registerAttempt('directlink', $this->request->getRemoteAddress());
$this->throttler->sleepDelay($this->request->getRemoteAddress(), 'directlink');
throw new NotFound(); throw new NotFound();
} }
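Review bot: In the new `DoesNotExistException` handler the remote address is fetched twice, once for `registerAttempt` and once for `sleepDelay`; read it once into a local, `$ip = $this->request->getRemoteAddress();`, and pass `$ip` to both calls so the two can never disagree and the opposite argument orders of the two Throttler methods (`registerAttempt('directlink', $ip)` vs `sleepDelay($ip, 'directlink')`) are easier to read. The new comment has a typo (`exsisting` → `existing`) and should state the intent rather than only the reason, e.g. `// The token space is huge, so a miss is the only signal of guessing: count it against the client address and delay the reply to slow enumeration.` As far as I recall the Throttler only delays responses up to a bounded maximum rather than refusing them, so this is a defence-in-depth measure whose strength still rests on the entropy of the token generated outside this hunk; worth confirming that assumption and documenting it next to the token generator. The enclosing method starts before this hunk, so whether expired-but-existing tokens also reach a `NotFound` without being throttled cannot be judged from here.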


@ -24,9 +24,12 @@ declare(strict_types=1);
namespace OCA\DAV\Direct; namespace OCA\DAV\Direct;
use OC\Security\Bruteforce\Throttler;
use OCA\DAV\Db\DirectMapper; use OCA\DAV\Db\DirectMapper;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Files\IRootFolder; use OCP\Files\IRootFolder;
use OCP\IConfig; use OCP\IConfig;
use OCP\IRequest;
class ServerFactory { class ServerFactory {
/** @var IConfig */ /** @var IConfig */
@ -39,8 +42,11 @@ class ServerFactory {
public function createServer(string $baseURI, public function createServer(string $baseURI,
string $requestURI, string $requestURI,
IRootFolder $rootFolder, IRootFolder $rootFolder,
DirectMapper $mapper) { DirectMapper $mapper,
$home = new DirectHome($rootFolder, $mapper); ITimeFactory $timeFactory,
Throttler $throttler,
IRequest $request): Server {
$home = new DirectHome($rootFolder, $mapper, $timeFactory, $throttler, $request);
$server = new Server($home); $server = new Server($home);
$server->httpRequest->setUrl($requestURI); $server->httpRequest->setUrl($requestURI);