diff options
| author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2021-05-12 11:07:28 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-05-12 11:07:28 +0300 |
| commit | 024ed97e7eef00f51d896672aee6bf7684619870 (patch) | |
| tree | ff041577a22dcb9856944ec7a633fa904c6a67d5 | |
| parent | 0599a8060ceb6518bb3981c88fc14f215d80f562 (diff) | |
| parent | 701294520aad315aeae06b03160830a375e98599 (diff) | |
Merge pull request #26945 from nextcloud/enh/shareinfo/throttle
Add bruteforce protection to the shareinfo endpoint
| -rw-r--r-- | apps/files_sharing/lib/Controller/ShareInfoController.php | 16 | ||||
| -rw-r--r-- | apps/files_sharing/tests/Controller/ShareInfoControllerTest.php | 3 |
2 files changed, 14 insertions, 5 deletions
diff --git a/apps/files_sharing/lib/Controller/ShareInfoController.php b/apps/files_sharing/lib/Controller/ShareInfoController.php index 315a562abef..0fe98a32c7d 100644 --- a/apps/files_sharing/lib/Controller/ShareInfoController.php +++ b/apps/files_sharing/lib/Controller/ShareInfoController.php @@ -48,7 +48,7 @@ class ShareInfoController extends ApiController { * @param IRequest $request * @param IManager $shareManager */ - public function __construct($appName, + public function __construct(string $appName, IRequest $request, IManager $shareManager) { parent::__construct($appName, $request); @@ -59,26 +59,32 @@ class ShareInfoController extends ApiController { /** * @PublicPage * @NoCSRFRequired + * @BruteForceProtection(action=shareinfo) * * @param string $t * @param null $password * @param null $dir * @return JSONResponse - * @throws ShareNotFound */ public function info($t, $password = null, $dir = null) { try { $share = $this->shareManager->getShareByToken($t); } catch (ShareNotFound $e) { - return new JSONResponse([], Http::STATUS_NOT_FOUND); + $response = new JSONResponse([], Http::STATUS_NOT_FOUND); + $response->throttle(['token' => $t]); + return $response; } if ($share->getPassword() && !$this->shareManager->checkPassword($share, $password)) { - return new JSONResponse([], Http::STATUS_FORBIDDEN); + $response = new JSONResponse([], Http::STATUS_FORBIDDEN); + $response->throttle(['token' => $t]); + return $response; } if (!($share->getPermissions() & Constants::PERMISSION_READ)) { - return new JSONResponse([], Http::STATUS_FORBIDDEN); + $response = new JSONResponse([], Http::STATUS_FORBIDDEN); + $response->throttle(['token' => $t]); + return $response; } $permissionMask = $share->getPermissions(); diff --git a/apps/files_sharing/tests/Controller/ShareInfoControllerTest.php b/apps/files_sharing/tests/Controller/ShareInfoControllerTest.php index 9ea93b9900a..5de04d8444b 100644 --- a/apps/files_sharing/tests/Controller/ShareInfoControllerTest.php +++ b/apps/files_sharing/tests/Controller/ShareInfoControllerTest.php @@ -66,6 +66,7 @@ class ShareInfoControllerTest extends TestCase { ->willThrowException(new ShareNotFound()); $expected = new JSONResponse([], Http::STATUS_NOT_FOUND); + $expected->throttle(['token' => 'token']); $this->assertEquals($expected, $this->controller->info('token')); } @@ -82,6 +83,7 @@ class ShareInfoControllerTest extends TestCase { ->willReturn(false); $expected = new JSONResponse([], Http::STATUS_FORBIDDEN); + $expected->throttle(['token' => 'token']); $this->assertEquals($expected, $this->controller->info('token', 'pass')); } @@ -100,6 +102,7 @@ class ShareInfoControllerTest extends TestCase { ->willReturn(true); $expected = new JSONResponse([], Http::STATUS_FORBIDDEN); + $expected->throttle(['token' => 'token']); $this->assertEquals($expected, $this->controller->info('token', 'pass')); } |