Merge pull request #26945 from nextcloud/enh/shareinfo/throttle

rullzer · web-flow · commit 024ed97e7eef · 2021-05-12T10:07:28.000+02:00
Add bruteforce protection to the shareinfo endpoint
diff --git a/apps/files_sharing/lib/Controller/ShareInfoController.php b/apps/files_sharing/lib/Controller/ShareInfoController.php
@@ -48,7 +48,7 @@ class ShareInfoController extends ApiController {
 	 * @param IRequest $request
 	 * @param IManager $shareManager
 	 */
-	public function __construct($appName,
+	public function __construct(string $appName,
 								IRequest $request,
 								IManager $shareManager) {
 		parent::__construct($appName, $request);
@@ -59,26 +59,32 @@ public function __construct($appName,
 	/**
 	 * @PublicPage
 	 * @NoCSRFRequired
+	 * @BruteForceProtection(action=shareinfo)
 	 *
 	 * @param string $t
 	 * @param null $password
 	 * @param null $dir
 	 * @return JSONResponse
-	 * @throws ShareNotFound
 	 */
 	public function info($t, $password = null, $dir = null) {
 		try {
 			$share = $this->shareManager->getShareByToken($t);
 		} catch (ShareNotFound $e) {
-			return new JSONResponse([], Http::STATUS_NOT_FOUND);
+			$response = new JSONResponse([], Http::STATUS_NOT_FOUND);
+			$response->throttle(['token' => $t]);
+			return $response;
 		}
 
 		if ($share->getPassword() && !$this->shareManager->checkPassword($share, $password)) {
-			return new JSONResponse([], Http::STATUS_FORBIDDEN);
+			$response = new JSONResponse([], Http::STATUS_FORBIDDEN);
+			$response->throttle(['token' => $t]);
+			return $response;
 		}
 
 		if (!($share->getPermissions() & Constants::PERMISSION_READ)) {
-			return new JSONResponse([], Http::STATUS_FORBIDDEN);
+			$response = new JSONResponse([], Http::STATUS_FORBIDDEN);
+			$response->throttle(['token' => $t]);
+			return $response;
 		}
 
 		$permissionMask = $share->getPermissions();
diff --git a/apps/files_sharing/tests/Controller/ShareInfoControllerTest.php b/apps/files_sharing/tests/Controller/ShareInfoControllerTest.php
@@ -66,6 +66,7 @@ public function testNoShare() {
 			->willThrowException(new ShareNotFound());
 
 		$expected = new JSONResponse([], Http::STATUS_NOT_FOUND);
+		$expected->throttle(['token' => 'token']);
 		$this->assertEquals($expected, $this->controller->info('token'));
 	}
 
@@ -82,6 +83,7 @@ public function testWrongPassword() {
 			->willReturn(false);
 
 		$expected = new JSONResponse([], Http::STATUS_FORBIDDEN);
+		$expected->throttle(['token' => 'token']);
 		$this->assertEquals($expected, $this->controller->info('token', 'pass'));
 	}
 
@@ -100,6 +102,7 @@ public function testNoReadPermissions() {
 			->willReturn(true);
 
 		$expected = new JSONResponse([], Http::STATUS_FORBIDDEN);
+		$expected->throttle(['token' => 'token']);
 		$this->assertEquals($expected, $this->controller->info('token', 'pass'));
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,7 @@ public function testNoShare() {`
`66`	`66`	`->willThrowException(new ShareNotFound());`
`67`	`67`
`68`	`68`	`$expected = new JSONResponse([], Http::STATUS_NOT_FOUND);`
	`69`	`+ $expected->throttle(['token' => 'token']);`
`69`	`70`	`$this->assertEquals($expected, $this->controller->info('token'));`
`70`	`71`	`}`
`71`	`72`
`@@ -82,6 +83,7 @@ public function testWrongPassword() {`
`82`	`83`	`->willReturn(false);`
`83`	`84`
`84`	`85`	`$expected = new JSONResponse([], Http::STATUS_FORBIDDEN);`
	`86`	`+ $expected->throttle(['token' => 'token']);`
`85`	`87`	`$this->assertEquals($expected, $this->controller->info('token', 'pass'));`
`86`	`88`	`}`
`87`	`89`
`@@ -100,6 +102,7 @@ public function testNoReadPermissions() {`
`100`	`102`	`->willReturn(true);`
`101`	`103`
`102`	`104`	`$expected = new JSONResponse([], Http::STATUS_FORBIDDEN);`
	`105`	`+ $expected->throttle(['token' => 'token']);`
`103`	`106`	`$this->assertEquals($expected, $this->controller->info('token', 'pass'));`
`104`	`107`	`}`
`105`	`108`