From 338ab643657802c572f8515c8ecc354e34df17c7 Mon Sep 17 00:00:00 2001 From: skjnldsv Date: Wed, 19 Feb 2025 16:10:19 +0100 Subject: [PATCH 1/4] fix(files_sharing): rate limit share creation 10 times per 10 minutes Signed-off-by: skjnldsv --- apps/files_sharing/lib/Controller/ShareAPIController.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php index 1e1d60aae25ac..cffe82beb1c85 100644 --- a/apps/files_sharing/lib/Controller/ShareAPIController.php +++ b/apps/files_sharing/lib/Controller/ShareAPIController.php @@ -558,6 +558,7 @@ public function deleteShare(string $id): DataResponse { * 200: Share created */ #[NoAdminRequired] + #[UserRateLimit(limit: 10, period: 600)] public function createShare( ?string $path = null, ?int $permissions = null, @@ -2150,7 +2151,7 @@ private function checkInheritedAttributes(IShare $share): void { * 200: The email notification was sent successfully */ #[NoAdminRequired] - #[UserRateLimit(limit: 5, period: 120)] + #[UserRateLimit(limit: 10, period: 600)] public function sendShareEmail(string $id, $password = ''): DataResponse { try { $share = $this->getShareById($id); From 59d1a49acc5661d762f9831cfecce3f2d7544153 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Tue, 15 Apr 2025 08:45:50 +0200 Subject: [PATCH 2/4] test: Disable ratelimit as tests trigger it Signed-off-by: Joas Schilling --- build/integration/run.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build/integration/run.sh b/build/integration/run.sh index 4515cd459ae75..cbd3cceb3d163 100755 --- a/build/integration/run.sh +++ b/build/integration/run.sh 
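Review bot: The new `#[UserRateLimit(limit: 10, period: 600)]` on createShare (line 1) sits above a method whose body is outside the hunk, and nothing in the hunk or the message says why ten shares per ten minutes was chosen or what a caller sees once the budget is spent; a why-comment above the attribute would help, e.g. `// Per-user throttle on share creation (all share types); exceeding it is rejected by the rate-limit middleware, presumably as HTTP 429`. Judging by its name, UserRateLimit keys on the authenticated user, so the budget is shared across every share type that user creates — someone legitimately sharing a folder's files one by one draws on the same 10 as someone mass-creating public links; if link-share abuse is the motivation, consider whether the bound belongs on that path specifically. The same attribute is revised again in patch 4 of this series, so squashing the two would keep the history readable.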
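Review bot: The sendShareEmail change from `limit: 5, period: 120` to `limit: 10, period: 600` (line 1) is not mentioned in the commit title, which only speaks of share creation, and it is not a pure tightening: the long-run average drops from 2.5 to 1 mail per minute, but the burst one user can fire in a single go doubles from 5 to 10 outbound emails. For an endpoint that triggers outbound mail the burst size is the parameter that matters for abuse, so either keep the original burst and state the reasoning in the message, or move this hunk into its own commit. sendShareEmail's body continues past the hunk.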
@@ -20,6 +20,8 @@ INSTALLED=$($OCC status | grep installed: | cut -d " " -f 5) if [ "$INSTALLED" == "true" ]; then # Disable bruteforce protection because the integration tests do trigger them $OCC config:system:set auth.bruteforce.protection.enabled --value false --type bool + # Disable rate limit protection because the integration tests do trigger them + $OCC config:system:set ratelimit.protection.enabled --value false --type bool # Allow local remote urls otherwise we can not share $OCC config:system:set allow_local_remote_servers --value true --type bool # Allow self signed certificates From 75063cd71b9ae6129717472a1a99567ebe27a4f2 Mon Sep 17 00:00:00 2001 From: skjnldsv Date: Tue, 15 Apr 2025 10:05:39 +0200 Subject: [PATCH 3/4] test: enable rate limiting for ratelimiting.feature Signed-off-by: skjnldsv --- build/integration/config/behat.yml | 11 +++++++ .../bootstrap/RateLimitingContext.php | 30 +++++++++++++++++++ .../ratelimiting.feature | 1 + 3 files changed, 42 insertions(+) create mode 100644 build/integration/features/bootstrap/RateLimitingContext.php rename build/integration/{features => ratelimiting_features}/ratelimiting.feature (99%) diff --git a/build/integration/config/behat.yml b/build/integration/config/behat.yml index eec8b5b77fcad..45db510583891 100644 --- a/build/integration/config/behat.yml +++ b/build/integration/config/behat.yml @@ -243,3 +243,14 @@ default: regular_user_password: 123456 - RemoteContext: remote: http://localhost:8080 + + ratelimiting: + paths: + - "%paths.base%/../ratelimiting_features" + contexts: + - RateLimitingContext: + baseUrl: http://localhost:8080 + admin: + - admin + - admin + regular_user_password: 123456 \ No newline at end of file diff --git a/build/integration/features/bootstrap/RateLimitingContext.php b/build/integration/features/bootstrap/RateLimitingContext.php new file mode 100644 index 0000000000000..ca198dc551489 --- /dev/null +++ b/build/integration/features/bootstrap/RateLimitingContext.php 
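Review bot: The new `ratelimiting` suite (line 2) lists only `RateLimitingContext`, so every step definition the moved feature's Background uses from the default suite's contexts must be provided by RateLimitingContext itself (by extending or composing the existing context), otherwise Behat reports undefined steps; the feature's steps are not visible here, so worth confirming. The hard-coded `admin`/`admin` and `regular_user_password: 123456` mirror the existing suites and are acceptable for a throwaway CI instance only. The file now ends without a trailing newline (`\ No newline at end of file`); add one to keep future diffs clean.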
@@ -0,0 +1,30 @@ +runOcc(['config:system:set', 'ratelimit.protection.enabled', '--value', 'true', '--type', 'bool']); + } + + /** + * @AfterScenario @RateLimiting + */ + public function disableRateLimiting() { + // Restore the default rate limiting configuration. + // Ratelimiting is disabled by default, so we need to disable it + $this->runOcc(['config:system:set', 'ratelimit.protection.enabled', '--value', 'false', '--type', 'bool']); + } +} diff --git a/build/integration/features/ratelimiting.feature b/build/integration/ratelimiting_features/ratelimiting.feature similarity index 99% rename from build/integration/features/ratelimiting.feature rename to build/integration/ratelimiting_features/ratelimiting.feature index a2fca2fc6be51..43cfddec85daa 100644 --- a/build/integration/features/ratelimiting.feature +++ b/build/integration/ratelimiting_features/ratelimiting.feature @@ -1,5 +1,6 @@ # SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors # SPDX-License-Identifier: AGPL-3.0-or-later +@RateLimiting Feature: ratelimiting Background: From 50dcbdeec6d6ea87bc29406962ba68002dee2c78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?John=20Molakvo=C3=A6?= Date: Tue, 15 Apr 2025 10:32:47 +0200 Subject: [PATCH 4/4] fix(files_sharing): adjust rate limit share creation to 20 over 10 minutes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: John Molakvoæ --- apps/files_sharing/lib/Controller/ShareAPIController.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php index cffe82beb1c85..65061a1384de8 100644 --- a/apps/files_sharing/lib/Controller/ShareAPIController.php +++ b/apps/files_sharing/lib/Controller/ShareAPIController.php 
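Review bot: The comment in disableRateLimiting (line 3) contradicts itself and the rest of the series: it first says "Restore the default rate limiting configuration" and then "Ratelimiting is disabled by default", whereas run.sh in patch 2 explicitly switches off a protection that is otherwise on — the hook restores the integration-test environment's state, not the product default. Suggest `// run.sh disables rate limiting for the integration suites; turn it back off after each @RateLimiting scenario so the remaining suites are unaffected.` Because both hooks flip a global system setting through occ, suites cannot run in parallel against the same instance; a one-line note on the class would save someone that debugging session. The start of this hunk (class header and enableRateLimiting) is garbled in this view, so only the visible part is reviewed.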
@@ -558,7 +558,7 @@ public function deleteShare(string $id): DataResponse { * 200: Share created */ #[NoAdminRequired] - #[UserRateLimit(limit: 10, period: 600)] + #[UserRateLimit(limit: 20, period: 600)] public function createShare( ?string $path = null, ?int $permissions = null,
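Review bot: Raising createShare to `limit: 20, period: 600` (line 4) leaves the number unexplained in code, and the series now edits the same attribute twice (10 in patch 1, 20 here) without either message giving the reasoning; record it next to the attribute, e.g. `// 20 shares / 10 min per user — revisit if legitimate bulk sharing is reported to hit this`, and consider squashing with patch 1. If the method's OpenAPI docblock enumerates response codes (only `200: Share created` is visible), check whether the rate-limited response must be listed there or whether the extractor derives it from the attribute. createShare's body is outside the hunk.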