Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add brute force protection on all methods wrapped by PublicShareMiddleware #35057

Merged
merged 1 commit into from
Dec 7, 2022
Merged

Add brute force protection on all methods wrapped by PublicShareMiddleware #35057

merged 1 commit into from
Dec 7, 2022

Conversation

julien-nc
Copy link
Member

@julien-nc julien-nc commented Nov 9, 2022
edited
Loading

This adds a rate limit on all methods wrapped by PublicShareMiddleware if an invalid token is provided.

As the token check does not happen in the controller methods but in the middleware, we can't use the @AnonRateThrottle annotation on those methods.

Remaining questions:

  • Does it make sense to use the brute force protection mechanism instead? If so, same issue, we can't use the annotation in the controller.
  • Do the limit (10) and period (120) values make sense?
  • Does it make sense to call registerAnonRequest only if the token check fails like it's done here?
    • It could be called in other cases
    • Where should it be called to apply the limit when the token is correct but the password is wrong?

@julien-nc julien-nc added this to the Nextcloud 25.0.2 milestone Nov 9, 2022
@nickvergessen
Copy link
Member

This adds a rate limit on all methods wrapped by PublicShareMiddleware if an invalid token is provided.

Sounds like you want to do brute force protection, not rate limiting.

  • Rate limiting is for correct usage, but you want to prevent abuse, e.g. we could rate limit guests so they can only post 10 chat messages per 60 seconds.
  • Brute force protection is to prevent guessing access, e.g. log every attempt of accessing a room that does not exist and then return without trying after X failed attempts

But seems like I should extend the docs with this a bit going forward.

@nickvergessen
Copy link
Member

If so, same issue, we can't use the annotation in the controller.

Let's have a look together tomorrow

@julien-nc
Copy link
Member Author

julien-nc commented Nov 10, 2022
edited
Loading

@nickvergessen Thanks for the explanation. Better like this?

It still only protects against incorrect token attempts but not against incorrect share password.

I'll squash the commits later if needed.

@julien-nc julien-nc added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Nov 14, 2022
@julien-nc
Copy link
Member Author

This now also protects against invalid password attempts.

@julien-nc julien-nc force-pushed the enh/noid/rate-limit-public-share-endpoints branch from 6a817c5 to f08e207 Compare November 17, 2022 08:47
@julien-nc
Copy link
Member Author

Rebased and squashed.
@nickvergessen What do you think?

@nickvergessen nickvergessen changed the title Add rate limit on all methods wrapped by PublicShareMiddleware Add brute force protection on all methods wrapped by PublicShareMiddleware Nov 17, 2022
nickvergessen
nickvergessen reviewed Nov 17, 2022
View reviewed changes
lib/private/AppFramework/Middleware/PublicShare/PublicShareMiddleware.php
$controllerClassPath = explode('\\', get_class($controller));
$controllerShortClass = end($controllerClassPath);
$bruteforceProtectionAction = $controllerShortClass . '::' . $methodName;
$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $bruteforceProtectionAction);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we read if the controller itself has the annotation and then reuse that action or better not do anything, so it's not double slowed?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically we can, just like the BruteForceMiddleware does.
But as you said, what if the ShareController is handled by the BruteForceMiddleware in the future? sleepDelayOrThrowOnMax would be called twice.

Also it would probably bring some confusion. Why would the PublicShareMiddleware care about annotations that are bruteforce-related?
I think it's fine the way we do it. All methods having the token/password check are bruteforce protected.

Only weird aspect of this is when reading the controllers...nothing mentions bruteforce protection in OCA\Files_Sharing\Controller\PublicShareController and OCA\Files_Sharing\Controller\ShareController.
Should we add explicit comments pointing to the PublicShareMiddleware in those controllers? And/or in the AuthPublicShareController and PublicShareController?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nickvergessen I kinda answered your question 😁. IMO it's fine and clearer like it is now.

nickvergessen
nickvergessen reviewed Nov 17, 2022
View reviewed changes
Copy link
Member

@nickvergessen nickvergessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good 👍🏽

But the one question is still up

@blizzz blizzz mentioned this pull request Nov 21, 2022
Merged
1 task
@blizzz blizzz modified the milestones: Nextcloud 25.0.2, Nextcloud 26 Nov 21, 2022
@blizzz
Copy link
Member

blizzz commented Nov 21, 2022

ℹ️ master is 26

@julien-nc julien-nc force-pushed the enh/noid/rate-limit-public-share-endpoints branch from f08e207 to eb5cbe0 Compare November 24, 2022 10:01
@julien-nc julien-nc force-pushed the enh/noid/rate-limit-public-share-endpoints branch from eb5cbe0 to 8f6db2e Compare December 5, 2022 16:27
@julien-nc
use bruteforce protection on all methods wrapped by PublicShareMiddle…
4a3f3be 
…ware

if an invalid token is provided or when share password is wrong

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc julien-nc force-pushed the enh/noid/rate-limit-public-share-endpoints branch from 8f6db2e to 4a3f3be Compare December 7, 2022 12:25
@julien-nc julien-nc merged commit 1357cf6 into master Dec 7, 2022
@julien-nc julien-nc deleted the enh/noid/rate-limit-public-share-endpoints branch December 7, 2022 13:08
@julien-nc
Copy link
Member Author

/backport to stable25

@julien-nc
Copy link
Member Author

/backport to stable24

@julien-nc
Copy link
Member Author

/backport to stable23

@backportbot-nextcloud
Copy link

The backport to stable25 failed. Please do this backport manually.

@backportbot-nextcloud
Copy link

The backport to stable24 failed. Please do this backport manually.

@backportbot-nextcloud
Copy link

The backport to stable23 failed. Please do this backport manually.

julien-nc added a commit that referenced this pull request Dec 7, 2022
@julien-nc
manual backport of #35057
bc97ff7 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc julien-nc mentioned this pull request Dec 7, 2022
Merged
julien-nc added a commit that referenced this pull request Dec 7, 2022
@julien-nc
manual backport of #35057
5d38ccc 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
julien-nc added a commit that referenced this pull request Dec 7, 2022
@julien-nc
manual backport of #35057
a1f529e 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc julien-nc mentioned this pull request Dec 7, 2022
Merged
julien-nc added a commit that referenced this pull request Dec 7, 2022
@julien-nc
manual backport of #35057
4bb45ce 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc julien-nc mentioned this pull request Dec 7, 2022
Merged
julien-nc added a commit that referenced this pull request Jan 9, 2023
@julien-nc
manual backport of #35057
32a75d8 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
julien-nc added a commit that referenced this pull request Jan 9, 2023
@julien-nc
manual backport of #35057
36bdc96 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
nextcloud-command pushed a commit that referenced this pull request Mar 7, 2023
@julien-nc @nickvergessen
manual backport of #35057
bff2410 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
nextcloud-command pushed a commit that referenced this pull request Mar 7, 2023
@julien-nc @nickvergessen
manual backport of #35057
9e29130 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
nextcloud-command pushed a commit that referenced this pull request Mar 7, 2023
@julien-nc @nickvergessen
manual backport of #35057
aea1b5d 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
julien-nc added a commit that referenced this pull request Mar 15, 2023
@julien-nc
manual backport of #35057
a7d1313 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
julien-nc added a commit that referenced this pull request Mar 15, 2023
@julien-nc
manual backport of #35057
5b08f84 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
julien-nc added a commit that referenced this pull request Mar 15, 2023
@julien-nc
manual backport of #35057
b384a96 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nickvergessen nickvergessen nickvergessen approved these changes

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@juliusknorr juliusknorr Awaiting requested review from juliusknorr

Assignees
No one assigned
Labels
3. to review Waiting for reviews feature: sharing
Projects
None yet
Milestone
Nextcloud 26
Development

Successfully merging this pull request may close these issues.
4 participants
@julien-nc @nickvergessen @blizzz @ChristophWurst