Add bruteforce protection in OauthApiController #38773

Merged
merged 1 commit into from
Jun 19, 2023

Conversation

julien-nc
Member

Client secrets are long so bruteforce attacks are not likely to be effective but still.

@julien-nc julien-nc added 3. to review Waiting for reviews security labels Jun 12, 2023
@julien-nc julien-nc added this to the Nextcloud 28 milestone Jun 12, 2023
@julien-nc julien-nc requested review from AndyScherzinger, ChristophWurst, miaulalala, a team, ArtificialOwl, icewind1991 and blizzz and removed request for a team June 12, 2023 15:42
@julien-nc julien-nc force-pushed the fix/noid/protect-oauth2-api-controller branch from dba26cb to fca8446 Compare June 14, 2023 15:50
@AndyScherzinger
Member

/backport to stable27

@AndyScherzinger
Member

/backport to stable26

@AndyScherzinger
Member

/backport to stable25

@AndyScherzinger
Member

/backport to stable24

@miaulalala
Contributor

/rebase

@nextcloud-command nextcloud-command force-pushed the fix/noid/protect-oauth2-api-controller branch from fca8446 to 96a850b Compare June 16, 2023 13:25
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc julien-nc force-pushed the fix/noid/protect-oauth2-api-controller branch from 96a850b to 629adc3 Compare June 19, 2023 09:18
@julien-nc julien-nc merged commit 247c874 into master Jun 19, 2023
@julien-nc julien-nc deleted the fix/noid/protect-oauth2-api-controller branch June 19, 2023 11:46
@backportbot-nextcloud

The backport to stable26 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable26
git pull origin stable26

# Create the new backport branch
git checkout -b fix/foo-stable26

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable26

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@backportbot-nextcloud

The backport to stable24 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable24
git pull origin stable24

# Create the new backport branch
git checkout -b fix/foo-stable24

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable24

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@julien-nc
Member Author

Backport for stable26 will be easier after #38708 is merged.

@AndyScherzinger Do we really have to backport to stable24?

@nickvergessen
Member

> Do we really have to backport to stable24?

yes

@AndyScherzinger
Member

> Do we really have to backport to stable24?

As stated by Joas: yes, we do have support cohorts defined: based on the severity of a sec issue, the number of years we need to backport the fix is defined - which is why I initially added all the backport commands right away.

@nickvergessen
Member

/backport to stable26


6 participants