fix(files_sharing): rate limit share creation 10 times per 10 minutes #50905

Open
wants to merge 2 commits into master

Conversation

skjnldsv
Member

And adjust existing email sending UserRateLimit

@skjnldsv skjnldsv added the 3. to review Waiting for reviews label Feb 19, 2025
@skjnldsv skjnldsv added this to the Nextcloud 32 milestone Feb 19, 2025
@skjnldsv skjnldsv requested review from nickvergessen, provokateurin and a team February 19, 2025 15:12
@skjnldsv skjnldsv self-assigned this Feb 19, 2025
@skjnldsv skjnldsv requested review from yemkareems and come-nc and removed request for a team February 19, 2025 15:12
@skjnldsv
Member Author

/backport to stable31

@skjnldsv
Member Author

/backport to stable30

Co-authored-by: Ferdinand Thiessen <[email protected]>
Signed-off-by: John Molakvoæ <[email protected]>
@skjnldsv skjnldsv requested a review from susnux February 20, 2025 13:24
Contributor

@susnux susnux left a comment


Not sure about the values, but code is fine.

@@ -557,6 +557,7 @@ public function deleteShare(string $id): DataResponse {
* 200: Share created
*/
#[NoAdminRequired]
#[UserRateLimit(limit: 10, period: 600)]
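Review bot: the docblock directly above the new `#[UserRateLimit(limit: 10, period: 600)]` attribute still lists only `200: Share created` as a response; once the limiter rejects a request this endpoint answers 429, so the response list should document that (for example `429: Too many requests`) so the OpenAPI spec generated from these comments stays accurate. The values themselves match the title (10 per 600 s); given the reviewer's point about bulk sharing to a list of emails, a short comment next to the attribute recording why 10/600 was chosen would help future readers.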
Contributor

I can imagine valid use cases with higher rate, e.g. share to a list of emails.
So I would think 30s is a valid interval for humans here (20 per 10 minutes)?

@susnux
Contributor

susnux commented Feb 20, 2025

For integration tests you need to create some app config for bruteForce with whitelist_1 and value the local ip in the test setup so that the tests are not rate limited.
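A constructed model of the behaviour discussed in this thread, added here as an example and not code from Nextcloud: a per-user sliding-window limiter run with the PR's values (10 requests per 600 s), the alternative proposed in review (20 per 600 s at 30 s spacing), and a CIDR whitelist that exempts the test runner's address the way the `bruteForce` `whitelist_1` app config does for integration tests. The class and function names (`UserRateLimiter`, `simulate_share_burst`), the user `alice` and the IP addresses are assumptions; Nextcloud's real middleware keeps its counters in memcache and reads the bypass list from app config, which this in-memory model only imitates.

```python
import ipaddress
from collections import defaultdict, deque


class RateLimitExceeded(Exception):
    """Raised when a user exceeds `limit` requests within `period` seconds (HTTP 429)."""

    def __init__(self, retry_after: int):
        super().__init__(f"rate limit exceeded, retry after {retry_after}s")
        self.retry_after = retry_after


class UserRateLimiter:
    """Constructed per-user sliding-window limiter (assumption: not Nextcloud's Limiter).

    `whitelist` holds CIDR strings; requests from those addresses are neither
    counted nor rejected, mirroring the bruteForce whitelist_N exemption that
    the integration tests need.
    """

    def __init__(self, limit: int, period: int, whitelist=()):
        self.limit = limit
        self.period = period
        self.networks = [ipaddress.ip_network(c, strict=False) for c in whitelist]
        self.hits = defaultdict(deque)  # user -> request timestamps still inside the window

    def is_bypass_listed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def _expire(self, user: str, now: float) -> deque:
        # Drop timestamps that have fallen out of the trailing `period` window.
        window = self.hits[user]
        while window and window[0] <= now - self.period:
            window.popleft()
        return window

    def seconds_until_allowed(self, user: str, now: float) -> int:
        """0 if the next request would be accepted, else seconds until the oldest hit expires."""
        window = self._expire(user, now)
        if len(window) < self.limit:
            return 0
        return max(1, int(window[0] + self.period - now))

    def register(self, user: str, ip: str, now: float) -> None:
        """Count one request for `user`; raise RateLimitExceeded when over the limit."""
        if self.is_bypass_listed(ip):
            return  # whitelisted address: exempt and not counted
        wait = self.seconds_until_allowed(user, now)
        if wait:
            raise RateLimitExceeded(wait)
        self.hits[user].append(now)


def simulate_share_burst(limit, period, attempts, interval, whitelist=(), ip="10.0.0.5"):
    """Drive `attempts` share-creation calls `interval` seconds apart for one user.

    Returns (accepted, rejected). Timestamps are constructed, starting at t=1000.
    """
    limiter = UserRateLimiter(limit, period, whitelist)
    accepted = rejected = 0
    for i in range(attempts):
        try:
            limiter.register("alice", ip, 1000.0 + i * interval)
            accepted += 1
        except RateLimitExceeded:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    print("PR values, 12 rapid shares:", simulate_share_burst(10, 600, 12, 1.0))
    print("same burst, runner IP whitelisted:",
          simulate_share_burst(10, 600, 12, 1.0, ("127.0.0.1/32",), "127.0.0.1"))
    print("20 per 10 min, 30 s spacing:", simulate_share_burst(20, 600, 20, 30.0))
```

With the PR's values the eleventh rapid share is rejected, while the same burst from a whitelisted address is accepted in full; the 30 s spacing suggested in review fits exactly 20 requests into a 600 s window. The sliding window is a modelling choice made here, not a claim about how Nextcloud's backend counts requests.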

@skjnldsv
Member Author

Not sure about the values, but code is fine.

yeah, me neither tbh 🤷
I used Joas's suggestion

@skjnldsv
Member Author

Integration needs exemption from rate limiting 🙈


3 participants