mirror of https://github.com/nextcloud/server.git synced 2025-03-13 07:53:51 +00:00
Commit graph

53 commits

Author SHA1 Message Date
Côme Chilliet
f5c361cf44
composer run cs:fix
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2023-01-20 11:45:08 +01:00
Joas Schilling
c0f47af2d0
Add a public interface for the bruteforce throttler and register for injection
Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-07-28 10:57:10 +02:00
Joas Schilling
8274c05e19
Only ignore attempts of the same action
Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-07-07 09:35:14 +02:00
Carl Schwan
69b36fc2c5
Don't inject Bruteforce capability info in the webui
This capability does DB access and as far as I know is not used by the webui.
This removes one DB query for each page load.

Signed-off-by: Carl Schwan <carl@carlschwan.eu>
2022-04-07 17:33:29 +02:00
Côme Chilliet
6be7aa112f
Migrate from ILogger to LoggerInterface in lib/private
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2022-03-24 16:21:25 +01:00
Joas Schilling
b8e0a3dbdd
Use the new option to signal insensitivity
Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-02-07 13:54:54 +01:00
Joas Schilling
c6d000f87f
Log bruteforce throttle and blocking
Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-01-18 10:10:19 +01:00
Joas Schilling
1d550ab95e
Don't query the bruteforce attempts when we just deleted them
Signed-off-by: Joas Schilling <coding@schilljs.com>
2021-12-01 18:01:22 +01:00
John Molakvoæ (skjnldsv)
215aef3cbd
Update php licenses
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2021-06-04 22:02:41 +02:00
J0WI
ca7b37ce5a
Make Security module strict
Signed-off-by: J0WI <J0WI@users.noreply.github.com>
2021-04-19 17:31:12 +02:00
Christoph Wurst
d89a75be0b
Update all license headers for Nextcloud 21
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-12-16 18:48:22 +01:00
Julius Härtl
f5501ca276
Avoid checking for brute force protection capabilities when upgrading
This might happen on a release that doesn't have this table yet

Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-12-09 12:13:33 +01:00
Roeland Jago Douma
8fae2beece
Limit throttler to 48 hours
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-10-08 19:51:13 +02:00
Roeland Jago Douma
6c1b542def
Add cleanup job for old bruteforce attempts
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-10-08 19:51:13 +02:00
Christoph Wurst
d9015a8c94
Format code to a single space around binary operators
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-10-05 20:25:24 +02:00
Morris Jobke
99c9423766
Remove @suppress SqlInjectionChecker
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-09-16 15:53:56 +02:00
Joas Schilling
c25063dc07
Don't break when the IP is empty
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-09-10 14:20:27 +02:00
Christoph Wurst
2a054e6c04
Update the license headers for Nextcloud 20
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-08-24 14:54:25 +02:00
Joas Schilling
35a8519591
Fix CS
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
770381c0c6
Correctly return ms delay when at max
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
931aca2fee
Add missing default
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
d9c4c9eb99
Simplify array filter
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
dfeee3b850
Fix wrong doc + type hint
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
8376c4891f
Only throw when also the last 30 mins were attacking
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
6f751d01db
Make the throttling O(2^n) instead of O(n^n)
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
64539a6ee1
Make Throttler strict
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
c8fea66d65
Split delay calculation from getting the attempts
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:35 +02:00
Joas Schilling
cdb36c8ead
Let the database count the entries
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:35 +02:00
Joas Schilling
e66bc4a8a7
Send "429 Too Many Requests" in case of brute force protection
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:35 +02:00
Morris Jobke
e57bca31ad
Merge pull request from joeried/occ-remove-bruteforce-attempts-by-ip
Implement occ command to reset bruteforce attempts from a given IP address
2020-05-25 14:04:18 +02:00
Morris Jobke
bd997a105c
Fix code style
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-05-25 14:03:21 +02:00
Christoph Wurst
cb057829f7
Update license headers for 19
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-29 11:57:22 +02:00
Christoph Wurst
28f8eb5dba
Add visibility to all constants
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 16:54:27 +02:00
Christoph Wurst
caff1023ea
Format control structures, classes, methods and function
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is practically standard for our
code.

This also removes empty lines from method/function bodies at the
beginning and end.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 14:19:56 +02:00
Christoph Wurst
14c996d982
Use elseif instead of else if
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 10:35:09 +02:00
Christoph Wurst
afbd9c4e6e
Unify function spacing to PSR2 recommendation
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 13:54:22 +02:00
Johannes Riedel
0c38569c83
Implement occ command security:bruteforceattemps:reset-for-ip
Signed-off-by: Johannes Riedel <joeried@users.noreply.github.com>
2020-03-19 16:20:22 +01:00
Christoph Wurst
5bf3d1bb38
Update license headers
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-12-05 15:38:45 +01:00
Roeland Jago Douma
68748d4f85
Some php-cs fixes
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Empty line at bottom of file

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-22 20:52:10 +01:00
Roeland Jago Douma
f1ea56b502
Fix the throttler whitelist bitmask
Before we actually didn't check each bit of the bitmask. Now we do.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-11 23:22:20 +01:00
Mark Berezovsky
ad66c6bf08
Fix : Decrease $maxDelay in Throttler.php
Signed-off-by: Mark Berezovsky <xpnf@yandex.ru>
2018-06-15 04:58:08 +03:00
Morris Jobke
5a270c2715
Reset bruteforce attempt table on successful login
* only clear the entries that come from the same subnet, same action and same metadata

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-24 14:58:57 +01:00
Morris Jobke
0eebff152a
Update license headers
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Lukas Reschke
3d2600b039
Add Phan plugin to check for SQL injections
This adds a phan plugin which checks for SQL injections on code using our QueryBuilder. While it isn't perfect, it should already catch most potential issues.

As always, static analysis will sometimes have false positives and this is also the case here. So in some cases the analyzer just doesn't know if something is potential user input or not, thus I had to add some `@suppress SqlInjectionChecker` in front of those potential injections.

The Phan plugin hasn't the most awesome code but it works and I also added a file with test cases.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-20 22:48:13 +02:00
Roeland Jago Douma
6a1f2ac076
Add bruteforce capabilities
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-13 11:23:08 +02:00
Lukas Reschke
a5ccb31e85
Mark IP as whitelisted if brute force protection is disabled
Currently, when disabling the brute force protection no new brute force attempts are logged. However, the ones logged within the last 24 hours will still be used for throttling.

This is quite an unexpected behaviour and caused some support issues. With this change when the brute force protection is disabled also the existing attempts within the last 24 hours will be disregarded.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-05-01 18:31:45 +02:00
Lukas Reschke
66835476b5
Add support for ratelimiting via annotations
This allows adding rate limiting via annotations to controllers, as one example:

```
@UserRateThrottle(limit=5, period=100)
@AnonRateThrottle(limit=1, period=100)
```

Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:16 +02:00
Roeland Jago Douma
be674c19a5
Respect bruteforce settings in the Throttler
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-02 21:13:50 +02:00
Bjoern Schiessle
df296249d6
introduce brute force protection for api calls
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:15 +01:00
Robin Appelman
6c93fe08f5
don't get bruteforce delay twice
2016-08-29 13:36:49 +02:00