upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-16 12:10:35 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 15
83872 commits 1032 branches 1221 tags 8.7 GiB
Commit graph

72 commits

Author SHA1 Message Date
Joas Schilling
0f183ce8fe
fix(bfp): Trim meta data so it can still be stored 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2025-10-22 15:45:21 +02:00
Joas Schilling
1d8556ecc3
fix(throttler): Don't query bruteforce attempts twice 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2025-05-20 08:37:23 +02:00
Joas Schilling
7964f338dc
fix(throttler): Remove the sleep from the throttler that throws 
The sleep is not adding benefit when it's being aborted with 429
in other cases anyway.

Signed-off-by: Joas Schilling <coding@schilljs.com>
 2025-05-02 11:27:29 +02:00
Joas Schilling
c1655bcde7
fix(ratelimit): Allow to bypass rate-limit from bruteforce allowlist 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2025-01-27 12:46:15 +01:00
Benjamin Gaussorgues
1fd19685f1
chore(bruteforce): allows to configure max attempts before request abort 
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
 2024-12-03 10:48:10 +01:00
Git'Fellow
c254855222 chore(db): Correctly apply query types 
fix: psalm

fix: error

fix: add batch

fix: fatal error

fix: add batch

chore: add batch

chore: add batch

fix: psalm

fix: typo

fix: psalm

fix: return bool

fix: revert Manager
 2024-10-17 09:21:07 +02:00
provokateurin
54ec472d9a
fix(BackgroundJobs): Adjust intervals and time sensitivities 
Signed-off-by: provokateurin <kate@provokateurin.de>
 2024-10-08 11:26:53 +02:00
provokateurin
9836e9b164
chore(deps): Update nextcloud/coding-standard to v1.3.1 
Signed-off-by: provokateurin <kate@provokateurin.de>
 2024-09-19 14:21:20 +02:00
Christoph Wurst
1ee833efab
refactor: Replace __CLASS__ with ::class references 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2024-09-15 21:40:55 +02:00
Daniel Kesselberg
af6de04e9e
style: update codestyle for coding-standard 1.2.3 
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
 2024-08-25 19:34:58 +02:00
Andy Scherzinger
dae7c159f7
chore: Add SPDX header 
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
 2024-05-24 13:11:22 +02:00
Joas Schilling
aa5f037af7
chore: apply changes from Nextcloud coding standards 1.1.1 
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
 2023-11-23 10:36:13 +01:00
Faraz Samapoor
f313ca92e7 Refactors lib/private/Security. 
Mainly using PHP8's constructor property promotion.

Signed-off-by: Faraz Samapoor <fsa@adlas.at>
 2023-09-27 09:03:15 +03:30
Joas Schilling
124588d4a6
fix: Make bypass function public API 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:40:24 +02:00
Joas Schilling
fd9b2d488e
feat: Expose if the own IP is allowed to bypass bruteforce protection 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:36:04 +02:00
Joas Schilling
abc98d343c
feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:36:03 +02:00
Joas Schilling
a95800c647
feat(security): Add a bruteforce protection backend base on memcache 
Similar to the ratelimit backend

Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:36:03 +02:00
Faraz Samapoor
e7cc7653b8 Refactors "strpos" calls in lib/private to improve code readability. 
Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>
 2023-05-15 15:17:19 +03:30
Côme Chilliet
426c0341ff
Use typed version of IConfig::getSystemValue as much as possible 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2023-04-05 12:50:08 +02:00
Côme Chilliet
f5c361cf44
composer run cs:fix 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2023-01-20 11:45:08 +01:00
Joas Schilling
c0f47af2d0
Add a public interface for the bruteforce throttler and register for injection 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-07-28 10:57:10 +02:00
Joas Schilling
8274c05e19
Only ignore attempts of the same action 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-07-07 09:35:14 +02:00
Carl Schwan
69b36fc2c5 Don't inject Bruteforce capability info in the webui 
This capability do DB access and as far I know is not used by the webui.
This remove one DB query for each page load.

Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-04-07 17:33:29 +02:00
Côme Chilliet
6be7aa112f
Migrate from ILogger to LoggerInterface in lib/private 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2022-03-24 16:21:25 +01:00
Joas Schilling
b8e0a3dbdd
Use the new option to signaling insensitivity 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-02-07 13:54:54 +01:00
Joas Schilling
c6d000f87f
Log bruteforce throttle and blocking 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-01-18 10:10:19 +01:00
Joas Schilling
1d550ab95e
Don't query the bruteforce attempts when we just deleted them 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2021-12-01 18:01:22 +01:00
John Molakvoæ (skjnldsv)
215aef3cbd
Update php licenses 
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
 2021-06-04 22:02:41 +02:00
J0WI
ca7b37ce5a Make Security module strict 
Signed-off-by: J0WI <J0WI@users.noreply.github.com>
 2021-04-19 17:31:12 +02:00
Christoph Wurst
d89a75be0b
Update all license headers for Nextcloud 21 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-12-16 18:48:22 +01:00
Julius Härtl
f5501ca276
Avoid checking for brute force protection capabilities when upgrading 
This might happen a releases that doesn't have this table yet

Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2020-12-09 12:13:33 +01:00
Roeland Jago Douma
8fae2beece
Limit throttler to 48 hours 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-10-08 19:51:13 +02:00
Roeland Jago Douma
6c1b542def
Add cleanup job for old brutefoce attempts 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-10-08 19:51:13 +02:00
Christoph Wurst
d9015a8c94
Format code to a single space around binary operators 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-10-05 20:25:24 +02:00
Morris Jobke
99c9423766
Remove @suppress SqlInjectionChecker 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2020-09-16 15:53:56 +02:00
Joas Schilling
c25063dc07
Don't break when the IP is empty 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-09-10 14:20:27 +02:00
Christoph Wurst
2a054e6c04
Update the license headers for Nextcloud 20 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-08-24 14:54:25 +02:00
Joas Schilling
35a8519591
Fix CS 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 11:20:36 +02:00
Joas Schilling
770381c0c6
Correctly return ms delay when at max 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 11:20:36 +02:00
Joas Schilling
931aca2fee
Add missing default 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 11:20:36 +02:00
Joas Schilling
d9c4c9eb99
Simplify array filter 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 11:20:36 +02:00
Joas Schilling
dfeee3b850
Fix wrong doc + type hint 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 11:20:36 +02:00
Joas Schilling
8376c4891f
Only throw when also the last 30 mins were attacking 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 11:20:36 +02:00
Joas Schilling
6f751d01db
Make the throttling O(2^n) instead of O(n^n) 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 11:20:36 +02:00
Joas Schilling
64539a6ee1
Make Throttler strict 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 11:20:36 +02:00
Joas Schilling
c8fea66d65
Split delay calculation from getting the attempts 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 11:20:35 +02:00
Joas Schilling
cdb36c8ead
Let the database count the entries 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 11:20:35 +02:00
Joas Schilling
e66bc4a8a7
Send "429 Too Many Requests" in case of brute force protection 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 11:20:35 +02:00
Morris Jobke
e57bca31ad
Merge pull request #20005 from joeried/occ-remove-bruteforce-attempts-by-ip 
Implement occ command to reset bruteforce attemps from a given IP address
 2020-05-25 14:04:18 +02:00
Morris Jobke
bd997a105c
Fix code style 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2020-05-25 14:03:21 +02:00