1
0
Fork 0
mirror of synced 2024-06-01 10:29:48 +12:00

Merge branch 'master' of https://github.com/appwrite/appwrite into feat-database-indexing

This commit is contained in:
Torsten Dittmann 2022-01-03 13:44:28 +01:00
commit 7230b5f6ec
4 changed files with 37 additions and 27 deletions

View file

@ -28,7 +28,7 @@ jobs:
docker pull php:8.0-cli-alpine docker pull php:8.0-cli-alpine
docker compose build --progress=plain docker compose build --progress=plain
docker compose up -d docker compose up -d
sleep 10 sleep 30
- name: Doctor - name: Doctor
run: docker compose exec -T appwrite doctor run: docker compose exec -T appwrite doctor

View file

@ -1740,7 +1740,7 @@ App::post('/v1/account/recovery')
->label('sdk.response.type', Response::CONTENT_TYPE_JSON) ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
->label('sdk.response.model', Response::MODEL_TOKEN) ->label('sdk.response.model', Response::MODEL_TOKEN)
->label('abuse-limit', 10) ->label('abuse-limit', 10)
->label('abuse-key', 'url:{url},email:{param-email}') ->label('abuse-key', ['url:{url},email:{param-email}', 'ip:{ip}'])
->param('email', '', new Email(), 'User email.') ->param('email', '', new Email(), 'User email.')
->param('url', '', function ($clients) {return new Host($clients);}, 'URL to redirect the user back to your app from the recovery email. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', false, ['clients']) ->param('url', '', function ($clients) {return new Host($clients);}, 'URL to redirect the user back to your app from the recovery email. Only URLs from hostnames in your project platform list are allowed. This requirement helps to prevent an [open redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) attack against your project API.', false, ['clients'])
->inject('request') ->inject('request')

View file

@ -38,41 +38,51 @@ App::init(function ($utopia, $request, $response, $project, $user, $events, $aud
/* /*
* Abuse Check * Abuse Check
*/ */
$timeLimit = new TimeLimit($route->getLabel('abuse-key', 'url:{url},ip:{ip}'), $route->getLabel('abuse-limit', 0), $route->getLabel('abuse-time', 3600), $dbForProject); $abuseKeyLabel = $route->getLabel('abuse-key', 'url:{url},ip:{ip}');
$timeLimit $timeLimitArray = [];
->setParam('{userId}', $user->getId())
->setParam('{userAgent}', $request->getUserAgent(''))
->setParam('{ip}', $request->getIP())
->setParam('{url}', $request->getHostname().$route->getPath())
;
// TODO make sure we get array here $abuseKeyLabel = (!is_array($abuseKeyLabel)) ? [$abuseKeyLabel] : $abuseKeyLabel;
foreach ($request->getParams() as $key => $value) { // Set request params as potential abuse keys foreach ($abuseKeyLabel as $abuseKey) {
if(!empty($value)) { $timeLimit = new TimeLimit($abuseKey, $route->getLabel('abuse-limit', 0), $route->getLabel('abuse-time', 3600), $dbForProject);
$timeLimit->setParam('{param-'.$key.'}', (\is_array($value)) ? \json_encode($value) : $value); $timeLimit
} ->setParam('{userId}', $user->getId())
->setParam('{userAgent}', $request->getUserAgent(''))
->setParam('{ip}', $request->getIP())
->setParam('{url}', $request->getHostname().$route->getPath());
$timeLimitArray[] = $timeLimit;
} }
$abuse = new Abuse($timeLimit); $closestLimit = null;
if ($timeLimit->limit()) {
$response
->addHeader('X-RateLimit-Limit', $timeLimit->limit())
->addHeader('X-RateLimit-Remaining', $timeLimit->remaining())
->addHeader('X-RateLimit-Reset', $timeLimit->time() + $route->getLabel('abuse-time', 3600))
;
}
$roles = Authorization::getRoles(); $roles = Authorization::getRoles();
$isPrivilegedUser = Auth::isPrivilegedUser($roles); $isPrivilegedUser = Auth::isPrivilegedUser($roles);
$isAppUser = Auth::isAppUser($roles); $isAppUser = Auth::isAppUser($roles);
if (($abuse->check() // Route is rate-limited foreach ($timeLimitArray as $timeLimit) {
foreach ($request->getParams() as $key => $value) { // Set request params as potential abuse keys
if(!empty($value)) {
$timeLimit->setParam('{param-'.$key.'}', (\is_array($value)) ? \json_encode($value) : $value);
}
}
$abuse = new Abuse($timeLimit);
if ($timeLimit->limit() && ($timeLimit->remaining() < $closestLimit || is_null($closestLimit))) {
$closestLimit = $timeLimit->remaining();
$response
->addHeader('X-RateLimit-Limit', $timeLimit->limit())
->addHeader('X-RateLimit-Remaining', $timeLimit->remaining())
->addHeader('X-RateLimit-Reset', $timeLimit->time() + $route->getLabel('abuse-time', 3600))
;
}
if (($abuse->check() // Route is rate-limited
&& App::getEnv('_APP_OPTIONS_ABUSE', 'enabled') !== 'disabled') // Abuse is not disabled && App::getEnv('_APP_OPTIONS_ABUSE', 'enabled') !== 'disabled') // Abuse is not disabled
&& (!$isAppUser && !$isPrivilegedUser)) // User is not an admin or API key && (!$isAppUser && !$isPrivilegedUser)) // User is not an admin or API key
{ {
throw new Exception('Too many requests', 429); throw new Exception('Too many requests', 429);
}
} }
/* /*

View file

@ -217,7 +217,7 @@ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
git fetch && \ git fetch && \
git pull ' . $gitUrl . ' && \ git pull ' . $gitUrl . ' && \
rm -rf ' . $target . '/* && \ rm -rf ' . $target . '/* && \
cp -r ' . $result . '/ ' . $target . '/ && \ cp -r ' . $result . '/* ' . $target . '/ && \
git add . && \ git add . && \
git commit -m "' . $message . '" && \ git commit -m "' . $message . '" && \
git push -u origin ' . $gitBranch . ' git push -u origin ' . $gitBranch . '
@ -231,7 +231,7 @@ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
$docDirectories = $language['docDirectories'] ?? ['']; $docDirectories = $language['docDirectories'] ?? [''];
if($version === 'latest') { if ($version === 'latest') {
continue; continue;
} }