Merge pull request #38275 from nextcloud/backport/38274/stable26

[stable26] fix(middleware): Also abort the request when reaching max delay in af…
nextcloud · May 16, 2023 · 7cc7984 · 7cc7984
2 parents ffa4906 + 9421172
commit 7cc7984
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
@@ -78,8 +78,16 @@ public function afterController($controller, $methodName, Response $response) {
 		if ($this->reflector->hasAnnotation('BruteForceProtection') && $response->isThrottled()) {
 			$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
 			$ip = $this->request->getRemoteAddress();
-			$this->throttler->sleepDelay($ip, $action);
 			$this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata());
+			try {
+				$this->throttler->sleepDelayOrThrowOnMax($ip, $action);
+			} catch (MaxDelayReached $e) {
+				if ($controller instanceof OCSController) {
+					throw new OCSException($e->getMessage(), Http::STATUS_TOO_MANY_REQUESTS);
+				}
+
+				return new TooManyRequestsResponse();
+			}
 		}
 
 		return parent::afterController($controller, $methodName, $response);

diff --git a/tests/lib/AppFramework/Middleware/Security/BruteForceMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/BruteForceMiddlewareTest.php
@@ -125,7 +125,7 @@ public function testAfterControllerWithAnnotationAndThrottledRequest() {
 			->willReturn('127.0.0.1');
 		$this->throttler
 			->expects($this->once())
-			->method('sleepDelay')
+			->method('sleepDelayOrThrowOnMax')
 			->with('127.0.0.1', 'login');
 		$this->throttler
 			->expects($this->once())
@@ -157,7 +157,7 @@ public function testAfterControllerWithAnnotationAndNotThrottledRequest() {
 			->method('getRemoteAddress');
 		$this->throttler
 			->expects($this->never())
-			->method('sleepDelay');
+			->method('sleepDelayOrThrowOnMax');
 		$this->throttler
 			->expects($this->never())
 			->method('registerAttempt');
@@ -181,7 +181,7 @@ public function testAfterControllerWithoutAnnotation() {
 			->method('getRemoteAddress');
 		$this->throttler
 			->expects($this->never())
-			->method('sleepDelay');
+			->method('sleepDelayOrThrowOnMax');
 
 		/** @var Controller|\PHPUnit\Framework\MockObject\MockObject $controller */
 		$controller = $this->createMock(Controller::class);