Public share protect (4) #123
…s no LastFailedAccessTime
I tried making a public share of just a file, then trying to download that 3 times with the wrong password.
The 4 "interesting" requests are all:
accompanied by different authentication. The 3rd call with a bad password triggers all that
IMO this does not work the way it should. @karakayasemi your thoughts?
```gherkin
Scenario: access to public link is not blocked after too many invalid requests
  Given user "Alice" has uploaded file with content "user1 file" to "/PARENT/randomfile.txt"
  When user "Alice" creates a public link share using the sharing API with settings
    | path | PARENT |
```
@phil-davis I am trying to figure out the issue; this one is the problematic scenario, right?
Is there a mistake in the column names here?
I made some changes locally to convince myself that there really is a problem.
But they are on my desktop computer, and we have had big storms and power issues here, so that is currently off and I have no power for it!
You should be able to manually create a link share of a file, then do API calls to try and download the file, using an endpoint like:
```
GET /remote.php/dav/public-files/creh7Far9YK7C12/randomfile.txt
```
And provide a wrong password a few times.
I manually created randomfile.txt containing the text "some data" in the UI of a user and created a public link with password "pass". Then I tried to access it multiple times with the wrong password:
```console
$ curl -u public:pwd123 http://172.17.0.1:8080/remote.php/dav/public-files/3M5BhjTb4wCLQTC/randomfile.txt
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>Username or password was incorrect, No public access to this resource., Username or password was incorrect, Username or password was incorrect</s:message>
</d:error>
$ curl -u public:pwd123 http://172.17.0.1:8080/remote.php/dav/public-files/3M5BhjTb4wCLQTC/randomfile.txt
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>Username or password was incorrect, No public access to this resource., Username or password was incorrect, Username or password was incorrect</s:message>
</d:error>
$ curl -u public:pwd123 http://172.17.0.1:8080/remote.php/dav/public-files/3M5BhjTb4wCLQTC/randomfile.txt
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>Username or password was incorrect, No public access to this resource., Username or password was incorrect, Username or password was incorrect</s:message>
</d:error>
$ curl -u public:pwd123 http://172.17.0.1:8080/remote.php/dav/public-files/3M5BhjTb4wCLQTC/randomfile.txt
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>Too many failed login attempts. Try again in 5 minutes.</s:message>
</d:error>
```
And then accessed it with the correct password:
```console
$ curl -u public:pass http://172.17.0.1:8080/remote.php/dav/public-files/3M5BhjTb4wCLQTC/randomfile.txt
some data
```
The file downloaded. IMO the download should have been blocked.
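The sequence in the curl session above, modelled as added example code (written for this page; not ownCloud's code and not this app's code). It assumes a threshold of three failures and a five-minute window (the "Try again in 5 minutes" message), a lockout keyed by client IP and share token, and HTTP 401/429 as the status codes; the `check_before_verify` switch contrasts a lockout that is only consulted on the wrong-password path (which reproduces the download succeeding with the correct password) with one that refuses every attempt while the key is locked.

```python
# Added illustration of per-share brute-force lockout; not ownCloud's own code.
# Assumed: 3 failures lock the (client IP, share token) pair for 300 seconds.
import hmac
import time
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 3
LOCKOUT_SECONDS = 300
BLOCKED_MESSAGE = "Too many failed login attempts. Try again in 5 minutes."
BAD_PASSWORD_MESSAGE = "Username or password was incorrect"


class LockoutStore:
    """Sliding-window counter of failed public-link authentications."""

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable for deterministic tests
        self._failures = defaultdict(list)   # (ip, token) -> failure timestamps

    def record_failure(self, key):
        self._failures[key].append(self._clock())

    def is_locked(self, key):
        now = self._clock()
        # Drop failures older than the window, then count what remains.
        recent = [t for t in self._failures[key] if now - t < LOCKOUT_SECONDS]
        self._failures[key] = recent
        return len(recent) >= MAX_FAILED_ATTEMPTS


class PublicShare:
    def __init__(self, token, password, content):
        self.token = token
        self.password = password   # a deployment stores a password hash, not plaintext
        self.content = content


def public_download(store, share, client_ip, supplied_password, check_before_verify):
    """Model of GET /remote.php/dav/public-files/<token>/<file>.

    check_before_verify=False: the lockout is only consulted after a wrong
    password, so a correct password still succeeds during the lockout window
    (the behaviour seen in the thread).
    check_before_verify=True: every attempt is refused while the key is locked,
    whatever password it carries (the intended behaviour).
    """
    key = (client_ip, share.token)
    if check_before_verify and store.is_locked(key):
        return 429, BLOCKED_MESSAGE
    if hmac.compare_digest(supplied_password.encode(), share.password.encode()):
        return 200, share.content
    if store.is_locked(key):
        return 429, BLOCKED_MESSAGE
    store.record_failure(key)
    return 401, BAD_PASSWORD_MESSAGE


def replay_thread_scenario(check_before_verify):
    """Four wrong passwords, then the correct one; returns the status codes."""
    clock = [1000.0]
    store = LockoutStore(clock=lambda: clock[0])
    share = PublicShare("3M5BhjTb4wCLQTC", "pass", "some data")   # values from the thread
    statuses = []
    for pwd in ["pwd123", "pwd123", "pwd123", "pwd123", "pass"]:
        clock[0] += 1.0
        status, _ = public_download(store, share, "172.17.0.1", pwd, check_before_verify)
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    print("lockout checked only after a failure:", replay_thread_scenario(False))
    print("lockout checked before verification:", replay_thread_scenario(True))
```

With the check only on the failure path the replay yields `[401, 401, 401, 429, 200]`, i.e. the fourth bad password is told it is locked out but the correct one still downloads the file; with the check before verification it yields `[401, 401, 401, 429, 429]`, and the file stays blocked until the window expires.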
All the brute force protection logic relies on events emitted from core endpoints. If it is not working for some endpoint, we may have missed emitting some events from that endpoint.
I will look at it and report back here. By the way, thanks for driving this PR forward.
@phil-davis As I suspected, DAV accesses are not emitting the necessary events for link share auth. I opened a core PR to fix it here: owncloud/core#37430
Updated tests have been added to #90
After rebase of PR #90 just now, this is on top with the acceptance test commit cherry-picked from PR #111