fix: Add brute force protection to form endpoints

Endpoints that query for forms are now protected against brute force attacks to find valid forms, invalid hashes or IDs. Signed-off-by: Ferdinand Thiessen <[email protected]>
nextcloud · Aug 7, 2024 · 5b50cec · 5b50cec
1 parent 75f51b1
commit 5b50cec
Showing 1 changed file with 15 additions and 8 deletions.
diff --git a/lib/Controller/ApiController.php b/lib/Controller/ApiController.php
@@ -48,6 +48,8 @@
 
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Db\IMapperException;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\BruteForceProtection;
 use OCP\AppFramework\Http\DataDownloadResponse;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\Response;
@@ -132,23 +134,23 @@ public function getSharedForms(): DataResponse {
 	 * @CORS
 	 * @NoAdminRequired
 	 *
-	 * Get a partial form by its hash. Implicitely checks, if the user has access.
+	 * Get a partial form by its hash. Implicitly checks, if the user has access.
 	 *
 	 * @param string $hash The form hash
 	 * @return DataResponse
-	 * @throws OCSBadRequestException if forbidden or not found
 	 */
+	#[BruteForceProtection(action: 'form')]
 	public function getPartialForm(string $hash): DataResponse {
 		try {
 			$form = $this->formMapper->findByHash($hash);
 		} catch (IMapperException $e) {
 			$this->logger->debug('Could not find form');
-			throw new OCSBadRequestException();
+			return $this->throttledResponse(Http::STATUS_NOT_FOUND);
 		}
 
 		if (!$this->formsService->hasUserAccess($form)) {
 			$this->logger->debug('User has no permissions to get this form');
-			throw new OCSForbiddenException();
+			return $this->throttledResponse(Http::STATUS_NOT_FOUND);
 		}
 
 		return new DataResponse($this->formsService->getPartialFormArray($form));
@@ -162,21 +164,20 @@ public function getPartialForm(string $hash): DataResponse {
 	 *
 	 * @param int $id FormId
 	 * @return DataResponse
-	 * @throws OCSBadRequestException
-	 * @throws OCSForbiddenException
 	 */
+	#[BruteForceProtection(action: 'form')]
 	public function getForm(int $id): DataResponse {
 		try {
 			$form = $this->formMapper->findById($id);
 			$formData = $this->formsService->getForm($form);
 		} catch (IMapperException $e) {
 			$this->logger->debug('Could not find form');
-			throw new OCSBadRequestException();
+			return $this->throttledResponse(Http::STATUS_NOT_FOUND);
 		}
 
 		if (!$this->formsService->hasUserAccess($form)) {
 			$this->logger->debug('User has no permissions to get this form');
-			throw new OCSForbiddenException();
+			return $this->throttledResponse(Http::STATUS_NOT_FOUND);
 		}
 
 		return new DataResponse($formData);
@@ -1484,4 +1485,10 @@ private function getFormIfAllowed(int $id): Form {
 		}
 		return $form;
 	}
+
+	private function throttledResponse(int $status): DataResponse {
+		$response = new DataResponse([], $status);
+		$response->throttle();
+		return $response;
+	}
 }