From ce8b9c388ddaf73c6b35b7ece7fcdbf8618aee9f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Thu, 16 Jun 2016 11:45:14 +0200
Subject: [PATCH] add: rate limit for Login (+check Signup Limit earlier) fixes #37
Change-Id: I5927fb2c07e8eb481e03ba445110a4852e60e713
---
 src/org/cacert/gigi/pages/LoginPage.java | 8 ++++++++
 src/org/cacert/gigi/pages/main/RegisterPage.java | 2 +-
 src/org/cacert/gigi/pages/main/Signup.java | 9 +++++----
 .../cacert/gigi/pages/account/TestMailManagement.java | 1 +
 tests/org/cacert/gigi/pages/wot/TestAssurance.java | 1 +
 util-testing/org/cacert/gigi/DevelLauncher.java | 2 ++
 6 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/src/org/cacert/gigi/pages/LoginPage.java b/src/org/cacert/gigi/pages/LoginPage.java
index 97a0c29f..141c6ca1 100644
--- a/src/org/cacert/gigi/pages/LoginPage.java
+++ b/src/org/cacert/gigi/pages/LoginPage.java
@@ -21,12 +21,16 @@ import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.output.template.Form;
 import org.cacert.gigi.output.template.TranslateCommand;
+import org.cacert.gigi.pages.main.RegisterPage;
 import org.cacert.gigi.util.AuthorizationContext;
 import org.cacert.gigi.util.PasswordHash;
+import org.cacert.gigi.util.RateLimit;
 import org.cacert.gigi.util.ServerConstants;
 public class LoginPage extends Page {
+    public static final RateLimit RATE_LIMIT = new RateLimit(10, 5 * 60 * 1000);
+
     public class LoginForm extends Form {
         public LoginForm(HttpServletRequest hsr) {
@@ -35,6 +39,10 @@ public class LoginPage extends Page {
         @Override
         public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
+            if (RegisterPage.RATE_LIMIT.isLimitExceeded(req.getRemoteAddr())) {
+                outputError(out, req, "Rate Limit Exceeded");
+                return false;
+            }
             tryAuthWithUnpw(req);
             return false;
         }
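Review bot: In the second hunk of LoginPage.java, LoginForm.submit consults `RegisterPage.RATE_LIMIT` instead of the `LoginPage.RATE_LIMIT` that the first hunk introduces, so the new 10-per-5-minutes login limit is declared but never enforced. Login attempts are instead counted in the registration bucket (50 per 5 minutes), which throttles password guessing far more loosely than intended and means a burst of login attempts from one address also blocks registration from that address; it likewise makes the `LoginPage.RATE_LIMIT.bypass()` added in DevelLauncher.java ineffective for login. The guard should read `if (LoginPage.RATE_LIMIT.isLimitExceeded(req.getRemoteAddr())) {`, after which the `RegisterPage` import added in the first hunk is unused and can be dropped. Whether `req.getRemoteAddr()` is the client address or a reverse proxy's address depends on deployment, which the hunk does not show; if a proxy fronts the service, a per-address limit would throttle all clients together, so this is worth confirming. The enclosing LoginForm class continues outside the hunk.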
diff --git a/src/org/cacert/gigi/pages/main/RegisterPage.java b/src/org/cacert/gigi/pages/main/RegisterPage.java
index 4bc2cd95..1e6b3378 100644
--- a/src/org/cacert/gigi/pages/main/RegisterPage.java
+++ b/src/org/cacert/gigi/pages/main/RegisterPage.java
@@ -19,7 +19,7 @@ public class RegisterPage extends Page {
     public static final String PATH = "/register";
-    // 5 per 5 min
+    // 50 per 5 min
     public static final RateLimit RATE_LIMIT = new RateLimit(50, 5 * 60 * 1000);
     public RegisterPage() {
diff --git a/src/org/cacert/gigi/pages/main/Signup.java b/src/org/cacert/gigi/pages/main/Signup.java
index 0b9abb73..d341df28 100644
--- a/src/org/cacert/gigi/pages/main/Signup.java
+++ b/src/org/cacert/gigi/pages/main/Signup.java
@@ -93,6 +93,11 @@ public class Signup extends Form {
     @Override
     public synchronized boolean submit(PrintWriter out, HttpServletRequest req) {
+        if (RegisterPage.RATE_LIMIT.isLimitExceeded(req.getRemoteAddr())) {
+            outputError(out, req, "Rate Limit Exceeded");
+            return false;
+        }
+
         update(req);
         if (buildupName.getLname().trim().equals("")) {
             outputError(out, req, "Last name were blank.");
@@ -164,10 +169,6 @@ public class Signup extends Form {
         if (isFailed(out)) {
             return false;
         }
-        if (RegisterPage.RATE_LIMIT.isLimitExceeded(req.getRemoteAddr())) {
-            outputError(out, req, "Rate Limit Exceeded");
-            return false;
-        }
         try {
             run(req, pw1);
         } catch (SQLException e) {
diff --git a/tests/org/cacert/gigi/pages/account/TestMailManagement.java b/tests/org/cacert/gigi/pages/account/TestMailManagement.java
index 412e2d78..958954a3 100644
--- a/tests/org/cacert/gigi/pages/account/TestMailManagement.java
+++ b/tests/org/cacert/gigi/pages/account/TestMailManagement.java
@@ -21,6 +21,7 @@ public class TestMailManagement extends ClientTest {
     private String path = MailOverview.DEFAULT_PATH;
     public TestMailManagement() throws IOException {
+        clearCaches(); // and reset rate limits
         cookie = login(u.getEmail(), TEST_PASSWORD);
         assertTrue(isLoggedin(cookie));
     }
diff --git a/tests/org/cacert/gigi/pages/wot/TestAssurance.java b/tests/org/cacert/gigi/pages/wot/TestAssurance.java
index 260a88bd..d626cee0 100644
--- a/tests/org/cacert/gigi/pages/wot/TestAssurance.java
+++ b/tests/org/cacert/gigi/pages/wot/TestAssurance.java
@@ -31,6 +31,7 @@ public class TestAssurance extends ManagedTest {
     @Before
     public void setup() throws IOException {
+        clearCaches();
         assurerM = createUniqueName() + "@cacert-test.org";
         assureeM = createUniqueName() + "@cacert-test.org";
diff --git a/util-testing/org/cacert/gigi/DevelLauncher.java b/util-testing/org/cacert/gigi/DevelLauncher.java
index 5c292fab..f84d728b 100644
--- a/util-testing/org/cacert/gigi/DevelLauncher.java
+++ b/util-testing/org/cacert/gigi/DevelLauncher.java
@@ -32,6 +32,7 @@ import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.output.template.Template;
 import org.cacert.gigi.output.template.TranslateCommand;
+import org.cacert.gigi.pages.LoginPage;
 import org.cacert.gigi.pages.Page;
 import org.cacert.gigi.pages.account.certs.CertificateRequest;
 import org.cacert.gigi.pages.main.RegisterPage;
@@ -130,6 +131,7 @@ public class DevelLauncher {
         public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
             ObjectCache.clearAllCaches();
             RegisterPage.RATE_LIMIT.bypass();
+            LoginPage.RATE_LIMIT.bypass();
             CertificateRequest.RATE_LIMIT.bypass();
             resp.getWriter().println("All caches cleared.");
             System.out.println("Caches cleared.");
-- 
2.39.2