paste.chapril.org-privatebin/lib/Persistence/TrafficLimiter.php

<?php

/**
 * PrivateBin
 *
 * a zero-knowledge paste bin
 *
 * @link      https://github.com/PrivateBin/PrivateBin
 * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
 * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
 * @version   1.6.2
 */

namespace PrivateBin\Persistence;

use Exception;
use IPLib\Factory;
use IPLib\ParseStringFlag;
use PrivateBin\Configuration;
use PrivateBin\I18n;

/**
 * TrafficLimiter
 *
 * Handles traffic limiting, so no user does more than one call per 10 seconds.
 */
class TrafficLimiter extends AbstractPersistence
{
    /**
     * listed IPs are the only ones allowed to create, defaults to null
     *
     * @access private
     * @static
     * @var    string|null
     */
    private static $_creators = null;

    /**
     * listed IPs are exempted from limits, defaults to null
     *
     * @access private
     * @static
     * @var    string|null
     */
    private static $_exempted = null;

    /**
     * key to fetch IP address
     *
     * @access private
     * @static
     * @var    string
     */
    private static $_ipKey = 'REMOTE_ADDR';

    /**
     * time limit in seconds, defaults to 10s
     *
     * @access private
     * @static
     * @var    int
     */
    private static $_limit = 10;

    /**
     * set configuration options of the traffic limiter
     *
     * @access public
     * @static
     * @param Configuration $conf
     */
    public static function setConfiguration(Configuration $conf)
    {
        self::setCreators($conf->getKey('creators', 'traffic'));
        self::setExempted($conf->getKey('exempted', 'traffic'));
        self::setLimit($conf->getKey('limit', 'traffic'));

        if (($option = $conf->getKey('header', 'traffic')) !== '') {
            $httpHeader = 'HTTP_' . $option;
            if (array_key_exists($httpHeader, $_SERVER) && !empty($_SERVER[$httpHeader])) {
                self::$_ipKey = $httpHeader;
            }
        }
    }

    /**
     * set a list of creator IP(-ranges) as string
     *
     * @access public
     * @static
     * @param string $creators
     */
    public static function setCreators($creators)
    {
        self::$_creators = $creators;
    }

    /**
     * set a list of exempted IP(-ranges) as string
     *
     * @access public
     * @static
     * @param string $exempted
     */
    public static function setExempted($exempted)
    {
        self::$_exempted = $exempted;
    }

    /**
     * set the time limit in seconds
     *
     * @access public
     * @static
     * @param  int $limit
     */
    public static function setLimit($limit)
    {
        self::$_limit = $limit;
    }

    /**
     * get a HMAC of the current visitors IP address
     *
     * @access public
     * @static
     * @param  string $algo
     * @return string
     */
    public static function getHash($algo = 'sha512')
    {
        return hash_hmac($algo, $_SERVER[self::$_ipKey], ServerSalt::get());
    }

    /**
     * validate $_ipKey against configured ipranges. If matched we will ignore the ip
     *
     * @access private
     * @static
     * @param  string $ipRange
     * @return bool
     */
    private static function matchIp($ipRange = null)
    {
        if (is_string($ipRange)) {
            $ipRange = trim($ipRange);
        }
        $address = Factory::parseAddressString($_SERVER[self::$_ipKey]);
        $range   = Factory::parseRangeString(
            $ipRange,
            ParseStringFlag::IPV4_MAYBE_NON_DECIMAL | ParseStringFlag::IPV4SUBNET_MAYBE_COMPACT | ParseStringFlag::IPV4ADDRESS_MAYBE_NON_QUAD_DOTTED
        );

        // address could not be parsed, we might not be in IP space and try a string comparison instead
        if (is_null($address)) {
            return $_SERVER[self::$_ipKey] === $ipRange;
        }
        // range could not be parsed, possibly an invalid ip range given in config
        if (is_null($range)) {
            return false;
        }

        return $address->matches($range);
    }

    /**
     * make sure the IP address is allowed to perfom a request
     *
     * @access public
     * @static
     * @throws Exception
     * @return true
     */
    public static function canPass()
    {
        // if creators are defined, the traffic limiter will only allow creation
        // for these, with no limits, and skip any other rules
        if (!empty(self::$_creators)) {
            $creatorIps = explode(',', self::$_creators);
            foreach ($creatorIps as $ipRange) {
                if (self::matchIp($ipRange) === true) {
                    return true;
                }
            }
            throw new Exception(I18n::_('Your IP is not authorized to create pastes.'));
        }

        // disable limits if set to less then 1
        if (self::$_limit < 1) {
            return true;
        }

        // check if $_ipKey is exempted from ratelimiting
        if (!empty(self::$_exempted)) {
            $exIp_array = explode(',', self::$_exempted);
            foreach ($exIp_array as $ipRange) {
                if (self::matchIp($ipRange) === true) {
                    return true;
                }
            }
        }

        // used as array key, which are limited in length, hence using algo with shorter range
        $hash = self::getHash('sha256');
        $now  = time();
        $tl   = (int) self::$_store->getValue('traffic_limiter', $hash);
        self::$_store->purgeValues('traffic_limiter', $now - self::$_limit);
        if ($tl > 0 && ($tl + self::$_limit >= $now)) {
            $result = false;
        } else {
            $tl     = time();
            $result = true;
        }
        if (!self::$_store->setValue((string) $tl, 'traffic_limiter', $hash)) {
            error_log('failed to store the traffic limiter, it probably contains outdated information');
        }
        if ($result) {
            return true;
        }
        throw new Exception(I18n::_(
            'Please wait %d seconds between each post.',
            self::$_limit
        ));
    }
}
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`<?php`
Make it possible to exempt ips from the rate-limiter 2021-05-04 10:29:25 +02:00
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`/**`
renaming the fork to PrivateBin 2016-07-11 11:58:15 +02:00			`* PrivateBin`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`*`
			`* a zero-knowledge paste bin`
			`*`
renaming the fork to PrivateBin 2016-07-11 11:58:15 +02:00			`* @link https://github.com/PrivateBin/PrivateBin`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)`
Replace HTTP links with HTTPS Using this regexp: https://regex101.com/r/rZ2dE2/1 2016-07-19 13:56:52 +02:00			`* @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License`
1.6.2 release 2023-12-15 07:20:20 +01:00			`* @version 1.6.2`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`*/`
Fix style-ci errors 2016-12-12 18:43:23 +01:00
Fix typos 2016-12-12 18:49:08 +01:00			`namespace PrivateBin\Persistence;`
Renamed classes for full PSR-2 compliance, some cleanup 2016-08-09 11:54:42 +02:00
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`use Exception;`
use namespaces 2021-05-22 11:02:54 +02:00			`use IPLib\Factory;`
replace deprecated function calls 2022-02-26 07:18:59 +01:00			`use IPLib\ParseStringFlag;`
Renamed classes for full PSR-2 compliance, some cleanup 2016-08-09 11:54:42 +02:00			`use PrivateBin\Configuration;`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`use PrivateBin\I18n;`
Introduce PSR-4 autoloading 2016-07-21 17:09:48 +02:00
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`/**`
Renamed classes for full PSR-2 compliance, some cleanup 2016-08-09 11:54:42 +02:00			`* TrafficLimiter`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`*`
			`* Handles traffic limiting, so no user does more than one call per 10 seconds.`
			`*/`
Renamed classes for full PSR-2 compliance, some cleanup 2016-08-09 11:54:42 +02:00			`class TrafficLimiter extends AbstractPersistence`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`{`
			`/**`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`* listed IPs are the only ones allowed to create, defaults to null`
cleaned up phpdoc comments, added README on how to install and use it 2015-08-16 15:55:31 +02:00			`*`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`* @access private`
			`* @static`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`* @var string\|null`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`*/`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`private static $_creators = null;`
QA 2021-05-04 11:18:06 +02:00
Make it possible to exempt ips from the rate-limiter 2021-05-04 10:29:25 +02:00			`/**`
simplify/unify naming & wording of the two types of IP lists for the traffic limiter 2022-02-20 09:09:20 +01:00			`* listed IPs are exempted from limits, defaults to null`
Make it possible to exempt ips from the rate-limiter 2021-05-04 10:29:25 +02:00			`*`
			`* @access private`
			`* @static`
address Scrutinizer issues 2021-05-22 11:30:17 +02:00			`* @var string\|null`
Make it possible to exempt ips from the rate-limiter 2021-05-04 10:29:25 +02:00			`*/`
simplify/unify naming & wording of the two types of IP lists for the traffic limiter 2022-02-20 09:09:20 +01:00			`private static $_exempted = null;`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00
preparing unit test for model refactoring, refactoring traffic limiter 2015-09-26 17:57:46 +02:00			`/**`
			`* key to fetch IP address`
			`*`
			`* @access private`
			`* @static`
			`* @var string`
			`*/`
			`private static $_ipKey = 'REMOTE_ADDR';`

Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`/**`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`* time limit in seconds, defaults to 10s`
			`*`
			`* @access private`
			`* @static`
			`* @var int`
			`*/`
			`private static $_limit = 10;`

			`/**`
			`* set configuration options of the traffic limiter`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`*`
			`* @access public`
			`* @static`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`* @param Configuration $conf`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`*/`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`public static function setConfiguration(Configuration $conf)`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`{`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`self::setCreators($conf->getKey('creators', 'traffic'));`
			`self::setExempted($conf->getKey('exempted', 'traffic'));`
			`self::setLimit($conf->getKey('limit', 'traffic'));`

			`if (($option = $conf->getKey('header', 'traffic')) !== '') {`
			`$httpHeader = 'HTTP_' . $option;`
			`if (array_key_exists($httpHeader, $_SERVER) && !empty($_SERVER[$httpHeader])) {`
			`self::$_ipKey = $httpHeader;`
			`}`
			`}`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`}`

Make it possible to exempt ips from the rate-limiter 2021-05-04 10:29:25 +02:00			`/**`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`* set a list of creator IP(-ranges) as string`
			`*`
			`* @access public`
			`* @static`
			`* @param string $creators`
			`*/`
			`public static function setCreators($creators)`
			`{`
			`self::$_creators = $creators;`
			`}`

			`/**`
			`* set a list of exempted IP(-ranges) as string`
Make it possible to exempt ips from the rate-limiter 2021-05-04 10:29:25 +02:00			`*`
			`* @access public`
			`* @static`
simplify/unify naming & wording of the two types of IP lists for the traffic limiter 2022-02-20 09:09:20 +01:00			`* @param string $exempted`
Make it possible to exempt ips from the rate-limiter 2021-05-04 10:29:25 +02:00			`*/`
simplify/unify naming & wording of the two types of IP lists for the traffic limiter 2022-02-20 09:09:20 +01:00			`public static function setExempted($exempted)`
Make it possible to exempt ips from the rate-limiter 2021-05-04 10:29:25 +02:00			`{`
simplify/unify naming & wording of the two types of IP lists for the traffic limiter 2022-02-20 09:09:20 +01:00			`self::$_exempted = $exempted;`
Make it possible to exempt ips from the rate-limiter 2021-05-04 10:29:25 +02:00			`}`

preparing unit test for model refactoring, refactoring traffic limiter 2015-09-26 17:57:46 +02:00			`/**`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`* set the time limit in seconds`
preparing unit test for model refactoring, refactoring traffic limiter 2015-09-26 17:57:46 +02:00			`*`
			`* @access public`
			`* @static`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`* @param int $limit`
preparing unit test for model refactoring, refactoring traffic limiter 2015-09-26 17:57:46 +02:00			`*/`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`public static function setLimit($limit)`
preparing unit test for model refactoring, refactoring traffic limiter 2015-09-26 17:57:46 +02:00			`{`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`self::$_limit = $limit;`
preparing unit test for model refactoring, refactoring traffic limiter 2015-09-26 17:57:46 +02:00			`}`

			`/**`
implemented Identicon library as new default for comment icons, made Vizhash an optional alternative, refactored Vizhash and removed string lenghtening 2016-08-10 17:41:46 +02:00			`* get a HMAC of the current visitors IP address`
preparing unit test for model refactoring, refactoring traffic limiter 2015-09-26 17:57:46 +02:00			`*`
			`* @access public`
			`* @static`
implemented Identicon library as new default for comment icons, made Vizhash an optional alternative, refactored Vizhash and removed string lenghtening 2016-08-10 17:41:46 +02:00			`* @param string $algo`
preparing unit test for model refactoring, refactoring traffic limiter 2015-09-26 17:57:46 +02:00			`* @return string`
			`*/`
implemented Identicon library as new default for comment icons, made Vizhash an optional alternative, refactored Vizhash and removed string lenghtening 2016-08-10 17:41:46 +02:00			`public static function getHash($algo = 'sha512')`
preparing unit test for model refactoring, refactoring traffic limiter 2015-09-26 17:57:46 +02:00			`{`
implemented Identicon library as new default for comment icons, made Vizhash an optional alternative, refactored Vizhash and removed string lenghtening 2016-08-10 17:41:46 +02:00			`return hash_hmac($algo, $_SERVER[self::$_ipKey], ServerSalt::get());`
preparing unit test for model refactoring, refactoring traffic limiter 2015-09-26 17:57:46 +02:00			`}`

Put the ip-matching function in a private function 2021-05-06 12:13:03 +02:00			`/**`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`* validate $_ipKey against configured ipranges. If matched we will ignore the ip`
Put the ip-matching function in a private function 2021-05-06 12:13:03 +02:00			`*`
			`* @access private`
			`* @static`
Put the ip-matching function in a private function 2021-05-06 12:18:44 +02:00			`* @param string $ipRange`
			`* @return bool`
Put the ip-matching function in a private function 2021-05-06 12:13:03 +02:00			`*/`
			`private static function matchIp($ipRange = null)`
			`{`
address Scrutinizer issues 2021-05-22 11:30:17 +02:00			`if (is_string($ipRange)) {`
			`$ipRange = trim($ipRange);`
			`}`
replace deprecated function calls 2022-02-26 07:18:59 +01:00			`$address = Factory::parseAddressString($_SERVER[self::$_ipKey]);`
actually support the short CIDR notation 2022-02-28 16:24:06 +01:00			`$range = Factory::parseRangeString(`
			`$ipRange,`
			`ParseStringFlag::IPV4_MAYBE_NON_DECIMAL \| ParseStringFlag::IPV4SUBNET_MAYBE_COMPACT \| ParseStringFlag::IPV4ADDRESS_MAYBE_NON_QUAD_DOTTED`
			`);`
Optimized the canPass() functions 2021-05-19 08:47:35 +02:00
testing IP exemption, handle corner cases found in testing 2021-05-22 10:59:47 +02:00			`// address could not be parsed, we might not be in IP space and try a string comparison instead`
be more precise 2021-05-22 11:35:53 +02:00			`if (is_null($address)) {`
testing IP exemption, handle corner cases found in testing 2021-05-22 10:59:47 +02:00			`return $_SERVER[self::$_ipKey] === $ipRange;`
			`}`
			`// range could not be parsed, possibly an invalid ip range given in config`
be more precise 2021-05-22 11:35:53 +02:00			`if (is_null($range)) {`
Optimized the canPass() functions 2021-05-19 09:01:45 +02:00			`return false;`
			`}`
Optimized the canPass() functions 2021-05-19 08:47:35 +02:00
ip-lib doesn't except on the matches interfaces 2021-06-13 08:26:05 +02:00			`return $address->matches($range);`
Put the ip-matching function in a private function 2021-05-06 12:13:03 +02:00			`}`

Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`/**`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`* make sure the IP address is allowed to perfom a request`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`*`
			`* @access public`
			`* @static`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`* @throws Exception`
			`* @return true`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`*/`
preparing unit test for model refactoring, refactoring traffic limiter 2015-09-26 17:57:46 +02:00			`public static function canPass()`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`{`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`// if creators are defined, the traffic limiter will only allow creation`
			`// for these, with no limits, and skip any other rules`
			`if (!empty(self::$_creators)) {`
			`$creatorIps = explode(',', self::$_creators);`
			`foreach ($creatorIps as $ipRange) {`
			`if (self::matchIp($ipRange) === true) {`
			`return true;`
			`}`
			`}`
			`throw new Exception(I18n::_('Your IP is not authorized to create pastes.'));`
			`}`

preparing unit test for model refactoring, refactoring traffic limiter 2015-09-26 17:57:46 +02:00			`// disable limits if set to less then 1`
Convert to PSR-2 coding style (using phpcs-fixer) 2016-07-26 08:19:35 +02:00			`if (self::$_limit < 1) {`
			`return true;`
			`}`
Put the ip-matching function in a private function 2021-05-06 12:18:44 +02:00
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`// check if $_ipKey is exempted from ratelimiting`
simplify/unify naming & wording of the two types of IP lists for the traffic limiter 2022-02-20 09:09:20 +01:00			`if (!empty(self::$_exempted)) {`
			`$exIp_array = explode(',', self::$_exempted);`
Make it possible to exempt ips from the rate-limiter 2021-05-04 10:29:25 +02:00			`foreach ($exIp_array as $ipRange) {`
Put the ip-matching function in a private function 2021-05-06 12:18:44 +02:00			`if (self::matchIp($ipRange) === true) {`
Make it possible to exempt ips from the rate-limiter 2021-05-04 10:29:25 +02:00			`return true;`
			`}`
			`}`
			`}`
Added more configuration options, based on patch by Uli Köhler 2013-10-30 23:54:42 +01:00
small unit test refactoring, comment wording 2022-02-20 09:30:41 +01:00			`// used as array key, which are limited in length, hence using algo with shorter range`
implemented Identicon library as new default for comment icons, made Vizhash an optional alternative, refactored Vizhash and removed string lenghtening 2016-08-10 17:41:46 +02:00			`$hash = self::getHash('sha256');`
apply StyleCI recommendation 2021-06-09 19:16:22 +02:00			`$now = time();`
			`$tl = (int) self::$_store->getValue('traffic_limiter', $hash);`
folding Persistance\TrafficLimiter into Data\Filesystem 2021-06-08 07:49:22 +02:00			`self::$_store->purgeValues('traffic_limiter', $now - self::$_limit);`
			`if ($tl > 0 && ($tl + self::$_limit >= $now)) {`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`$result = false;`
			`} else {`
folding Persistance\TrafficLimiter into Data\Filesystem 2021-06-08 07:49:22 +02:00			`$tl = time();`
			`$result = true;`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`}`
log errors storing persistance 2021-06-16 05:32:45 +02:00			`if (!self::$_store->setValue((string) $tl, 'traffic_limiter', $hash)) {`
			`error_log('failed to store the traffic limiter, it probably contains outdated information');`
			`}`
apply StyleCI recommendation 2022-02-20 12:25:55 +01:00			`if ($result) {`
			`return true;`
			`}`
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00			`throw new Exception(I18n::_(`
			`'Please wait %d seconds between each post.',`
			`self::$_limit`
			`));`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`}`
			`}`