unify IP-related logic into traffic limiter

2025-08-02 19:46:09 -04:00 · 2022-02-20 11:25:19 +01:00 · 2022-02-20 11:25:19 +01:00 · 1034d4038e
commit 1034d4038e
parent dbe8debe30
3 changed files with 101 additions and 60 deletions
--- a/lib/Persistence/TrafficLimiter.php
+++ b/lib/Persistence/TrafficLimiter.php
@ -13,8 +13,10 @@

 namespace PrivateBin\Persistence;

+use Exception;
 use IPLib\Factory;
 use PrivateBin\Configuration;
+use PrivateBin\I18n;

 /**
 * TrafficLimiter
@ -24,13 +26,13 @@ use PrivateBin\Configuration;
 class TrafficLimiter extends AbstractPersistence
 {
    /**
-     * time limit in seconds, defaults to 10s
+     * listed IPs are the only ones allowed to create, defaults to null
     *
     * @access private
     * @static
-     * @var    int
+     * @var    string|null
     */
-    private static $_limit = 10;
+    private static $_creators = null;

    /**
     * listed IPs are exempted from limits, defaults to null
@ -51,19 +53,49 @@ class TrafficLimiter extends AbstractPersistence
    private static $_ipKey = 'REMOTE_ADDR';

    /**
-     * set the time limit in seconds
+     * time limit in seconds, defaults to 10s
+     *
+     * @access private
+     * @static
+     * @var    int
+     */
+    private static $_limit = 10;
+
+    /**
+     * set configuration options of the traffic limiter
     *
     * @access public
     * @static
-     * @param  int $limit
+     * @param Configuration $conf
     */
-    public static function setLimit($limit)
+    public static function setConfiguration(Configuration $conf)
    {
-        self::$_limit = $limit;
+        self::setCreators($conf->getKey('creators', 'traffic'));
+        self::setExempted($conf->getKey('exempted', 'traffic'));
+        self::setLimit($conf->getKey('limit', 'traffic'));
+
+        if (($option = $conf->getKey('header', 'traffic')) !== '') {
+            $httpHeader = 'HTTP_' . $option;
+            if (array_key_exists($httpHeader, $_SERVER) && !empty($_SERVER[$httpHeader])) {
+                self::$_ipKey = $httpHeader;
+            }
+        }
    }

    /**
-     * set a list of IP(-ranges) as string
+     * set a list of creator IP(-ranges) as string
+     *
+     * @access public
+     * @static
+     * @param string $creators
+     */
+    public static function setCreators($creators)
+    {
+        self::$_creators = $creators;
+    }
+
+    /**
+     * set a list of exempted IP(-ranges) as string
     *
     * @access public
     * @static
@ -75,23 +107,15 @@ class TrafficLimiter extends AbstractPersistence
    }

    /**
-     * set configuration options of the traffic limiter
+     * set the time limit in seconds
     *
     * @access public
     * @static
-     * @param Configuration $conf
+     * @param  int $limit
     */
-    public static function setConfiguration(Configuration $conf)
+    public static function setLimit($limit)
    {
-        self::setLimit($conf->getKey('limit', 'traffic'));
-        self::setExempted($conf->getKey('exempted', 'traffic'));
-
-        if (($option = $conf->getKey('header', 'traffic')) !== '') {
-            $httpHeader = 'HTTP_' . $option;
-            if (array_key_exists($httpHeader, $_SERVER) && !empty($_SERVER[$httpHeader])) {
-                self::$_ipKey = $httpHeader;
-            }
-        }
+        self::$_limit = $limit;
    }

    /**
@ -108,7 +132,7 @@ class TrafficLimiter extends AbstractPersistence
    }

    /**
-     * Validate $_ipKey against configured ipranges. If matched we will ignore the ip
+     * validate $_ipKey against configured ipranges. If matched we will ignore the ip
     *
     * @access private
     * @static
@ -136,22 +160,33 @@ class TrafficLimiter extends AbstractPersistence
    }

    /**
-     * traffic limiter
-     *
-     * Make sure the IP address makes at most 1 request every 10 seconds.
+     * make sure the IP address is allowed to perfom a request
     *
     * @access public
     * @static
-     * @return bool
+     * @throws Exception
+     * @return true
     */
    public static function canPass()
    {
+        // if creators are defined, the traffic limiter will only allow creation
+        // for these, with no limits, and skip any other rules
+        if (!empty(self::$_creators)) {
+            $creatorIps = explode(',', self::$_creators);
+            foreach ($creatorIps as $ipRange) {
+                if (self::matchIp($ipRange) === true) {
+                    return true;
+                }
+            }
+            throw new Exception(I18n::_('Your IP is not authorized to create pastes.'));
+        }
+
        // disable limits if set to less then 1
        if (self::$_limit < 1) {
            return true;
        }

-        // Check if $_ipKey is exempted from ratelimiting
+        // check if $_ipKey is exempted from ratelimiting
        if (!empty(self::$_exempted)) {
            $exIp_array = explode(',', self::$_exempted);
            foreach ($exIp_array as $ipRange) {
@ -175,6 +210,10 @@ class TrafficLimiter extends AbstractPersistence
        if (!self::$_store->setValue((string) $tl, 'traffic_limiter', $hash)) {
            error_log('failed to store the traffic limiter, it probably contains outdated information');
        }
-        return $result;
+        if ($result) return true;
+        throw new Exception(I18n::_(
+            'Please wait %d seconds between each post.',
+            self::$_limit
+        ));
    }
 }