lindeas
/
jilo-web
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases 5 Wiki Activity

Adds ratelimiting to some pages

main
Yasen Pramatarov 2025-02-17 15:15:05 +02:00
parent c465fbfdf4
commit 144dd6e742
7 changed files with 30 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/pages/agents.php
View File

@ -47,6 +47,11 @@ function isCacheExpired($agentId) {
// Handle POST request (saving to cache) // Handle POST request (saving to cache)
if ($_SERVER['REQUEST_METHOD'] === 'POST') { if ($_SERVER['REQUEST_METHOD'] === 'POST') {
// Apply rate limiting for adding new contacts
require '../app/includes/rate_limit_middleware.php';
checkRateLimit($dbWeb, 'contact', $user_id);
// Validate agent ID for POST operations // Validate agent ID for POST operations
if ($agentId === false || $agentId === null) { if ($agentId === false || $agentId === null) {
Feedback::flash('ERROR', 'DEFAULT', 'Invalid agent ID format'); Feedback::flash('ERROR', 'DEFAULT', 'Invalid agent ID format');

6
app/pages/config.php
View File

@ -11,9 +11,10 @@ include '../app/includes/feedback-get.php';
include '../app/includes/feedback-show.php'; include '../app/includes/feedback-show.php';
require '../app/classes/config.php'; require '../app/classes/config.php';
$configObject = new Config(); $configObject = new Config();
require '../app/includes/rate_limit_middleware.php';
// For AJAX requests // For AJAX requests
$isAjax = !empty($_SERVER['HTTP_X_REQUESTED_WITH']) && $isAjax = !empty($_SERVER['HTTP_X_REQUESTED_WITH']) &&
strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest'; strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest';
@ -26,6 +27,9 @@ if (!$isWritable) {
} }
if ($_SERVER['REQUEST_METHOD'] === 'POST') { if ($_SERVER['REQUEST_METHOD'] === 'POST') {
// Apply rate limiting
checkRateLimit($dbWeb, 'config', $user_id);
// Ensure no output before this point // Ensure no output before this point
ob_clean(); ob_clean();

4
app/pages/login.php
View File

@ -27,6 +27,10 @@ try {
if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) { if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) {
try { try {
// apply page rate limiting
require_once '../app/includes/rate_limit_middleware.php';
checkRateLimit($dbWeb, 'login', null); // null since user is not logged in yet
// Validate form data // Validate form data
$security = SecurityHelper::getInstance(); $security = SecurityHelper::getInstance();
$formData = $security->sanitizeArray($_POST, ['username', 'password', 'remember_me', 'csrf_token']); $formData = $security->sanitizeArray($_POST, ['username', 'password', 'remember_me', 'csrf_token']);

2
app/pages/profile.php
View File

@ -21,7 +21,7 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// Apply rate limiting for profile operations // Apply rate limiting for profile operations
require_once '../app/includes/rate_limit_middleware.php'; require_once '../app/includes/rate_limit_middleware.php';
checkRateLimit($db, 'profile', $user_id); checkRateLimit($dbWeb, 'profile', $user_id);
$item = $_REQUEST['item'] ?? ''; $item = $_REQUEST['item'] ?? '';

5
app/pages/register.php
View File

@ -17,6 +17,11 @@ if ($config['registration_enabled'] == true) {
$dbWeb = connectDB($config); $dbWeb = connectDB($config);
if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) { if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) {
// Apply rate limiting
require '../app/includes/rate_limit_middleware.php';
checkRateLimit($dbWeb, 'register');
require_once '../app/classes/validator.php'; require_once '../app/classes/validator.php';
$validator = new Validator($_POST); $validator = new Validator($_POST);

7
app/pages/security.php
View File

@ -24,6 +24,11 @@ $rateLimiter = new RateLimiter($dbWeb);
// Handle form submissions // Handle form submissions
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) { if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) {
require_once '../app/classes/validator.php'; require_once '../app/classes/validator.php';
// Apply rate limiting for security operations
require_once '../app/includes/rate_limit_middleware.php';
checkRateLimit($dbWeb, 'security', $user_id);
$action = $_POST['action']; $action = $_POST['action'];
$validator = new Validator($_POST); $validator = new Validator($_POST);
@ -147,7 +152,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) {
// Always show rate limit info message for rate limiting section // Always show rate limit info message for rate limiting section
if ($section === 'ratelimit') { if ($section === 'ratelimit') {
$messages[] = ['category' => 'SECURITY', 'key' => 'RATE_LIMIT_INFO']; $system_messages[] = ['category' => 'SECURITY', 'key' => 'RATE_LIMIT_INFO'];
} }
// Get current lists // Get current lists

4
app/pages/settings.php
View File

@ -26,6 +26,10 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
* Handles form submissions from editing * Handles form submissions from editing
*/ */
// Apply rate limiting for profile operations
require_once '../app/includes/rate_limit_middleware.php';
checkRateLimit($dbWeb, 'profile', $user_id);
// Get hash from URL if present // Get hash from URL if present
$hash = parse_url($_SERVER['REQUEST_URI'], PHP_URL_FRAGMENT) ?? ''; $hash = parse_url($_SERVER['REQUEST_URI'], PHP_URL_FRAGMENT) ?? '';
$redirectUrl = htmlspecialchars($app_root) . '?page=settings'; $redirectUrl = htmlspecialchars($app_root) . '?page=settings';