new: [registration] added optional registration flood protection

- As reported by Dawid Czarnecki from Zigrin Security
2022-02-07 02:03:41 +01:00 · 2022-02-07 02:03:41 +01:00 · d45a4dc499
parent e6643365d2
commit d45a4dc499
2 changed files with 27 additions and 0 deletions
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@ -311,6 +311,9 @@ class UsersController extends AppController
        if (empty(Configure::read('security.registration.self-registration'))) {
            throw new UnauthorizedException(__('User self-registration is not open.'));
        }
+        if (!empty(Configure::read('security.registration.floodProtection'))) {
+            $this->FloodProtection->check('register');
+        }
        if ($this->request->is('post')) {
            $data = $this->request->getData();
            $this->InboxProcessors = TableRegistry::getTableLocator()->get('InboxProcessors');
@ -327,6 +330,9 @@ class UsersController extends AppController
                ],
            ];
            $processorResult = $processor->create($data);
+            if (!empty(Configure::read('security.registration.floodProtection'))) {
+                $this->FloodProtection->set('register');
+            }
            return $processor->genHTTPReply($this, $processorResult, ['controller' => 'Inbox', 'action' => 'index']);
        }
        $this->viewBuilder()->setLayout('login');
--- a/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
+++ b/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
@ -274,6 +274,21 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
                ]
            ],
            'Security' => [
+                'Logging' => [
+                    'Logging' => [
+                        'security.logging.ip_source' => [
+                            'name' => __('Set IP source'),
+                            'type' => 'select',
+                            'description' => __('Select where the harvested IP should come from. This defaults to REMOTE_ADDR, but for instances behind a proxy HTTP_X_FORWARDED_FOR or HTTP_CLIENT_IP might make more sense.'),
+                            'default' => 'REMOTE_ADDR',
+                            'options' => [
+                                'REMOTE_ADDR' => 'REMOTE_ADDR',
+                                'HTTP_X_FORWARDED_FOR' => 'HTTP_X_FORWARDED_FOR',
+                                'HTTP_CLIENT_IP' => __('HTTP_CLIENT_IP'),
+                            ],
+                        ],
+                    ]
+                ],
                'Registration' => [
                    'Registration' => [
                        'security.registration.self-registration' => [
@ -282,6 +297,12 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
                            'description' => __('Enable the self-registration feature where user can request account creation. Admin can view the request and accept it in the application inbox.'),
                            'default' => false,
                        ],
+                        'security.registration.floodProtection' => [
+                            'name' => __('Enable registration flood-protection'),
+                            'type' => 'boolean',
+                            'description' => __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
+                            'default' => false,
+                        ],
                    ]
                ],
                'Development' => [