fix(dav): Limit share/unshare requests per user

kesselb · kesselb · commit b76a3baf9f2e · 2026-04-21T11:23:05.000+02:00
AI-assisted: OpenCode (gpt-5.4)

Signed-off-by: Daniel Kesselberg &lt;mail@danielkesselberg.de&gt;
diff --git a/apps/dav/composer/composer/autoload_classmap.php b/apps/dav/composer/composer/autoload_classmap.php
@@ -268,6 +268,7 @@
     'OCA\\DAV\\DAV\\GroupPrincipalBackend' => $baseDir . '/../lib/DAV/GroupPrincipalBackend.php',
     'OCA\\DAV\\DAV\\PublicAuth' => $baseDir . '/../lib/DAV/PublicAuth.php',
     'OCA\\DAV\\DAV\\RemoteUserPrincipalBackend' => $baseDir . '/../lib/DAV/RemoteUserPrincipalBackend.php',
+    'OCA\\DAV\\DAV\\Security\\RateLimiting' => $baseDir . '/../lib/DAV/Security/RateLimiting.php',
     'OCA\\DAV\\DAV\\Sharing\\Backend' => $baseDir . '/../lib/DAV/Sharing/Backend.php',
     'OCA\\DAV\\DAV\\Sharing\\IShareable' => $baseDir . '/../lib/DAV/Sharing/IShareable.php',
     'OCA\\DAV\\DAV\\Sharing\\Plugin' => $baseDir . '/../lib/DAV/Sharing/Plugin.php',
diff --git a/apps/dav/composer/composer/autoload_static.php b/apps/dav/composer/composer/autoload_static.php
@@ -283,6 +283,7 @@ class ComposerStaticInitDAV
         'OCA\\DAV\\DAV\\GroupPrincipalBackend' => __DIR__ . '/..' . '/../lib/DAV/GroupPrincipalBackend.php',
         'OCA\\DAV\\DAV\\PublicAuth' => __DIR__ . '/..' . '/../lib/DAV/PublicAuth.php',
         'OCA\\DAV\\DAV\\RemoteUserPrincipalBackend' => __DIR__ . '/..' . '/../lib/DAV/RemoteUserPrincipalBackend.php',
+        'OCA\\DAV\\DAV\\Security\\RateLimiting' => __DIR__ . '/..' . '/../lib/DAV/Security/RateLimiting.php',
         'OCA\\DAV\\DAV\\Sharing\\Backend' => __DIR__ . '/..' . '/../lib/DAV/Sharing/Backend.php',
         'OCA\\DAV\\DAV\\Sharing\\IShareable' => __DIR__ . '/..' . '/../lib/DAV/Sharing/IShareable.php',
         'OCA\\DAV\\DAV\\Sharing\\Plugin' => __DIR__ . '/..' . '/../lib/DAV/Sharing/Plugin.php',
diff --git a/apps/dav/lib/DAV/Security/RateLimiting.php b/apps/dav/lib/DAV/Security/RateLimiting.php
@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\DAV\DAV\Security;
+
+use OCA\DAV\Connector\Sabre\Exception\TooManyRequests;
+use OCP\IAppConfig;
+use OCP\IUserManager;
+use OCP\Security\RateLimiting\ILimiter;
+use OCP\Security\RateLimiting\IRateLimitExceededException;
+
+class RateLimiting {
+
+	public function __construct(
+		private readonly ILimiter $limiter,
+		private readonly IUserManager $userManager,
+		private readonly IAppConfig $config,
+		private readonly ?string $userId,
+	) {
+	}
+
+	/**
+	 * @throws TooManyRequests
+	 */
+	public function check(): void {
+		if ($this->userId === null) {
+			return;
+		}
+
+		$user = $this->userManager->get($this->userId);
+		if ($user === null) {
+			return;
+		}
+
+		$identifier = 'share-addressbook-or-calendar';
+		$userLimit = $this->config->getValueInt('dav', 'rateLimitShareAddressbookOrCalendar', 20);
+		$userPeriod = $this->config->getValueInt('dav', 'rateLimitPeriodShareAddressbookOrCalendar', 3600);
+
+		try {
+			$this->limiter->registerUserRequest($identifier, $userLimit, $userPeriod, $user);
+		} catch (IRateLimitExceededException $e) {
+			throw new TooManyRequests('Too many addressbook or calendar share requests', 0, $e);
+		}
+	}
+}
diff --git a/apps/dav/lib/DAV/Sharing/Plugin.php b/apps/dav/lib/DAV/Sharing/Plugin.php
@@ -10,6 +10,7 @@
 use OCA\DAV\CalDAV\CalDavBackend;
 use OCA\DAV\CalDAV\CalendarHome;
 use OCA\DAV\Connector\Sabre\Auth;
+use OCA\DAV\DAV\Security\RateLimiting;
 use OCA\DAV\DAV\Sharing\Xml\Invite;
 use OCA\DAV\DAV\Sharing\Xml\ShareRequest;
 use OCP\AppFramework\Http;
@@ -29,17 +30,11 @@ class Plugin extends ServerPlugin {
 	public const NS_OWNCLOUD = 'http://owncloud.org/ns';
 	public const NS_NEXTCLOUD = 'http://nextcloud.com/ns';
 
-	/**
-	 * Plugin constructor.
-	 *
-	 * @param Auth $auth
-	 * @param IRequest $request
-	 * @param IConfig $config
-	 */
 	public function __construct(
 		private Auth $auth,
 		private IRequest $request,
 		private IConfig $config,
+		private RateLimiting $rateLimiting,
 	) {
 	}
 
@@ -137,6 +132,7 @@ public function httpPost(RequestInterface $request, ResponseInterface $response)
 			// calendar.
 			case '{' . self::NS_OWNCLOUD . '}share':
 
+				$this->rateLimiting->check();
 				$this->validateShareRequest($message);
 
 				// We can only deal with IShareableCalendar objects
@@ -160,7 +156,7 @@ public function httpPost(RequestInterface $request, ResponseInterface $response)
 						return;
 					}
 				}
-				
+
 				$node->updateShares($message->set, $message->remove);
 
 				$response->setStatus(Http::STATUS_OK);
diff --git a/apps/dav/lib/Server.php b/apps/dav/lib/Server.php
@@ -56,6 +56,7 @@
 use OCA\DAV\Connector\Sabre\ZipFolderPlugin;
 use OCA\DAV\DAV\CustomPropertiesBackend;
 use OCA\DAV\DAV\PublicAuth;
+use OCA\DAV\DAV\Security\RateLimiting;
 use OCA\DAV\DAV\ViewOnlyPlugin;
 use OCA\DAV\Db\PropertyMapper;
 use OCA\DAV\Events\SabrePluginAddEvent;
@@ -200,7 +201,7 @@ public function __construct(
 
 		// calendar plugins
 		if ($this->requestIsForSubtree(['calendars', 'public-calendars', 'system-calendars', 'principals'])) {
-			$this->server->addPlugin(new DAV\Sharing\Plugin($authBackend, \OCP\Server::get(IRequest::class), \OCP\Server::get(IConfig::class)));
+			$this->server->addPlugin(new DAV\Sharing\Plugin($authBackend, \OCP\Server::get(IRequest::class), \OCP\Server::get(IConfig::class), \OCP\Server::get(RateLimiting::class)));
 			$this->server->addPlugin(new \OCA\DAV\CalDAV\Plugin());
 			$this->server->addPlugin(new ICSExportPlugin(\OCP\Server::get(IConfig::class), $logger));
 			$this->server->addPlugin(new \OCA\DAV\CalDAV\Schedule\Plugin(\OCP\Server::get(IConfig::class), \OCP\Server::get(LoggerInterface::class), \OCP\Server::get(DefaultCalendarValidator::class)));
@@ -223,7 +224,7 @@ public function __construct(
 
 		// addressbook plugins
 		if ($this->requestIsForSubtree(['addressbooks', 'principals'])) {
-			$this->server->addPlugin(new DAV\Sharing\Plugin($authBackend, \OCP\Server::get(IRequest::class), \OCP\Server::get(IConfig::class)));
+			$this->server->addPlugin(new DAV\Sharing\Plugin($authBackend, \OCP\Server::get(IRequest::class), \OCP\Server::get(IConfig::class), \OCP\Server::get(RateLimiting::class)));
 			$this->server->addPlugin(new \OCA\DAV\CardDAV\Plugin());
 			$this->server->addPlugin(new VCFExportPlugin());
 			$this->server->addPlugin(new MultiGetExportPlugin());
diff --git a/apps/dav/tests/unit/CardDAV/Sharing/PluginTest.php b/apps/dav/tests/unit/CardDAV/Sharing/PluginTest.php
diff --git a/apps/dav/tests/unit/DAV/Security/RateLimitingTest.php b/apps/dav/tests/unit/DAV/Security/RateLimitingTest.php
@@ -0,0 +1,102 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\DAV\Tests\unit\DAV\Security;
+
+use OCA\DAV\Connector\Sabre\Exception\TooManyRequests;
+use OCA\DAV\DAV\Security\RateLimiting;
+use OCP\IAppConfig;
+use OCP\IUser;
+use OCP\IUserManager;
+use OCP\Security\RateLimiting\ILimiter;
+use OCP\Security\RateLimiting\IRateLimitExceededException;
+use PHPUnit\Framework\MockObject\MockObject;
+use Test\TestCase;
+
+class RateLimitingTest extends TestCase {
+	private ILimiter&MockObject $limiter;
+	private IUserManager&MockObject $userManager;
+	private IAppConfig&MockObject $config;
+	private RateLimiting $rateLimiting;
+	private string $userId = 'user123';
+
+	protected function setUp(): void {
+		parent::setUp();
+
+		$this->limiter = $this->createMock(ILimiter::class);
+		$this->userManager = $this->createMock(IUserManager::class);
+		$this->config = $this->createMock(IAppConfig::class);
+		$this->rateLimiting = new RateLimiting(
+			$this->limiter,
+			$this->userManager,
+			$this->config,
+			$this->userId,
+		);
+	}
+
+	public function testNoUserObject(): void {
+		$this->userManager->expects(self::once())
+			->method('get')
+			->with($this->userId)
+			->willReturn(null);
+		$this->limiter->expects(self::never())
+			->method('registerUserRequest');
+
+		$this->rateLimiting->check();
+	}
+
+	public function testRegisterShareRequest(): void {
+		$user = $this->createMock(IUser::class);
+		$this->userManager->expects(self::once())
+			->method('get')
+			->with($this->userId)
+			->willReturn($user);
+		$this->config->method('getValueInt')
+			->willReturnCallback(static function (string $app, string $key, int $default): int {
+				return match ($key) {
+					'rateLimitShareAddressbookOrCalendar' => 7,
+					'rateLimitPeriodShareAddressbookOrCalendar' => 600,
+					default => $default,
+				};
+			});
+		$this->limiter->expects(self::once())
+			->method('registerUserRequest')
+			->with(
+				'share-addressbook-or-calendar',
+				7,
+				600,
+				$user,
+			);
+
+		$this->rateLimiting->check();
+	}
+
+	public function testShareRequestRateLimitExceeded(): void {
+		$user = $this->createMock(IUser::class);
+		$this->userManager->expects(self::once())
+			->method('get')
+			->with($this->userId)
+			->willReturn($user);
+		$this->config->method('getValueInt')
+			->willReturnArgument(2);
+		$this->limiter->expects(self::once())
+			->method('registerUserRequest')
+			->with(
+				'share-addressbook-or-calendar',
+				20,
+				3600,
+				$user,
+			)
+			->willThrowException($this->createMock(IRateLimitExceededException::class));
+
+		$this->expectException(TooManyRequests::class);
+
+		$this->rateLimiting->check();
+	}
+}
