rate limiter for export downloads

kprovance · kprovance · commit 88228a49f493 · 2026-01-05T22:08:03.000-05:00
Signed-off-by: Kev Provance &lt;kevin.provance@gmail.com&gt;
diff --git a/redux-core/class-redux-core.php b/redux-core/class-redux-core.php
@@ -235,11 +235,12 @@ public static function plugins_loaded() {}
 		 */
 		private function init() {
 			self::$server = array(
-				'SERVER_SOFTWARE' => '',
-				'REMOTE_ADDR'     => Redux_Helpers::is_local_host() ? '127.0.0.1' : '',
-				'HTTP_USER_AGENT' => '',
-				'HTTP_HOST'       => '',
-				'REQUEST_URI'     => '',
+				'SERVER_SOFTWARE'      => '',
+				'REMOTE_ADDR'          => Redux_Helpers::is_local_host() ? '127.0.0.1' : '',
+				'HTTP_USER_AGENT'      => '',
+				'HTTP_HOST'            => '',
+				'REQUEST_URI'          => '',
+				'HTTP_X_FORWARDED_FOR' => '',
 			);
 
 			// phpcs:disable WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
@@ -258,7 +259,9 @@ private function init() {
 			if ( ! empty( $_SERVER['REQUEST_URI'] ) ) {
 				self::$server['REQUEST_URI'] = sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) );
 			}
-
+			if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
+				self::$server['HTTP_X_FORWARDED_FOR'] = sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
+			}
 			// phpcs:enable
 
 			self::$dir = trailingslashit( wp_normalize_path( dirname( realpath( __FILE__ ) ) ) );
diff --git a/redux-core/inc/classes/class-redux-rate-limiter.php b/redux-core/inc/classes/class-redux-rate-limiter.php
@@ -0,0 +1,86 @@
+<?php // phpcs:ignore WordPress.Files.FileName
+
+/**
+ * Redux Rate Limiter Class
+ *
+ * @class Secure Token
+ * @version 4.5.10
+ * @package Redux Framework/Classes
+ */
+
+defined( 'ABSPATH' ) || exit;
+
+if ( ! class_exists( 'Redux_Rate_Limiter', false ) ) {
+
+	/**
+	 * Redux_Rate_Limiter.
+	 *
+	 * @since 4.5.10
+	 */
+	class Redux_Rate_Limiter {
+
+		/**
+		 * Limits for functions that require them.
+		 *
+		 * @var array[]
+		 */
+		private static array $limits = array(
+			'download_options' => array(
+				'max'    => 5,
+				'window' => 300,
+			),  // 5 per 5 minutes.
+			'color_schemes'    => array(
+				'max'    => 5,
+				'window' => 300,
+			), // 5 per 5 minutes.
+		);
+
+		/**
+		 * Check for the rate limit.
+		 *
+		 * @param string $action Function to check.
+		 *
+		 * @return bool
+		 */
+		public static function check( string $action ): bool {
+			if ( ! isset( self::$limits[ $action ] ) ) {
+				return true;
+			}
+
+			$limit = self::$limits[ $action ];
+
+			$ip  = self::get_client_ip();
+			$key = 'redux_rate_' . md5( $action . $ip );
+
+			$current = get_transient( $key );
+
+			if ( false === $current ) {
+				set_transient( $key, 1, $limit['window'] );
+				return true;
+			}
+
+			if ( $current >= $limit['max'] ) {
+				return false; // Rate limited.
+			}
+
+			set_transient( $key, $current + 1, $limit['window'] );
+			return true;
+		}
+
+		/**
+		 * Get the client's IP address.
+		 *
+		 * @return mixed|string
+		 */
+		private static function get_client_ip() {
+			$ip = Redux_Core::$server['REMOTE_ADDR'];
+
+			if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
+				$ips = explode( ',', Redux_Core::$server['HTTP_X_FORWARDED_FOR'] );
+				$ip  = trim( $ips[0] );
+			}
+
+			return filter_var( $ip, FILTER_VALIDATE_IP ) ?? '0.0.0.0';
+		}
+	}
+}
diff --git a/redux-core/inc/extensions/color_scheme/class-redux-extension-color-scheme.php b/redux-core/inc/extensions/color_scheme/class-redux-extension-color-scheme.php
@@ -555,10 +555,14 @@ private function import_schemes() {
 		 * @return      void
 		 */
 		private function download_schemes() {
+			if ( ! Redux_Rate_Limiter::check( 'color_schemes' ) ) {
+				wp_die( 'Rate limit exceeded. Please try again later.' );
+			}
+
 			Redux_Color_Scheme_Functions::$parent   = $this->parent;
 			Redux_Color_Scheme_Functions::$field_id = $this->field_id;
 
-			// Read contents of scheme file.
+			// Read the contents of the scheme file.
 			$content = Redux_Color_Scheme_Functions::read_scheme_file();
 			$content = wp_json_encode( $content );
 
diff --git a/redux-core/inc/extensions/import_export/class-redux-extension-import-export.php b/redux-core/inc/extensions/import_export/class-redux-extension-import-export.php
@@ -108,6 +108,10 @@ public function download_options() {
 				wp_die( 'Invalid secret for options use.' );
 			}
 
+			if ( ! Redux_Rate_Limiter::check( 'download_options' ) ) {
+				wp_die( 'Rate limit exceeded. Please try again later.' );
+			}
+
 			$this->parent->options_class->get();
 			$backup_options                 = $this->parent->options;
 			$backup_options['redux-backup'] = 1;
