Skip to content

Add bruteforce protection in OauthApiController#38773

Merged
julien-nc merged 1 commit intomasterfrom
fix/noid/protect-oauth2-api-controller
Jun 19, 2023
Merged

Add bruteforce protection in OauthApiController#38773
julien-nc merged 1 commit intomasterfrom
fix/noid/protect-oauth2-api-controller

Conversation

@julien-nc
Copy link
Member

@julien-nc julien-nc commented Jun 12, 2023

Client secrets are long so bruteforce attacks are not likely to be effective but still.

@julien-nc julien-nc added 3. to review Waiting for reviews security labels Jun 12, 2023
@julien-nc julien-nc added this to the Nextcloud 28 milestone Jun 12, 2023
@julien-nc julien-nc requested review from a team, AndyScherzinger, ArtificialOwl, ChristophWurst, blizzz, icewind1991 and miaulalala and removed request for a team June 12, 2023 15:42
@julien-nc julien-nc force-pushed the fix/noid/protect-oauth2-api-controller branch from dba26cb to fca8446 Compare June 14, 2023 15:50
@AndyScherzinger
Copy link
Member

AndyScherzinger commented Jun 14, 2023

/backport to stable27

@AndyScherzinger
Copy link
Member

AndyScherzinger commented Jun 14, 2023

/backport to stable26

@AndyScherzinger
Copy link
Member

AndyScherzinger commented Jun 14, 2023

/backport to stable25

@AndyScherzinger
Copy link
Member

AndyScherzinger commented Jun 14, 2023

/backport to stable24

@miaulalala
Copy link
Contributor

miaulalala commented Jun 16, 2023

/rebase

@nextcloud-command nextcloud-command force-pushed the fix/noid/protect-oauth2-api-controller branch from fca8446 to 96a850b Compare June 16, 2023 13:25
@julien-nc
add bruteforce protection in OauthApiController
629adc3 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc julien-nc force-pushed the fix/noid/protect-oauth2-api-controller branch from 96a850b to 629adc3 Compare June 19, 2023 09:18
@julien-nc julien-nc merged commit 247c874 into master Jun 19, 2023
@julien-nc julien-nc deleted the fix/noid/protect-oauth2-api-controller branch June 19, 2023 11:46
@backportbot-nextcloud backportbot-nextcloud bot mentioned this pull request Jun 19, 2023
Merged
@backportbot-nextcloud
Copy link

backportbot-nextcloud bot commented Jun 19, 2023

The backport to stable26 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable26
git pull origin stable26

# Create the new backport branch
git checkout -b fix/foo-stable26

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable26

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@backportbot-nextcloud backportbot-nextcloud bot mentioned this pull request Jun 19, 2023
Merged
@backportbot-nextcloud
Copy link

backportbot-nextcloud bot commented Jun 19, 2023

The backport to stable24 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable24
git pull origin stable24

# Create the new backport branch
git checkout -b fix/foo-stable24

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable24

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@julien-nc
Copy link
Member Author

julien-nc commented Jun 19, 2023

Backport for stable26 will be easier after #38708 is merged.

@AndyScherzinger Do we really have to backport to stable24?

@nickvergessen
Copy link
Member

nickvergessen commented Jun 19, 2023

Do we really have to backport to stable24?

yes

@julien-nc julien-nc mentioned this pull request Jun 19, 2023
Merged
@AndyScherzinger
Copy link
Member

AndyScherzinger commented Jun 19, 2023

Do we really have to backport to stable24?

As stated by Joas: yes, we do have support cohorts defined based on the severity of a sec issue the number of years we need to backport the fix is defined - which is why I initially added all the backport commands right away

@nickvergessen
Copy link
Member

nickvergessen commented Jun 22, 2023

/backport to stable26

@julien-nc julien-nc mentioned this pull request Jun 22, 2023
Merged
This was referenced Jul 11, 2023
Merged
Merged
@nextcloud nextcloud deleted a comment from backportbot-nextcloud bot Jul 11, 2023
@nextcloud nextcloud deleted a comment from backportbot-nextcloud bot Jul 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rullzer rullzer rullzer approved these changes

@AndyScherzinger AndyScherzinger AndyScherzinger approved these changes

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@miaulalala miaulalala miaulalala approved these changes

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl ArtificialOwl is a code owner automatically assigned from nextcloud/server-backend

@icewind1991 icewind1991 Awaiting requested review from icewind1991 icewind1991 is a code owner automatically assigned from nextcloud/server-backend

@blizzz blizzz Awaiting requested review from blizzz blizzz is a code owner automatically assigned from nextcloud/server-backend

Assignees

No one assigned

Labels

3. to review Waiting for reviews security

Projects

None yet

Milestone

Nextcloud 28

Development

Successfully merging this pull request may close these issues.

7 participants

@julien-nc @AndyScherzinger @miaulalala @nickvergessen @rullzer @ChristophWurst @skjnldsv