1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-25 08:12:40 +01:00

Rate limit attempts to add payment methods in Phortune

Summary: Ref T13249. See D20132. Although we're probably a poor way to validate a big list of stolen cards in practice in production today (it's very hard to quickly generate a large number of small charges), putting rate limiting on "Add Payment Method" is generally reasonable, can't really hurt anything (no legitimate user will ever hit this limit), and might frustrate attackers in the future if it becomes easier to generate ad-hoc charges (for example, if we run a deal on support pacts and reduce their cost from $1,000 to $1).

Test Plan: Reduced limit to 4 / hour, tried to add a card several times, got rate limited.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13249

Differential Revision: https://secure.phabricator.com/D20158
This commit is contained in:
epriestley 2019-02-13 05:14:43 -08:00
parent 991368128e
commit 9a9fa8bed2
3 changed files with 33 additions and 0 deletions

View file

@ -4986,6 +4986,7 @@ phutil_register_library_map(array(
'PhortuneAccountViewController' => 'applications/phortune/controller/account/PhortuneAccountViewController.php',
'PhortuneAdHocCart' => 'applications/phortune/cart/PhortuneAdHocCart.php',
'PhortuneAdHocProduct' => 'applications/phortune/product/PhortuneAdHocProduct.php',
'PhortuneAddPaymentMethodAction' => 'applications/phortune/action/PhortuneAddPaymentMethodAction.php',
'PhortuneCart' => 'applications/phortune/storage/PhortuneCart.php',
'PhortuneCartAcceptController' => 'applications/phortune/controller/cart/PhortuneCartAcceptController.php',
'PhortuneCartCancelController' => 'applications/phortune/controller/cart/PhortuneCartCancelController.php',
@ -11227,6 +11228,7 @@ phutil_register_library_map(array(
'PhortuneAccountViewController' => 'PhortuneAccountProfileController',
'PhortuneAdHocCart' => 'PhortuneCartImplementation',
'PhortuneAdHocProduct' => 'PhortuneProductImplementation',
'PhortuneAddPaymentMethodAction' => 'PhabricatorSystemAction',
'PhortuneCart' => array(
'PhortuneDAO',
'PhabricatorApplicationTransactionInterface',

View file

@ -0,0 +1,22 @@
<?php
final class PhortuneAddPaymentMethodAction
extends PhabricatorSystemAction {
const TYPECONST = 'phortune.payment-method.add';
public function getActionConstant() {
return self::TYPECONST;
}
public function getScoreThreshold() {
return 60 / phutil_units('1 hour in seconds');
}
public function getLimitExplanation() {
return pht(
'You are making too many attempts to add payment methods in a short '.
'period of time.');
}
}

View file

@ -82,6 +82,15 @@ final class PhortunePaymentMethodCreateController
->setProviderPHID($provider->getProviderConfig()->getPHID())
->setStatus(PhortunePaymentMethod::STATUS_ACTIVE);
// Limit the rate at which you can attempt to add payment methods. This
// is intended as a line of defense against using Phortune to validate a
// large list of stolen credit card numbers.
PhabricatorSystemActionEngine::willTakeAction(
array($viewer->getPHID()),
new PhortuneAddPaymentMethodAction(),
1);
if (!$errors) {
$errors = $this->processClientErrors(
$provider,