Rate limit attempts to add payment methods in Phortune

Summary: Ref T13249. See D20132. Although we're probably a poor way to validate a big list of stolen cards in practice in production today (it's very hard to quickly generate a large number of small charges), putting rate limiting on "Add Payment Method" is generally reasonable, can't really hurt anything (no legitimate user will ever hit this limit), and might frustrate attackers in the future if it becomes easier to generate ad-hoc charges (for example, if we run a deal on support pacts and reduce their cost from $1,000 to $1). Test Plan: Reduced limit to 4 / hour, tried to add a card several times, got rate limited. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13249 Differential Revision: https://secure.phabricator.com/D20158
2024-11-25 16:22:43 +01:00 · 2019-02-13 05:14:43 -08:00 · 2019-02-13 05:14:43 -08:00 · 9a9fa8bed2
commit 9a9fa8bed2
parent 991368128e
3 changed files with 33 additions and 0 deletions
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@ -4986,6 +4986,7 @@ phutil_register_library_map(array(
    'PhortuneAccountViewController' => 'applications/phortune/controller/account/PhortuneAccountViewController.php',
    'PhortuneAdHocCart' => 'applications/phortune/cart/PhortuneAdHocCart.php',
    'PhortuneAdHocProduct' => 'applications/phortune/product/PhortuneAdHocProduct.php',
+    'PhortuneAddPaymentMethodAction' => 'applications/phortune/action/PhortuneAddPaymentMethodAction.php',
    'PhortuneCart' => 'applications/phortune/storage/PhortuneCart.php',
    'PhortuneCartAcceptController' => 'applications/phortune/controller/cart/PhortuneCartAcceptController.php',
    'PhortuneCartCancelController' => 'applications/phortune/controller/cart/PhortuneCartCancelController.php',
@ -11227,6 +11228,7 @@ phutil_register_library_map(array(
    'PhortuneAccountViewController' => 'PhortuneAccountProfileController',
    'PhortuneAdHocCart' => 'PhortuneCartImplementation',
    'PhortuneAdHocProduct' => 'PhortuneProductImplementation',
+    'PhortuneAddPaymentMethodAction' => 'PhabricatorSystemAction',
    'PhortuneCart' => array(
      'PhortuneDAO',
      'PhabricatorApplicationTransactionInterface',
--- a/src/applications/phortune/action/PhortuneAddPaymentMethodAction.php
+++ b/src/applications/phortune/action/PhortuneAddPaymentMethodAction.php
@ -0,0 +1,22 @@
+<?php
+
+final class PhortuneAddPaymentMethodAction
+  extends PhabricatorSystemAction {
+
+  const TYPECONST = 'phortune.payment-method.add';
+
+  public function getActionConstant() {
+    return self::TYPECONST;
+  }
+
+  public function getScoreThreshold() {
+    return 60 / phutil_units('1 hour in seconds');
+  }
+
+  public function getLimitExplanation() {
+    return pht(
+      'You are making too many attempts to add payment methods in a short '.
+      'period of time.');
+  }
+
+}
--- a/src/applications/phortune/controller/payment/PhortunePaymentMethodCreateController.php
+++ b/src/applications/phortune/controller/payment/PhortunePaymentMethodCreateController.php
@ -82,6 +82,15 @@ final class PhortunePaymentMethodCreateController
        ->setProviderPHID($provider->getProviderConfig()->getPHID())
        ->setStatus(PhortunePaymentMethod::STATUS_ACTIVE);

+      // Limit the rate at which you can attempt to add payment methods. This
+      // is intended as a line of defense against using Phortune to validate a
+      // large list of stolen credit card numbers.
+
+      PhabricatorSystemActionEngine::willTakeAction(
+        array($viewer->getPHID()),
+        new PhortuneAddPaymentMethodAction(),
+        1);
+
      if (!$errors) {
        $errors = $this->processClientErrors(
          $provider,