fix: address security review findings

This commit is contained in:
Marek Miklewicz
2026-06-30 11:41:40 +02:00
parent 3b096b67bb
commit 54b2e620ff
12 changed files with 188 additions and 31 deletions
+22 -8
View File
@@ -16,23 +16,37 @@ final class RateLimiter
mkdir($this->dir, 0700, true);
}
$file = $this->dir . '/' . preg_replace('/[^A-Za-z0-9._-]/', '_', $bucket) . '.json';
$handle = fopen($file, 'c+');
if ($handle === false) {
throw new RuntimeException('Cannot open rate limit bucket');
}
if (!flock($handle, LOCK_EX)) {
fclose($handle);
throw new RuntimeException('Cannot lock rate limit bucket');
}
$now = time();
$events = [];
if (is_file($file)) {
$decoded = json_decode((string)file_get_contents($file), true);
if (is_array($decoded)) {
foreach ($decoded as $event) {
if (is_int($event) && $event > $now - $windowSeconds) {
$events[] = $event;
}
$contents = stream_get_contents($handle);
$decoded = json_decode(is_string($contents) ? $contents : '', true);
if (is_array($decoded)) {
foreach ($decoded as $event) {
if (is_int($event) && $event > $now - $windowSeconds) {
$events[] = $event;
}
}
}
if (count($events) >= $limit) {
flock($handle, LOCK_UN);
fclose($handle);
throw new RuntimeException('Rate limit exceeded');
}
$events[] = $now;
file_put_contents($file, json_encode($events), LOCK_EX);
ftruncate($handle, 0);
rewind($handle);
fwrite($handle, json_encode($events) ?: '[]');
fflush($handle);
flock($handle, LOCK_UN);
fclose($handle);
@chmod($file, 0600);
}
}