

Rate limit attempts to add payment methods in Phortune

Summary: Ref T13249. See D20132. Although Phortune is probably a poor vector for validating a big list of stolen cards in production today (it's very hard to quickly generate a large number of small charges), putting rate limiting on "Add Payment Method" is generally reasonable, can't really hurt anything (no legitimate user will ever hit this limit), and might frustrate attackers in the future if it becomes easier to generate ad-hoc charges (for example, if we run a deal on support pacts and reduce their cost from $1,000 to $1).

Test Plan: Reduced limit to 4 / hour, tried to add a card several times, got rate limited.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13249

Differential Revision: https://secure.phabricator.com/D20158

+33
+2
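--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -4986,6 +4986,7 @@
     'PhortuneAccountViewController' => 'applications/phortune/controller/account/PhortuneAccountViewController.php',
     'PhortuneAdHocCart' => 'applications/phortune/cart/PhortuneAdHocCart.php',
     'PhortuneAdHocProduct' => 'applications/phortune/product/PhortuneAdHocProduct.php',
+    'PhortuneAddPaymentMethodAction' => 'applications/phortune/action/PhortuneAddPaymentMethodAction.php',
     'PhortuneCart' => 'applications/phortune/storage/PhortuneCart.php',
     'PhortuneCartAcceptController' => 'applications/phortune/controller/cart/PhortuneCartAcceptController.php',
     'PhortuneCartCancelController' => 'applications/phortune/controller/cart/PhortuneCartCancelController.php',
@@ -11227,6 +11228,7 @@
     'PhortuneAccountViewController' => 'PhortuneAccountProfileController',
     'PhortuneAdHocCart' => 'PhortuneCartImplementation',
     'PhortuneAdHocProduct' => 'PhortuneProductImplementation',
+    'PhortuneAddPaymentMethodAction' => 'PhabricatorSystemAction',
     'PhortuneCart' => array(
       'PhortuneDAO',
       'PhabricatorApplicationTransactionInterface',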
+22
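--- /dev/null
+++ b/src/applications/phortune/action/PhortuneAddPaymentMethodAction.php
@@ -0,0 +1,22 @@
+<?php
+
+final class PhortuneAddPaymentMethodAction
+  extends PhabricatorSystemAction {
+
+  const TYPECONST = 'phortune.payment-method.add';
+
+  public function getActionConstant() {
+    return self::TYPECONST;
+  }
+
+  public function getScoreThreshold() {
+    return 60 / phutil_units('1 hour in seconds');
+  }
+
+  public function getLimitExplanation() {
+    return pht(
+      'You are making too many attempts to add payment methods in a short '.
+      'period of time.');
+  }
+
+}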
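Review bot: The threshold in `getScoreThreshold()` is a bare `60 / phutil_units('1 hour in seconds')` with nothing saying what the figure means, and a future reader (or someone tuning it, as the test plan did with "4 / hour") has to go to the base class to learn that the value is a rate rather than a count. A one-line comment above the return would fix that: `// Allow roughly 60 attempts per hour; the base engine appears to expect a rate in actions per second, so express it as 60 / 3600 — confirm against PhabricatorSystemAction.` A short class docblock stating that this action is the per-user rate limit for adding a payment method in Phortune, and that the engine is what actually enforces it, would also help since the class body alone does not say where it is consumed.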
+9
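--- a/src/applications/phortune/controller/payment/PhortunePaymentMethodCreateController.php
+++ b/src/applications/phortune/controller/payment/PhortunePaymentMethodCreateController.php
@@ -82,6 +82,15 @@
       ->setProviderPHID($provider->getProviderConfig()->getPHID())
       ->setStatus(PhortunePaymentMethod::STATUS_ACTIVE);
 
+    // Limit the rate at which you can attempt to add payment methods. This
+    // is intended as a line of defense against using Phortune to validate a
+    // large list of stolen credit card numbers.
+
+    PhabricatorSystemActionEngine::willTakeAction(
+      array($viewer->getPHID()),
+      new PhortuneAddPaymentMethodAction(),
+      1);
+
     if (!$errors) {
       $errors = $this->processClientErrors(
         $provider,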
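Review bot: The new `willTakeAction` call keys the budget on `$viewer->getPHID()` alone, so an attacker who can register (or already holds) several accounts gets an independent 60/hour allowance per account and the card-validation throughput the commit is trying to cap scales with account count rather than being bounded. Adding the client address as a second actor keeps the per-user limit and also bounds a single source, e.g. `array($viewer->getPHID(), $request->getRemoteAddress()),` assuming the controller's request object is in scope at this point, which this hunk does not show. It is also worth a short comment that the scoring happens before `processClientErrors()`, so an attempt is charged whether or not the provider accepts the card — that is the right order for this purpose, and the placement should not be "tidied" inside the `if (!$errors)` branch later. The enclosing method starts and ends outside this hunk, and the engine's behaviour on exceeding the threshold (presumably an exception rather than a returned error) is not visible here.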