fix: Implement rate limiting for various API endpoints to prevent abuse

Daniel Neto · Daniel Neto · commit 01a0614fedcd · 2026-03-24T09:40:27.000-03:00
GHSA-8prq-2jr2-cm92
diff --git a/plugin/API/API.php b/plugin/API/API.php
@@ -1110,6 +1110,7 @@ public function get_api_user_can_watch_video($parameters)
     )]
     public function get_api_video_password_is_correct($parameters)
     {
+        $this->checkRateLimit('video_password_check', 10, 300); // 10 attempts per 5 minutes
 
         $obj = new stdClass();
         $obj->videos_id = intval($parameters['videos_id']);
@@ -3218,6 +3219,7 @@ public function get_api_users_list($parameters)
 
     public function get_api_videosViewsCount($parameters)
     {
+        $this->checkRateLimit('videos_views_count', 20, 60); // 20 per minute — full table scan, no cache
         global $global;
         require_once $global['systemRootPath'] . 'objects/video.php';
         $obj = $this->startResponseObject($parameters);
@@ -4057,6 +4059,7 @@ public function set_api_removelike($parameters)
 
     public function get_api_signIn($parameters)
     {
+        $this->checkRateLimit('sign_in', 10, 300); // 10 attempts per 5 minutes
         global $global;
         $this->getToPost();
         // Merge $parameters into $_POST so login.json.php can read them
@@ -4331,6 +4334,7 @@ private function like($parameters, $like)
 
     public function get_api_vmap($parameters)
     {
+        $this->checkRateLimit('vmap', 120, 60); // 120 per minute — prevents outbound HTTP flood via AdsForJesus
         global $global;
         $this->getToPost();
         header('Content-type: application/xml');
@@ -5420,6 +5424,7 @@ public function get_api_app($parameters)
 
     public function set_api_login_code($parameters)
     {
+        $this->checkRateLimit('login_code_generate', 5, 300); // 5 generations per 5 minutes
         $obj = getActivationCode();
         return new ApiObject('', empty($obj['bytes']), $obj);
     }
@@ -5465,6 +5470,7 @@ public function set_api_login_code($parameters)
 
     public function get_api_login_code($parameters)
     {
+        $this->checkRateLimit('login_code_verify', 5, 300); // 5 attempts per 5 minutes
         global $global, $config;
         $msg = '';
         $obj = false;

Original file line number	Diff line number	Diff line change
`@@ -1110,6 +1110,7 @@ public function get_api_user_can_watch_video($parameters)`
`1110`	`1110`	`)]`
`1111`	`1111`	`public function get_api_video_password_is_correct($parameters)`
`1112`	`1112`	`{`
	`1113`	`+ $this->checkRateLimit('video_password_check', 10, 300); // 10 attempts per 5 minutes`
`1113`	`1114`
`1114`	`1115`	`$obj = new stdClass();`
`1115`	`1116`	`$obj->videos_id = intval($parameters['videos_id']);`
`@@ -3218,6 +3219,7 @@ public function get_api_users_list($parameters)`
`3218`	`3219`
`3219`	`3220`	`public function get_api_videosViewsCount($parameters)`
`3220`	`3221`	`{`
	`3222`	`+ $this->checkRateLimit('videos_views_count', 20, 60); // 20 per minute — full table scan, no cache`
`3221`	`3223`	`global $global;`
`3222`	`3224`	`require_once $global['systemRootPath'] . 'objects/video.php';`
`3223`	`3225`	`$obj = $this->startResponseObject($parameters);`
`@@ -4057,6 +4059,7 @@ public function set_api_removelike($parameters)`
`4057`	`4059`
`4058`	`4060`	`public function get_api_signIn($parameters)`
`4059`	`4061`	`{`
	`4062`	`+ $this->checkRateLimit('sign_in', 10, 300); // 10 attempts per 5 minutes`
`4060`	`4063`	`global $global;`
`4061`	`4064`	`$this->getToPost();`
`4062`	`4065`	`// Merge $parameters into $_POST so login.json.php can read them`
`@@ -4331,6 +4334,7 @@ private function like($parameters, $like)`
`4331`	`4334`
`4332`	`4335`	`public function get_api_vmap($parameters)`
`4333`	`4336`	`{`
	`4337`	`+ $this->checkRateLimit('vmap', 120, 60); // 120 per minute — prevents outbound HTTP flood via AdsForJesus`
`4334`	`4338`	`global $global;`
`4335`	`4339`	`$this->getToPost();`
`4336`	`4340`	`header('Content-type: application/xml');`
`@@ -5420,6 +5424,7 @@ public function get_api_app($parameters)`
`5420`	`5424`
`5421`	`5425`	`public function set_api_login_code($parameters)`
`5422`	`5426`	`{`
	`5427`	`+ $this->checkRateLimit('login_code_generate', 5, 300); // 5 generations per 5 minutes`
`5423`	`5428`	`$obj = getActivationCode();`
`5424`	`5429`	`return new ApiObject('', empty($obj['bytes']), $obj);`
`5425`	`5430`	`}`
`@@ -5465,6 +5470,7 @@ public function set_api_login_code($parameters)`
`5465`	`5470`
`5466`	`5471`	`public function get_api_login_code($parameters)`
`5467`	`5472`	`{`
	`5473`	`+ $this->checkRateLimit('login_code_verify', 5, 300); // 5 attempts per 5 minutes`
`5468`	`5474`	`global $global, $config;`
`5469`	`5475`	`$msg = '';`
`5470`	`5476`	`$obj = false;`