修复超级签密码访问未校验问题，增加post接收速率限制

fir_ser/api/utils/baseutils.py

@@ -158,3 +158,12 @@ def get_format_time():
     if not timezone.is_naive(now):
         now = timezone.make_naive(now, timezone.utc)
     return now.strftime('%Y-%m-%d_%H:%M:%S')
+
+
+def check_app_password(app_password, password):
+    if app_password != '':
+        if password is None:
+            return None
+    if app_password.lower() != password.strip().lower():
+        return None
+    return True

fir_ser/api/utils/storage/caches.py

@@ -12,7 +12,7 @@ from django.utils import timezone
 from fir_ser.settings import CACHE_KEY_TEMPLATE, SERVER_DOMAIN, SYNC_CACHE_TO_DATABASE, DEFAULT_MOBILEPROVISION, \
     USER_FREE_DOWNLOAD_TIMES, AUTH_USER_FREE_DOWNLOAD_TIMES
 from api.utils.storage.storage import Storage, LocalStorage
-from api.utils.baseutils import get_app_d_count_by_app_id, get_app_domain_name  # file_format_path,
+from api.utils.baseutils import get_app_d_count_by_app_id, get_app_domain_name, check_app_password  # file_format_path,
 import logging
 from django.db.models import F
 
@@ -100,6 +100,9 @@ def get_app_instance_by_cache(app_id, password, limit, udid):
                                                              'user_id__certification__status').first()
         if app_info:
             app_info['d_count'] = get_app_d_count_by_app_id(app_id)
+            app_password = app_info.get("password")
+            if not check_app_password(app_password, password):
+                return None
         return app_info
     app_key = "_".join([CACHE_KEY_TEMPLATE.get("app_instance_key"), app_id])
     app_obj_cache = cache.get(app_key)
@@ -113,12 +116,8 @@ def get_app_instance_by_cache(app_id, password, limit, udid):
 
     app_password = app_obj_cache.get("password")
 
-    if app_password != '':
+    if not check_app_password(app_password, password):
-        if password is None:
+        return None
-            return None
-
-        if app_password.lower() != password.strip().lower():
-            return None
 
     return app_obj_cache
 

fir_ser/api/utils/throttle.py

@@ -82,3 +82,20 @@ class GetAuthC2Throttle(SimpleRateThrottle):
 
     def get_cache_key(self, request, view):
         return 'get_auth_' + self.get_ident(request)
+
+
+class ReceiveUdidThrottle1(VisitShortThrottle):
+    """post接收设备信息访问频率限制"""
+    scope = "ReceiveUdid1"
+
+    def get_cache_key(self, request, view):
+        return 'receive_udid_' + self.get_ident(request) + hashlib.md5(
+            request.META.get('HTTP_USER_AGENT', '').encode("utf-8")).hexdigest()
+
+
+class ReceiveUdidThrottle2(VisitShortThrottle):
+    """post接收设备信息访问频率限制"""
+    scope = "ReceiveUdid2"
+
+    def get_cache_key(self, request, view):
+        return 'receive_udid_' + self.get_ident(request)

fir_ser/api/views/receiveudids.py

@@ -12,6 +12,7 @@ from rest_framework.response import Response
 from api.tasks import run_sign_task
 from api.utils.response import BaseResponse
 from api.utils.storage.caches import check_app_permission
+from api.utils.throttle import ReceiveUdidThrottle1, ReceiveUdidThrottle2
 from fir_ser.celery import app
 import logging
 from rest_framework.views import APIView
@@ -23,6 +24,7 @@ logger = logging.getLogger(__file__)
 
 
 class IosUDIDView(View):
+    throttle_classes = [ReceiveUdidThrottle1, ReceiveUdidThrottle2]
 
     def post(self, request, short):
         stream_f = str(request.body)

fir_ser/fir_ser/settings.py

@@ -132,6 +132,8 @@ REST_FRAMEWORK = {
         'GetAuthC2': '300/h',
         'InstallAccess1': '10/m',
         'InstallAccess2': '20/h',
+        'ReceiveUdid1': '10/h',
+        'ReceiveUdid2': '20/h',
     }
 }
 # Internationalization