Merge pull request #5294 from nappa85/5291-daily_limit

Introduce daily limit of published versions per crate

Author: Turbo87

src/config.rs

@@ -25,6 +25,7 @@ pub struct Server {
     pub max_upload_size: u64,
     pub max_unpack_size: u64,
     pub publish_rate_limit: PublishRateLimit,
+    pub new_version_rate_limit: Option<u32>,
     pub blocked_traffic: Vec<(String, Vec<String>)>,
     pub max_allowed_page_offset: u32,
     pub page_offset_ua_blocklist: Vec<String>,
@@ -118,6 +119,7 @@ impl Default for Server {
             max_upload_size: 10 * 1024 * 1024, // 10 MB default file upload size limit
             max_unpack_size: 512 * 1024 * 1024, // 512 MB max when decompressed
             publish_rate_limit: Default::default(),
+            new_version_rate_limit: env_optional("MAX_NEW_VERSIONS_DAILY"),
             blocked_traffic: blocked_traffic(),
             max_allowed_page_offset: env_optional("WEB_MAX_ALLOWED_PAGE_OFFSET").unwrap_or(200),
             page_offset_ua_blocklist,

src/controllers/krate/publish.rs

@@ -128,6 +128,15 @@ pub fn publish(req: &mut dyn RequestExt) -> EndpointResult {
             )));
         }
 
+        if let Some(daily_version_limit) = app.config.new_version_rate_limit {
+            let published_today = count_versions_published_today(krate.id, &conn)?;
+            if published_today >= daily_version_limit as i64 {
+                return Err(cargo_err(
+                    "You have published too many versions of this crate in the last 24 hours",
+                ));
+            }
+        }
+
         // Length of the .crate tarball, which appears after the metadata in the request body.
         // TODO: Not sure why we're using the total content length (metadata + .crate file length)
         // to compare against the max upload size... investigate that and perhaps change to use
@@ -259,6 +268,19 @@ pub fn publish(req: &mut dyn RequestExt) -> EndpointResult {
     })
 }
 
+/// Counts the number of versions for `krate_id` that were published within
+/// the last 24 hours.
+fn count_versions_published_today(krate_id: i32, conn: &PgConnection) -> QueryResult<i64> {
+    use crate::schema::versions::dsl::*;
+    use diesel::dsl::{now, IntervalDsl};
+
+    versions
+        .filter(crate_id.eq(krate_id))
+        .filter(created_at.gt(now - 24.hours()))
+        .count()
+        .get_result(conn)
+}
+
 /// Used by the `krate::new` function.
 ///
 /// This function parses the JSON headers to interpret the data and validates