[FEATURE] Add RateLimit spam check method

cweiske · cweiske · commit ffdfa69d4126 · 2025-11-14T09:43:58.000+01:00
A new spam prevention method utilizing the Symfony rate limiter
that is already used by the TYPO3 backend login to prevent brute-force
attacks.

It marks form submissions as spam when a user submits forms
too often in a given time frame, e.g. 10x in 5 minutes.
This helps reducing spam flood attacks, because only the first
submissions will be allowed.

Both interval and limit are configurable via TypoScript.
All valid DateTimeInterval strings are accepted, allowing interval
declarations like "10 minutes" or "5 hours".

Configuring the properties for rate limiting identifier is possible:
Either rate limit all submissions from an IP address,
or rate limit submissions from an IP to a certain form only.
Adding form field values is possible as well, preventing
duplicate submissions from e.g. an e-mail addresses.

Heavily inspired by Chris Müller's brotkrueml/typo3-form-rate-limit
extension.

Rate limit information is stored via TYPO3's caching framework in the
'ratelimiter' cache. This allows admins to share the limit across
multiple machines by configuring it to use a database or redis backend.
diff --git a/Classes/Domain/Validator/SpamShield/RateLimitMethod.php b/Classes/Domain/Validator/SpamShield/RateLimitMethod.php
@@ -0,0 +1,165 @@
+<?php
+
+declare(strict_types=1);
+namespace In2code\Powermail\Domain\Validator\SpamShield;
+
+use In2code\Powermail\Storage\RateLimitStorage;
+use In2code\Powermail\Utility\ObjectUtility;
+use Symfony\Component\RateLimiter\RateLimiterFactory;
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+
+/**
+ * Limit the number of submissions in a given time frame
+ *
+ * Exclusion of IP addresses is possible with a powermail breaker configuration.
+ */
+class RateLimitMethod extends AbstractMethod
+{
+    /**
+     * Check if this form submission is limited or shall be allowed.
+     *
+     * @return bool true if spam recognized
+     */
+    public function spamCheck(): bool
+    {
+        $config = [
+            'id'       => 'powermail-ratelimit',
+            'policy'   => 'sliding_window',
+            'limit'    => $this->getLimit(),
+            'interval' => $this->getInterval(),
+        ];
+
+        $storage = GeneralUtility::makeInstance(RateLimitStorage::class);
+
+        $factory = new RateLimiterFactory($config, $storage);
+
+        $keyParts = $this->getRestrictionValues($this->getRestrictions());
+        $key = implode('-', $keyParts);
+
+        $limiter = $factory->create($key);
+        if ($limiter->consume()->isAccepted()) {
+            return false;
+        }
+
+        //spam
+        return true;
+    }
+
+    /**
+     * Replace the restriction variables with their values
+     */
+    protected function getRestrictionValues(array $restrictions): array
+    {
+        $answers = $this->mail->getAnswersByFieldMarker();
+
+        $values = [];
+        foreach ($restrictions as $restriction) {
+            if ($restriction === '__ipAddress') {
+                $values[$restriction] = GeneralUtility::getIndpEnv('REMOTE_ADDR');
+
+            } elseif ($restriction === '__formIdentifier') {
+                $values[$restriction] = $this->mail->getForm()->getUid();
+
+            } elseif ($restriction[0] === '{') {
+                //form field
+                $fieldName = substr($restriction, 1, -1);
+                if (!isset($answers[$fieldName])) {
+                    throw new \InvalidArgumentException('Form has no field with variable name ' . $field, 1763046923);
+                }
+                $values[$restriction] = $answers[$fieldName]->getValue();
+
+            } else {
+                //hard-coded value
+                $values[$restriction] = $restriction;
+            }
+        }
+
+        return $values;
+    }
+
+    /**
+     * Get the configured time interval in which the limit has to be adhered to
+     */
+    protected function getInterval(): string
+    {
+        $interval = $this->configuration['interval'];
+
+        if ($interval === null) {
+            throw new \InvalidArgumentException('Interval must be set!', 1671448702);
+        }
+        if (! \is_string($interval)) {
+            throw new \InvalidArgumentException('Interval must be a string!', 1671448703);
+        }
+
+        if (@\DateInterval::createFromDateString($interval) === false) {
+            // @todo Remove check and exception when compatibility of PHP >= 8.3
+            // @see https://www.php.net/manual/de/class.datemalformedintervalstringexception.php
+            throw new \InvalidArgumentException(
+                \sprintf(
+                    'Interval is not valid, "%s" given!',
+                    $interval,
+                ),
+                1671448704,
+            );
+        }
+
+        return $interval;
+    }
+
+    /**
+     * Get how many form submissions are allowed within the time interval
+     */
+    protected function getLimit(): int
+    {
+        $limit = $this->configuration['limit'];
+
+        if ($limit === null) {
+            throw new \InvalidArgumentException('Limit must be set!', 1671449026);
+        }
+
+        if (! \is_numeric($limit)) {
+            throw new \InvalidArgumentException('Limit must be numeric!', 1671449027);
+        }
+
+        $limit = (int) $limit;
+        if ($limit < 1) {
+            throw new \InvalidArgumentException('Limit must be greater than 0!', 1671449028);
+        }
+
+        return $limit;
+    }
+
+    /**
+     * Get the list of properties that are used to identify the form
+     *
+     * Supported values:
+     * - __ipAddress
+     * - __formIdentifier
+     * - {email} - Form field names
+     * - foo - Hard-coded values
+     */
+    protected function getRestrictions(): array
+    {
+        $restrictions = $this->configuration['restrictions'];
+
+        if ($restrictions === null) {
+            throw new \InvalidArgumentException('Restrictions must be set!', 1671727527);
+        }
+
+        if (! \is_array($restrictions)) {
+            throw new \InvalidArgumentException('Restrictions must be an array!', 1671727528);
+        }
+
+        if ($restrictions === []) {
+            throw new \InvalidArgumentException('Restrictions must not be an empty array!', 1671727529);
+        }
+
+        foreach ($restrictions as $restriction) {
+            if (! \is_string($restriction)) {
+                throw new \InvalidArgumentException('A single restrictions must be a string!', 1671727530);
+            }
+        }
+
+        return \array_values($restrictions);
+    }
+}
diff --git a/Classes/Storage/RateLimitStorage.php b/Classes/Storage/RateLimitStorage.php
@@ -0,0 +1,58 @@
+<?php
+
+declare(strict_types=1);
+
+namespace In2code\Powermail\Storage;
+
+use Symfony\Component\DependencyInjection\Attribute\Autoconfigure;
+use Symfony\Component\RateLimiter\LimiterStateInterface;
+use Symfony\Component\RateLimiter\Policy\SlidingWindow;
+use Symfony\Component\RateLimiter\Policy\TokenBucket;
+use Symfony\Component\RateLimiter\Policy\Window;
+use Symfony\Component\RateLimiter\Storage\StorageInterface;
+use TYPO3\CMS\Core\Cache\CacheManager;
+use TYPO3\CMS\Core\Cache\Frontend\FrontendInterface;
+
+/**
+ * Copy of TYPO3's internal CachingFrameworkStorage.
+ *
+ * \TYPO3\CMS\Core\RateLimiter\Storage\CachingFrameworkStorage
+ */
+class RateLimitStorage implements StorageInterface
+{
+    private FrontendInterface $cacheInstance;
+
+    public function __construct(CacheManager $cacheInstance)
+    {
+        $this->cacheInstance = $cacheInstance->getCache('ratelimiter');
+        $this->cacheInstance->collectGarbage();
+    }
+
+    public function save(LimiterStateInterface $limiterState): void
+    {
+        $this->cacheInstance->set(
+            sha1($limiterState->getId()),
+            serialize($limiterState),
+            [],
+            $limiterState->getExpirationTime()
+        );
+    }
+
+    public function fetch(string $limiterStateId): ?LimiterStateInterface
+    {
+        $cacheItem = $this->cacheInstance->get(sha1($limiterStateId));
+        if ($cacheItem) {
+            $value = unserialize($cacheItem, ['allowed_classes' => [Window::class, SlidingWindow::class, TokenBucket::class]]);
+            if ($value instanceof LimiterStateInterface) {
+                return $value;
+            }
+        }
+
+        return null;
+    }
+
+    public function delete(string $limiterStateId): void
+    {
+        $this->cacheInstance->remove(sha1($limiterStateId));
+    }
+}
diff --git a/Configuration/Services.yaml b/Configuration/Services.yaml
@@ -46,3 +46,6 @@ services:
       - name: 'event.listener'
         identifier: 'powermail/modify-data-structure'
         method: 'modifyDataStructure'
+
+  In2code\Powermail\Storage\RateLimitStorage:
+    public: true
diff --git a/Configuration/TypoScript/Main/Configuration/12_Spamshield.typoscript b/Configuration/TypoScript/Main/Configuration/12_Spamshield.typoscript
@@ -185,6 +185,35 @@ plugin.tx_powermail.settings.setup {
           values.value = 123.132.125.123,123.132.125.124
         }
       }
+
+      # Rate limiter
+      8 {
+        _enable = 1
+
+        # Spamcheck name
+        name = IP rate limiter
+
+        # Class
+        class = In2code\Powermail\Domain\Validator\SpamShield\RateLimitMethod
+
+        # if this check fails - add this indication value to indicator (0 disables this check completely)
+        indication = 100
+
+        # method configuration
+        configuration {
+          #see "DateTimeInterval" class for allowed values
+          interval = 5 minutes
+
+          #number of form sumissions within the interval
+          limit = 10
+
+          restrictions {
+            10 = __ipAddress
+            20 = __formIdentifier
+            30 = {email}
+          }
+        }
+      }
     }
   }
 }
