Prevent downgrade attacks for apps
We should verify the app versions when installing a new update, otherwise this could result in downgrade attacks when an attacker just copies the old signature. Plus it prevents the case that in case of a bug in the appstore actually an older version gets installed. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This commit is contained in:
parent
d61c8d74bb
commit
7cb0df28e2
|
@ -278,6 +278,20 @@ class Installer {
|
|||
);
|
||||
}
|
||||
|
||||
// Check if the version is lower than before
|
||||
$currentVersion = OC_App::getAppVersion($appId);
|
||||
$newVersion = (string)$xml->version;
|
||||
if(version_compare($currentVersion, $newVersion) === 1) {
|
||||
throw new \Exception(
|
||||
sprintf(
|
||||
'App for id %s has version %s and tried to update to lower version %s',
|
||||
$appId,
|
||||
$currentVersion,
|
||||
$newVersion
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
$baseDir = OC_App::getInstallPath() . '/' . $appId;
|
||||
// Remove old app with the ID if existent
|
||||
OC_Helper::rmdirr($baseDir);
|
||||
|
|
Binary file not shown.
|
@ -547,7 +547,7 @@ MPLX6f5V9tCJtlH6ztmEcDROfvuVc0U3rEhqx2hphoyo+MZrPFpdcJL8KkIdMKbY
|
|||
],
|
||||
];
|
||||
$this->appFetcher
|
||||
->expects($this->once())
|
||||
->expects($this->at(0))
|
||||
->method('get')
|
||||
->willReturn($appArray);
|
||||
$realTmpFile = \OC::$server->getTempManager()->getTemporaryFile('.tar.gz');
|
||||
|
@ -568,7 +568,7 @@ MPLX6f5V9tCJtlH6ztmEcDROfvuVc0U3rEhqx2hphoyo+MZrPFpdcJL8KkIdMKbY
|
|||
->method('get')
|
||||
->with('https://example.com', ['save_to' => $realTmpFile]);
|
||||
$this->clientService
|
||||
->expects($this->once())
|
||||
->expects($this->at(0))
|
||||
->method('newClient')
|
||||
->willReturn($client);
|
||||
|
||||
|
@ -577,4 +577,91 @@ MPLX6f5V9tCJtlH6ztmEcDROfvuVc0U3rEhqx2hphoyo+MZrPFpdcJL8KkIdMKbY
|
|||
$this->assertTrue(file_exists(__DIR__ . '/../../apps/testapp/appinfo/info.xml'));
|
||||
$this->assertEquals('0.9', \OC_App::getAppVersionByPath(__DIR__ . '/../../apps/testapp/'));
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException \Exception
|
||||
* @expectedExceptionMessage App for id testapp has version 0.9 and tried to update to lower version 0.8
|
||||
*/
|
||||
public function testDownloadAppWithDowngrade() {
|
||||
$appArray = [
|
||||
[
|
||||
'id' => 'testapp',
|
||||
'certificate' => '-----BEGIN CERTIFICATE-----
|
||||
MIIEAjCCAuoCAhAbMA0GCSqGSIb3DQEBCwUAMHsxCzAJBgNVBAYTAkRFMRswGQYD
|
||||
VQQIDBJCYWRlbi1XdWVydHRlbWJlcmcxFzAVBgNVBAoMDk5leHRjbG91ZCBHbWJI
|
||||
MTYwNAYDVQQDDC1OZXh0Y2xvdWQgQ29kZSBTaWduaW5nIEludGVybWVkaWF0ZSBB
|
||||
dXRob3JpdHkwHhcNMTYxMDMxMTgxNTI2WhcNMjcwMjA2MTgxNTI2WjASMRAwDgYD
|
||||
VQQDEwd0ZXN0YXBwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqa0x
|
||||
FcVa0YcO/ABqSNdbf7Bzp2PBBJzVM9gI4/HzzBKU/NY9/RibBBpNjAIWEFAbTI4j
|
||||
ilFSoxHDQ8HrboFOeKCrOIdp9ATQ8SnYVNIQ12Ym3LA/XxcG0gG0H7DeS9C0uACe
|
||||
svN8fwD1wnKnLLU9GBzO77jwYkneed85wwKG4waHd3965gxQWq0N5gnYS0TTn7Yr
|
||||
l1veRiw+ryefXvfWI0cN1WBZJ/4XAkwVlpG1HP60AunIpcwn9bfG4XCka+7x26E4
|
||||
6Hw0Ot7D7j0yzVzimJDPB2h2buEtPVd6m+oNPueVvKGta+p6cEEaHlFVh2Pa9DI+
|
||||
me3nb6aXE2kABWXav3BmK18A5Rg4ZY4VFYvmHmxkOhT/ulGZRqy6TccL/optqs52
|
||||
KQ6P0e5dfmhLeoCvJObD+ZYKv+kJCRFtX1Hve/R4IHG6XSFKUfrRjyor9b6TX2L/
|
||||
l2vV0mFjmy4g3l05vWHg1Edtq7M29S/xNA3/hF29NjBq6NoMbLGcBtFced1iK07Z
|
||||
yHLjXRZRfURP671Svqqg8pjxuDqkJ2vIj/Vpod4kF2jeiZYXcfmNKhEhxpkccSe0
|
||||
dI6p76Ne7XSUpf8yCPiSnWZLadqKZdEulcB4SlrZO2+/pycgqrqihofDrvDeWeeg
|
||||
gQyvbZZKl4ylRNj6IRKnosKLVXNqMHQxLmxLHeUCAwEAATANBgkqhkiG9w0BAQsF
|
||||
AAOCAQEALkKQwa40HfuP4Q6ShwBFJbXLyodIAXCT014kBVjReDKNl5oHtMXRjPxj
|
||||
nj9doKu+3bLNuLCv9uU3H5+t/GFogReV3Av3z/fCqJ6wHv/KX+lacj31dWXZGD8G
|
||||
z+RYibrxKkPN0V6q1mSvkg3hJOOE+/4FPIdc8PNlgratv3WS4dT8QwGSUavHW2Kx
|
||||
89nIdnwtLEFpgML/bTG0dm8BH57xER8LCYixW1VmpV6A4IsoKVsnB7KUCRTK3iUJ
|
||||
Zh8Xg8UMNrOtXc1Wx1Wmjaa4ZE9dY6/KkU2ny2UWyDHKU/9VE8QQ4HN93gxU4+H7
|
||||
cUg0V1uAxqUvKytKkMfcyPWsz/AINA==
|
||||
-----END CERTIFICATE-----',
|
||||
'releases' => [
|
||||
[
|
||||
'download' => 'https://example.com',
|
||||
'signature' => 'KMSao4cKdMIYxeT8Bm4lrmSeIQnk7YzJZh+Vz+4LVSBwF+OMmcujryQuWLXmbPfg
|
||||
4hGI9zS025469VNjUoCprn01H8NBq3O1cXz+ewG1oxYWMMQFZDkOtUQ+XZ27b91t
|
||||
y0l45H6C8j0sTeSrUb/LCjrdm+buUygkhC2RZxCI6tLi4rYWj0MiqDz98XkbB3te
|
||||
pW3ZND6mG6Jxn1fnd35paqZ/+URMftoLQ4K+6vJoBVGnug9nk1RpGLouICI0zCrz
|
||||
YPTsBHo0s2mPvQQ/ASacWYmSe5R6r5JCzNeGMpViGCqCYPbwuebgqK079s2zvSF9
|
||||
mSLAm2Tk6gCM29N8Vdfr6ppCvIbuNzlLU/dGdYHAILgxEsm/odZjt1Fhs4lOo3A5
|
||||
9ToaNl5+qOEkggwfE/QqceHAY2soW9V5d9izhTCDgXmxpPpPXkwPPTz04ZUpi1Yc
|
||||
OdZZOswbEcc2jUC5T7a7Tnp0uBOkdqat6jB4oMGwU1ldYLCGRyy546cPPTXJw5kH
|
||||
9WfeKJ/mavrSLVa7QqZ4RCcMigmijT1kdqbaEh05IZNrzs6VDcS2EIrbDX8SGXUk
|
||||
uDDkPXZEXqNDEjyONfDXVRLiqDa52Gg+I4vW/l/4ZOFgAWdZkqPPuZFaqzZpsJXm
|
||||
JXhrdaWDZ8fzpUjugrtC3qslsqL0dzgU37anS3HwrT8=',
|
||||
],
|
||||
[
|
||||
'download' => 'https://nextcloud.com',
|
||||
],
|
||||
],
|
||||
],
|
||||
];
|
||||
$this->appFetcher
|
||||
->expects($this->at(1))
|
||||
->method('get')
|
||||
->willReturn($appArray);
|
||||
$realTmpFile = \OC::$server->getTempManager()->getTemporaryFile('.tar.gz');
|
||||
copy(__DIR__ . '/../data/testapp.0.8.tar.gz', $realTmpFile);
|
||||
$this->tempManager
|
||||
->expects($this->at(2))
|
||||
->method('getTemporaryFile')
|
||||
->with('.tar.gz')
|
||||
->willReturn($realTmpFile);
|
||||
$realTmpFolder = \OC::$server->getTempManager()->getTemporaryFolder();
|
||||
$this->tempManager
|
||||
->expects($this->at(3))
|
||||
->method('getTemporaryFolder')
|
||||
->willReturn($realTmpFolder);
|
||||
$client = $this->createMock(IClient::class);
|
||||
$client
|
||||
->expects($this->once())
|
||||
->method('get')
|
||||
->with('https://example.com', ['save_to' => $realTmpFile]);
|
||||
$this->clientService
|
||||
->expects($this->at(1))
|
||||
->method('newClient')
|
||||
->willReturn($client);
|
||||
$this->testDownloadAppSuccessful();
|
||||
$this->assertTrue(file_exists(__DIR__ . '/../../apps/testapp/appinfo/info.xml'));
|
||||
$this->assertEquals('0.9', \OC_App::getAppVersionByPath(__DIR__ . '/../../apps/testapp/'));
|
||||
|
||||
$this->installer->downloadApp('testapp');
|
||||
$this->assertTrue(file_exists(__DIR__ . '/../../apps/testapp/appinfo/info.xml'));
|
||||
$this->assertEquals('0.8', \OC_App::getAppVersionByPath(__DIR__ . '/../../apps/testapp/'));
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue