Merge pull request #26626 from J0WI/strict-security

Make Security module strict
This commit is contained in:
Roeland Jago Douma 2021-05-18 08:43:13 +02:00 committed by GitHub
commit ee3dc57cbd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
31 changed files with 143 additions and 50 deletions

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2017 Roeland Jago Douma <roeland@famdouma.nl> * @copyright Copyright (c) 2017 Roeland Jago Douma <roeland@famdouma.nl>
* *
@ -46,7 +49,7 @@ class Capabilities implements IPublicCapability {
$this->throttler = $throttler; $this->throttler = $throttler;
} }
public function getCapabilities() { public function getCapabilities(): array {
if (version_compare(\OC::$server->getConfig()->getSystemValue('version', '0.0.0.0'), '12.0.0.0', '<')) { if (version_compare(\OC::$server->getConfig()->getSystemValue('version', '0.0.0.0'), '12.0.0.0', '<')) {
return []; return [];
} }

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2016, ownCloud, Inc. * @copyright Copyright (c) 2016, ownCloud, Inc.
* *
@ -49,7 +52,7 @@ class Certificate implements ICertificate {
* @param string $name * @param string $name
* @throws \Exception If the certificate could not get parsed * @throws \Exception If the certificate could not get parsed
*/ */
public function __construct($data, $name) { public function __construct(string $data, string $name) {
$this->name = $name; $this->name = $name;
$gmt = new \DateTimeZone('GMT'); $gmt = new \DateTimeZone('GMT');
@ -75,42 +78,42 @@ class Certificate implements ICertificate {
/** /**
* @return string * @return string
*/ */
public function getName() { public function getName(): string {
return $this->name; return $this->name;
} }
/** /**
* @return string|null * @return string|null
*/ */
public function getCommonName() { public function getCommonName(): ?string {
return $this->commonName; return $this->commonName;
} }
/** /**
* @return string * @return string|null
*/ */
public function getOrganization() { public function getOrganization(): ?string {
return $this->organization; return $this->organization;
} }
/** /**
* @return \DateTime * @return \DateTime
*/ */
public function getIssueDate() { public function getIssueDate(): \DateTime {
return $this->issueDate; return $this->issueDate;
} }
/** /**
* @return \DateTime * @return \DateTime
*/ */
public function getExpireDate() { public function getExpireDate(): \DateTime {
return $this->expireDate; return $this->expireDate;
} }
/** /**
* @return bool * @return bool
*/ */
public function isExpired() { public function isExpired(): bool {
$now = new \DateTime(); $now = new \DateTime();
return $this->issueDate > $now or $now > $this->expireDate; return $this->issueDate > $now or $now > $this->expireDate;
} }
@ -118,14 +121,14 @@ class Certificate implements ICertificate {
/** /**
* @return string|null * @return string|null
*/ */
public function getIssuerName() { public function getIssuerName(): ?string {
return $this->issuerName; return $this->issuerName;
} }
/** /**
* @return string|null * @return string|null
*/ */
public function getIssuerOrganization() { public function getIssuerOrganization(): ?string {
return $this->issuerOrganization; return $this->issuerOrganization;
} }
} }

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2016, ownCloud, Inc. * @copyright Copyright (c) 2016, ownCloud, Inc.
* *
@ -30,6 +33,7 @@
namespace OC\Security; namespace OC\Security;
use OC\Files\Filesystem; use OC\Files\Filesystem;
use OCP\ICertificate;
use OCP\ICertificateManager; use OCP\ICertificateManager;
use OCP\IConfig; use OCP\IConfig;
use OCP\ILogger; use OCP\ILogger;
@ -78,7 +82,7 @@ class CertificateManager implements ICertificateManager {
* *
* @return \OCP\ICertificate[] * @return \OCP\ICertificate[]
*/ */
public function listCertificates() { public function listCertificates(): array {
if (!$this->config->getSystemValue('installed', false)) { if (!$this->config->getSystemValue('installed', false)) {
return []; return [];
} }
@ -130,7 +134,7 @@ class CertificateManager implements ICertificateManager {
/** /**
* create the certificate bundle of all trusted certificated * create the certificate bundle of all trusted certificated
*/ */
public function createCertificateBundle() { public function createCertificateBundle(): void {
$path = $this->getPathToCertificates(); $path = $this->getPathToCertificates();
$certs = $this->listCertificates(); $certs = $this->listCertificates();
@ -182,7 +186,7 @@ class CertificateManager implements ICertificateManager {
* @return \OCP\ICertificate * @return \OCP\ICertificate
* @throws \Exception If the certificate could not get added * @throws \Exception If the certificate could not get added
*/ */
public function addCertificate($certificate, $name) { public function addCertificate(string $certificate, string $name): ICertificate {
if (!Filesystem::isValidPath($name) or Filesystem::isFileBlacklisted($name)) { if (!Filesystem::isValidPath($name) or Filesystem::isFileBlacklisted($name)) {
throw new \Exception('Filename is not valid'); throw new \Exception('Filename is not valid');
} }
@ -209,7 +213,7 @@ class CertificateManager implements ICertificateManager {
* @param string $name * @param string $name
* @return bool * @return bool
*/ */
public function removeCertificate($name) { public function removeCertificate(string $name): bool {
if (!Filesystem::isValidPath($name)) { if (!Filesystem::isValidPath($name)) {
return false; return false;
} }
@ -226,7 +230,7 @@ class CertificateManager implements ICertificateManager {
* *
* @return string * @return string
*/ */
public function getCertificateBundle() { public function getCertificateBundle(): string {
return $this->getPathToCertificates() . 'rootcerts.crt'; return $this->getPathToCertificates() . 'rootcerts.crt';
} }
@ -235,7 +239,7 @@ class CertificateManager implements ICertificateManager {
* *
* @return string * @return string
*/ */
public function getAbsoluteBundlePath() { public function getAbsoluteBundlePath(): string {
if (!$this->hasCertificates()) { if (!$this->hasCertificates()) {
return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt'; return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
} }
@ -250,7 +254,7 @@ class CertificateManager implements ICertificateManager {
/** /**
* @return string * @return string
*/ */
private function getPathToCertificates() { private function getPathToCertificates(): string {
return '/files_external/'; return '/files_external/';
} }
@ -259,7 +263,7 @@ class CertificateManager implements ICertificateManager {
* *
* @return bool * @return bool
*/ */
private function needsRebundling() { private function needsRebundling(): bool {
$targetBundle = $this->getCertificateBundle(); $targetBundle = $this->getCertificateBundle();
if (!$this->view->file_exists($targetBundle)) { if (!$this->view->file_exists($targetBundle)) {
return true; return true;
@ -274,7 +278,7 @@ class CertificateManager implements ICertificateManager {
* *
* @return int * @return int
*/ */
protected function getFilemtimeOfCaBundle() { protected function getFilemtimeOfCaBundle(): int {
return filemtime(\OC::$SERVERROOT . '/resources/config/ca-bundle.crt'); return filemtime(\OC::$SERVERROOT . '/resources/config/ca-bundle.crt');
} }
} }

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2016, ownCloud, Inc. * @copyright Copyright (c) 2016, ownCloud, Inc.
* *
@ -59,11 +62,11 @@ class CredentialsManager implements ICredentialsManager {
* @param string $identifier * @param string $identifier
* @param mixed $credentials * @param mixed $credentials
*/ */
public function store($userId, $identifier, $credentials) { public function store(string $userId, string $identifier, $credentials): void {
$value = $this->crypto->encrypt(json_encode($credentials)); $value = $this->crypto->encrypt(json_encode($credentials));
$this->dbConnection->setValues(self::DB_TABLE, [ $this->dbConnection->setValues(self::DB_TABLE, [
'user' => (string)$userId, 'user' => $userId,
'identifier' => $identifier, 'identifier' => $identifier,
], [ ], [
'credentials' => $value, 'credentials' => $value,
@ -77,7 +80,7 @@ class CredentialsManager implements ICredentialsManager {
* @param string $identifier * @param string $identifier
* @return mixed * @return mixed
*/ */
public function retrieve($userId, $identifier) { public function retrieve(string $userId, string $identifier) {
$qb = $this->dbConnection->getQueryBuilder(); $qb = $this->dbConnection->getQueryBuilder();
$qb->select('credentials') $qb->select('credentials')
->from(self::DB_TABLE) ->from(self::DB_TABLE)
@ -86,7 +89,7 @@ class CredentialsManager implements ICredentialsManager {
if ($userId === '') { if ($userId === '') {
$qb->andWhere($qb->expr()->emptyString('user')); $qb->andWhere($qb->expr()->emptyString('user'));
} else { } else {
$qb->andWhere($qb->expr()->eq('user', $qb->createNamedParameter((string)$userId))); $qb->andWhere($qb->expr()->eq('user', $qb->createNamedParameter($userId)));
} }
$qResult = $qb->execute(); $qResult = $qb->execute();
@ -108,7 +111,7 @@ class CredentialsManager implements ICredentialsManager {
* @param string $identifier * @param string $identifier
* @return int rows removed * @return int rows removed
*/ */
public function delete($userId, $identifier) { public function delete(string $userId, string $identifier): int {
$qb = $this->dbConnection->getQueryBuilder(); $qb = $this->dbConnection->getQueryBuilder();
$qb->delete(self::DB_TABLE) $qb->delete(self::DB_TABLE)
->where($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier))); ->where($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier)));
@ -116,7 +119,7 @@ class CredentialsManager implements ICredentialsManager {
if ($userId === '') { if ($userId === '') {
$qb->andWhere($qb->expr()->emptyString('user')); $qb->andWhere($qb->expr()->emptyString('user'));
} else { } else {
$qb->andWhere($qb->expr()->eq('user', $qb->createNamedParameter((string)$userId))); $qb->andWhere($qb->expr()->eq('user', $qb->createNamedParameter($userId)));
} }
return $qb->execute(); return $qb->execute();
@ -128,7 +131,7 @@ class CredentialsManager implements ICredentialsManager {
* @param string $userId * @param string $userId
* @return int rows removed * @return int rows removed
*/ */
public function erase($userId) { public function erase(string $userId): int {
$qb = $this->dbConnection->getQueryBuilder(); $qb = $this->dbConnection->getQueryBuilder();
$qb->delete(self::DB_TABLE) $qb->delete(self::DB_TABLE)
->where($qb->expr()->eq('user', $qb->createNamedParameter($userId))) ->where($qb->expr()->eq('user', $qb->createNamedParameter($userId)))

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2016, ownCloud, Inc. * @copyright Copyright (c) 2016, ownCloud, Inc.
* *
@ -51,7 +54,7 @@ class TrustedDomainHelper {
* @param string $host * @param string $host
* @return string $host without appended port * @return string $host without appended port
*/ */
private function getDomainWithoutPort($host) { private function getDomainWithoutPort(string $host): string {
$pos = strrpos($host, ':'); $pos = strrpos($host, ':');
if ($pos !== false) { if ($pos !== false) {
$port = substr($host, $pos + 1); $port = substr($host, $pos + 1);
@ -71,7 +74,7 @@ class TrustedDomainHelper {
* @return bool true if the given domain is trusted or if no trusted domains * @return bool true if the given domain is trusted or if no trusted domains
* have been configured * have been configured
*/ */
public function isTrustedDomain($domainWithPort) { public function isTrustedDomain(string $domainWithPort): bool {
// overwritehost is always trusted // overwritehost is always trusted
if ($this->config->getSystemValue('overwritehost') !== '') { if ($this->config->getSystemValue('overwritehost') !== '') {
return true; return true;

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2016, ownCloud, Inc. * @copyright Copyright (c) 2016, ownCloud, Inc.
* *
@ -33,47 +36,47 @@ interface ICertificate {
* @return string * @return string
* @since 8.0.0 * @since 8.0.0
*/ */
public function getName(); public function getName(): string;
/** /**
* @return string * @return string|null
* @since 8.0.0 * @since 8.0.0
*/ */
public function getCommonName(); public function getCommonName(): ?string;
/** /**
* @return string * @return string|null
* @since 8.0.0 * @since 8.0.0
*/ */
public function getOrganization(); public function getOrganization(): ?string;
/** /**
* @return \DateTime * @return \DateTime
* @since 8.0.0 * @since 8.0.0
*/ */
public function getIssueDate(); public function getIssueDate(): \DateTime;
/** /**
* @return \DateTime * @return \DateTime
* @since 8.0.0 * @since 8.0.0
*/ */
public function getExpireDate(); public function getExpireDate(): \DateTime;
/** /**
* @return bool * @return bool
* @since 8.0.0 * @since 8.0.0
*/ */
public function isExpired(); public function isExpired(): bool;
/** /**
* @return string * @return string|null
* @since 8.0.0 * @since 8.0.0
*/ */
public function getIssuerName(); public function getIssuerName(): ?string;
/** /**
* @return string * @return string|null
* @since 8.0.0 * @since 8.0.0
*/ */
public function getIssuerOrganization(); public function getIssuerOrganization(): ?string;
} }

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2016, ownCloud, Inc. * @copyright Copyright (c) 2016, ownCloud, Inc.
* *
@ -35,7 +38,7 @@ interface ICertificateManager {
* @return \OCP\ICertificate[] * @return \OCP\ICertificate[]
* @since 8.0.0 * @since 8.0.0
*/ */
public function listCertificates(); public function listCertificates(): array;
/** /**
* @param string $certificate the certificate data * @param string $certificate the certificate data
@ -44,13 +47,14 @@ interface ICertificateManager {
* @throws \Exception If the certificate could not get added * @throws \Exception If the certificate could not get added
* @since 8.0.0 - since 8.1.0 throws exception instead of returning false * @since 8.0.0 - since 8.1.0 throws exception instead of returning false
*/ */
public function addCertificate($certificate, $name); public function addCertificate(string $certificate, string $name): \OCP\ICertificate;
/** /**
* @param string $name * @param string $name
* @return bool
* @since 8.0.0 * @since 8.0.0
*/ */
public function removeCertificate($name); public function removeCertificate(string $name): bool;
/** /**
* Get the path to the certificate bundle * Get the path to the certificate bundle
@ -58,7 +62,7 @@ interface ICertificateManager {
* @return string * @return string
* @since 8.0.0 * @since 8.0.0
*/ */
public function getCertificateBundle(); public function getCertificateBundle(): string;
/** /**
* Get the full local path to the certificate bundle * Get the full local path to the certificate bundle
@ -66,5 +70,5 @@ interface ICertificateManager {
* @return string * @return string
* @since 9.0.0 * @since 9.0.0
*/ */
public function getAbsoluteBundlePath(); public function getAbsoluteBundlePath(): string;
} }

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2016, ownCloud, Inc. * @copyright Copyright (c) 2016, ownCloud, Inc.
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2016, ownCloud, Inc. * @copyright Copyright (c) 2016, ownCloud, Inc.
* *
@ -38,7 +41,7 @@ interface ICredentialsManager {
* @param mixed $credentials * @param mixed $credentials
* @since 8.2.0 * @since 8.2.0
*/ */
public function store($userId, $identifier, $credentials); public function store(string $userId, string $identifier, $credentials): void;
/** /**
* Retrieve a set of credentials * Retrieve a set of credentials
@ -48,7 +51,7 @@ interface ICredentialsManager {
* @return mixed * @return mixed
* @since 8.2.0 * @since 8.2.0
*/ */
public function retrieve($userId, $identifier); public function retrieve(string $userId, string $identifier);
/** /**
* Delete a set of credentials * Delete a set of credentials
@ -58,7 +61,7 @@ interface ICredentialsManager {
* @return int rows removed * @return int rows removed
* @since 8.2.0 * @since 8.2.0
*/ */
public function delete($userId, $identifier); public function delete(string $userId, string $identifier): int;
/** /**
* Erase all credentials stored for a user * Erase all credentials stored for a user
@ -67,5 +70,5 @@ interface ICredentialsManager {
* @return int rows removed * @return int rows removed
* @since 8.2.0 * @since 8.2.0
*/ */
public function erase($userId); public function erase(string $userId): int;
} }

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2017 Roeland Jago Douma <roeland@famdouma.nl> * @copyright Copyright (c) 2017 Roeland Jago Douma <roeland@famdouma.nl>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch> * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
* *

View File

@ -1,6 +1,7 @@
<?php <?php
declare(strict_types=1); declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2019, Roeland Jago Douma <roeland@famdouma.nl> * @copyright Copyright (c) 2019, Roeland Jago Douma <roeland@famdouma.nl>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @author Lukas Reschke <lukas@owncloud.com> * @author Lukas Reschke <lukas@owncloud.com>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch> * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @author Lukas Reschke <lukas@owncloud.com> * @author Lukas Reschke <lukas@owncloud.com>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @author Lukas Reschke <lukas@owncloud.com> * @author Lukas Reschke <lukas@owncloud.com>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @author Lukas Reschke <lukas@owncloud.com> * @author Lukas Reschke <lukas@owncloud.com>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @author Lukas Reschke <lukas@owncloud.com> * @author Lukas Reschke <lukas@owncloud.com>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com> * Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or * This file is licensed under the Affero General Public License version 3 or

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @author Lukas Reschke <lukas@owncloud.com> * @author Lukas Reschke <lukas@owncloud.com>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @author Robin McCorkell <rmccorkell@owncloud.com> * @author Robin McCorkell <rmccorkell@owncloud.com>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com> * Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or * This file is licensed under the Affero General Public License version 3 or

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com> * Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or * This file is licensed under the Affero General Public License version 3 or

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright 2016, Roeland Jago Douma <roeland@famdouma.nl> * @copyright 2016, Roeland Jago Douma <roeland@famdouma.nl>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch> * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright 2016, Roeland Jago Douma <roeland@famdouma.nl> * @copyright 2016, Roeland Jago Douma <roeland@famdouma.nl>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
* *

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com> * Copyright (c) 2014 Lukas Reschke <lukas@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or * This file is licensed under the Affero General Public License version 3 or

View File

@ -1,4 +1,7 @@
<?php <?php
declare(strict_types=1);
/** /**
* Copyright (c) 2015 Lukas Reschke <lukas@owncloud.com> * Copyright (c) 2015 Lukas Reschke <lukas@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or * This file is licensed under the Affero General Public License version 3 or