Commit Graph

56599 Commits

Author SHA1 Message Date
Roeland Jago Douma e0a6f6d34b
Merge pull request #24251 from nextcloud/fix/sabre-parse-xml-errors
Update sabre/xml to fix XML parsing errors (with empty strings)
2020-11-23 10:28:06 +01:00
dependabot-preview[bot] f8af508907 Bump moment-timezone from 0.5.31 to 0.5.32
Bumps [moment-timezone](https://github.com/moment/moment-timezone) from 0.5.31 to 0.5.32.
- [Release notes](https://github.com/moment/moment-timezone/releases)
- [Changelog](https://github.com/moment/moment-timezone/blob/develop/changelog.md)
- [Commits](https://github.com/moment/moment-timezone/compare/0.5.31...0.5.32)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: npmbuildbot-nextcloud[bot] <npmbuildbot-nextcloud[bot]@users.noreply.github.com>
2020-11-23 08:23:42 +00:00
Christoph Wurst a35a9a009d
Update sabre/xml to fix XML parsing errors (with empty strings)
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-11-23 09:13:46 +01:00
Roeland Jago Douma a1cd5ca20c
Merge pull request #24290 from nextcloud/propagate-taint
Add IRequest taint sources
2020-11-23 08:40:14 +01:00
Roeland Jago Douma ad5059a39e
Merge pull request #24293 from nextcloud/dependabot/composer/vimeo/psalm-4.2.1
Bump vimeo/psalm from 4.2.0 to 4.2.1
2020-11-23 08:03:07 +01:00
dependabot-preview[bot] 942cd71055
Bump vimeo/psalm from 4.2.0 to 4.2.1
Bumps [vimeo/psalm](https://github.com/vimeo/psalm) from 4.2.0 to 4.2.1.
- [Release notes](https://github.com/vimeo/psalm/releases)
- [Commits](https://github.com/vimeo/psalm/compare/4.2.0...4.2.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-11-23 02:42:54 +00:00
Nextcloud bot 6b9f57905f
[tx-robot] updated from transifex 2020-11-23 02:18:46 +00:00
Lukas Reschke a5d4d3d4cc
Add IRequest taint sources
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-11-22 23:04:43 +01:00
Morris Jobke efe644137d
[encryption] Remove dependency fetching inside the constructor and move them to method call parameters
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-11-22 22:35:02 +01:00
Morris Jobke 9a0428835f
Merge pull request #24267 from nextcloud/techdebt/noid/auto-wire-encryption-app-view-dependent
Auto-wire remaining encryption app services that depend on View
2020-11-22 22:33:53 +01:00
Morris Jobke 858c7f4032
Auto-wire remaining encryption app services that depend on View
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-11-22 22:22:16 +01:00
Roeland Jago Douma 032de4f333
Merge pull request #24269 from nextcloud/taint-specialize
Mark getAppPath as specialized taint
2020-11-22 13:39:46 +01:00
Roeland Jago Douma 293410f576
Merge pull request #24268 from nextcloud/add-app-as-sanitizer-for-include
Mark cleanAppId as sanitizer for include
2020-11-22 10:53:26 +01:00
Nextcloud bot f1d71a21e5
[tx-robot] updated from transifex 2020-11-22 02:18:27 +00:00
John Molakvoæ e1821f36d9
Merge pull request #24276 from nextcloud/dependabot/npm_and_yarn/vue-material-design-icons-4.11.0
Bump vue-material-design-icons from 4.10.0 to 4.11.0
2020-11-21 11:11:28 +01:00
dependabot-preview[bot] 1cde362c2e
Bump vue-material-design-icons from 4.10.0 to 4.11.0
Bumps [vue-material-design-icons](https://github.com/robcresswell/vue-material-design-icons) from 4.10.0 to 4.11.0.
- [Release notes](https://github.com/robcresswell/vue-material-design-icons/releases)
- [Changelog](https://github.com/robcresswell/vue-material-design-icons/blob/dev/CHANGELOG.md)
- [Commits](https://github.com/robcresswell/vue-material-design-icons/compare/4.10.0...4.11.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-11-21 02:20:25 +00:00
Nextcloud bot 1859cebe56
[tx-robot] updated from transifex 2020-11-21 02:19:19 +00:00
Lukas Reschke d25ca1976b Mark getAppPath as specialized taint
Should remove some false positives.

https://psalm.dev/docs/security_analysis/avoiding_false_positives/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-11-21 01:15:15 +00:00
Lukas Reschke 98ddfdd1e8 Mark cleanAppId as sanitizer for include
Should remove a bunch of false positive code scanning results.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-11-21 00:57:25 +00:00
Morris Jobke e606c0eef4
Allow View to be used via DI
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-11-21 00:18:59 +01:00
Morris Jobke db3a3bee37
Merge pull request #24064 from nextcloud/techdebt/noid/auto-wire-encryption-app
Auto-wire as much as possible in the encryption app
2020-11-21 00:04:54 +01:00
Morris Jobke 6811274cfd
Merge pull request #24246 from LukasReschke/add-taint-flow-analysis
Add Psalm Security Analysis
2020-11-21 00:04:37 +01:00
Morris Jobke 5be18215fb
Auto-wire as much as possible in the encryption app
Also cleans up only non-classname services in the server container

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-11-20 23:13:22 +01:00
Lukas Reschke 47ac8e0028
Add Psalm Taint Flow Analysis
This adds the Psalm Security Analysis, as described at
https://psalm.dev/docs/security_analysis/

It also adds a plugin for adding input into AppFramework.

The results can be viewed in the GitHub Security tab at
https://github.com/nextcloud/server/security/code-scanning

**Q&A:**

Q: Why do you not use the shipped Psalm version?
A: I do a lot of changes to the Psalm Taint behaviour. Using released
versions is not gonna get us the results we want.

Q: How do I improve false positives?
A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/

Q: How do I add custom sources?
A: https://psalm.dev/docs/security_analysis/custom_taint_sources/

Q: We should run this on apps!
A: Yes.

Q: What will change in Psalm?
A: Quite some of the PHP core functions are not yet marked to propagate
the taint. This leads to results where the taint flow is lost. That's
something that I am currently working on.

Q: Why is the plugin MIT licensed?
A: Because its the first of its kind (based on GitHub Code Search) and
I want other people to copy it if they want to. Security is for all :)

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-11-20 23:12:00 +01:00
Morris Jobke c31e4266c7
Merge pull request #24257 from nextcloud/nc-comments
Simple typo in comments
2020-11-20 20:42:40 +01:00
Morris Jobke 1448b7c923
Merge pull request #24242 from essys/patch-1
Update ScanLegacyFormat.php
2020-11-20 20:39:49 +01:00
Morris Jobke a06111e1eb
Merge pull request #24254 from nextcloud/enh/lint_php8
Also lint php8
2020-11-20 20:33:21 +01:00
Carlos Ferreira a42eb05a35
Simple typo in comments 2020-11-20 20:01:28 +01:00
Roeland Jago Douma 12f322d804
Also lint php8
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-20 16:49:09 +01:00
Morris Jobke 691409cdec
Merge pull request #24062 from nextcloud/revert-24060-revert-24039-faster-installation
Revert "Revert "Installation goes brrrr""
2020-11-20 15:02:51 +01:00
Roeland Jago Douma 7fd7601016
Merge pull request #24241 from nextcloud/enh/harden_EncryptionLegacyCipher_repair
Harden EncryptionLegacyCipher a bit
2020-11-20 14:15:45 +01:00
Roeland Jago Douma 0d30047ac6
Merge pull request #24243 from nextcloud/techdebt/composer-require-libxml
Require libxml in composer
2020-11-20 14:13:29 +01:00
Christoph Wurst 0af22a64cb
Require xmlreader via composer
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-11-20 11:29:50 +01:00
Christoph Wurst 6ae2fe941f
Require libxml in composer
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-11-20 11:08:37 +01:00
essys fdcfc4edce
Update ScanLegacyFormat.php
Fixed a small typo on line 99.
2020-11-20 10:16:35 +01:00
Roeland Jago Douma f8a2c08c41
Merge pull request #24234 from nextcloud/dependabot/composer/vimeo/psalm-4.2.0
Bump vimeo/psalm from 4.1.1 to 4.2.0
2020-11-20 10:03:01 +01:00
Roeland Jago Douma b71803802c
Harden EncryptionLegacyCipher a bit
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-20 09:52:55 +01:00
dependabot-preview[bot] 774350c610
Bump vimeo/psalm from 4.1.1 to 4.2.0
Bumps [vimeo/psalm](https://github.com/vimeo/psalm) from 4.1.1 to 4.2.0.
- [Release notes](https://github.com/vimeo/psalm/releases)
- [Commits](https://github.com/vimeo/psalm/compare/4.1.1...4.2.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-11-20 09:07:01 +01:00
Roeland Jago Douma e794d1f5d8
Merge pull request #24235 from nextcloud-pr-bot/automated/noid/psalm-baseline-update
[Automated] Update psalm-baseline.xml
2020-11-20 08:09:28 +01:00
Nextcloud-PR-Bot c4e8c1bdcd Update psalm baseline
Signed-off-by: GitHub <noreply@github.com>
2020-11-20 04:24:06 +00:00
Nextcloud bot 285570f546
[tx-robot] updated from transifex 2020-11-20 02:20:07 +00:00
Morris Jobke 46f406a8be
Merge pull request #24017 from nextcloud/enh/share_expiration
Make the expire shares cron job actually expire the shares
2020-11-19 23:20:47 +01:00
Morris Jobke 700449882a
Merge pull request #24203 from nextcloud/enh/search_regex_file_shares
Use regex when searching on single file shares
2020-11-19 23:18:48 +01:00
Morris Jobke 568762a5a5
Merge pull request #24211 from nextcloud/bugfix/noid/theming-image
Fix setting images through occ for theming
2020-11-19 23:16:42 +01:00
Morris Jobke 1b613c84e9
Merge pull request #24007 from nextcloud/select-distinct-multiple
allow selecting multiple columns with SELECT DISTINCT
2020-11-19 22:39:01 +01:00
Morris Jobke c2510ecae9
Merge pull request #24103 from nextcloud/bugfix/noid/groupfolder-share-object-storage
Only check path for being accessible when the storage is a object home
2020-11-19 22:37:28 +01:00
Morris Jobke 650ffc587f
Merge pull request #24164 from nextcloud/fix/lazy-app-registration
Allow lazy app registration
2020-11-19 22:35:09 +01:00
Morris Jobke bf23555b8b
Merge pull request #24094 from nextcloud/bugfix/noid/trash-appdata
Only attempt to move to trash if a file is not in appdata
2020-11-19 22:29:23 +01:00
Morris Jobke 33bceacc82
Merge pull request #24225 from nextcloud/enh/dataresponse_typehints
Fix DataResponse typehints
2020-11-19 21:33:46 +01:00
Roeland Jago Douma 1e111b2ad2
Fix DataResponse typehints
We use this already in several places where we just pass strings or
numbers.
This all works because we just convert it to a json response in the end.
So better to have the typehints reflect this.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-19 20:34:42 +01:00