Commit Graph

56277 Commits

Author SHA1 Message Date
Morris Jobke 6811274cfd
Merge pull request #24246 from LukasReschke/add-taint-flow-analysis
Add Psalm Security Analysis
2020-11-21 00:04:37 +01:00
Lukas Reschke 47ac8e0028
Add Psalm Taint Flow Analysis
This adds the Psalm Security Analysis, as described at
https://psalm.dev/docs/security_analysis/

It also adds a plugin for adding input into AppFramework.

The results can be viewed in the GitHub Security tab at
https://github.com/nextcloud/server/security/code-scanning

**Q&A:**

Q: Why do you not use the shipped Psalm version?
A: I do a lot of changes to the Psalm Taint behaviour. Using released
versions is not gonna get us the results we want.

Q: How do I improve false positives?
A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/

Q: How do I add custom sources?
A: https://psalm.dev/docs/security_analysis/custom_taint_sources/

Q: We should run this on apps!
A: Yes.

Q: What will change in Psalm?
A: Quite some of the PHP core functions are not yet marked to propagate
the taint. This leads to results where the taint flow is lost. That's
something that I am currently working on.

Q: Why is the plugin MIT licensed?
A: Because its the first of its kind (based on GitHub Code Search) and
I want other people to copy it if they want to. Security is for all :)

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-11-20 23:12:00 +01:00
Morris Jobke c31e4266c7
Merge pull request #24257 from nextcloud/nc-comments
Simple typo in comments
2020-11-20 20:42:40 +01:00
Morris Jobke 1448b7c923
Merge pull request #24242 from essys/patch-1
Update ScanLegacyFormat.php
2020-11-20 20:39:49 +01:00
Morris Jobke a06111e1eb
Merge pull request #24254 from nextcloud/enh/lint_php8
Also lint php8
2020-11-20 20:33:21 +01:00
Carlos Ferreira a42eb05a35
Simple typo in comments 2020-11-20 20:01:28 +01:00
Roeland Jago Douma 12f322d804
Also lint php8
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-20 16:49:09 +01:00
Morris Jobke 691409cdec
Merge pull request #24062 from nextcloud/revert-24060-revert-24039-faster-installation
Revert "Revert "Installation goes brrrr""
2020-11-20 15:02:51 +01:00
Roeland Jago Douma 7fd7601016
Merge pull request #24241 from nextcloud/enh/harden_EncryptionLegacyCipher_repair
Harden EncryptionLegacyCipher a bit
2020-11-20 14:15:45 +01:00
Roeland Jago Douma 0d30047ac6
Merge pull request #24243 from nextcloud/techdebt/composer-require-libxml
Require libxml in composer
2020-11-20 14:13:29 +01:00
Christoph Wurst 0af22a64cb
Require xmlreader via composer
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-11-20 11:29:50 +01:00
Christoph Wurst 6ae2fe941f
Require libxml in composer
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-11-20 11:08:37 +01:00
essys fdcfc4edce
Update ScanLegacyFormat.php
Fixed a small typo on line 99.
2020-11-20 10:16:35 +01:00
Roeland Jago Douma f8a2c08c41
Merge pull request #24234 from nextcloud/dependabot/composer/vimeo/psalm-4.2.0
Bump vimeo/psalm from 4.1.1 to 4.2.0
2020-11-20 10:03:01 +01:00
Roeland Jago Douma b71803802c
Harden EncryptionLegacyCipher a bit
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-20 09:52:55 +01:00
dependabot-preview[bot] 774350c610
Bump vimeo/psalm from 4.1.1 to 4.2.0
Bumps [vimeo/psalm](https://github.com/vimeo/psalm) from 4.1.1 to 4.2.0.
- [Release notes](https://github.com/vimeo/psalm/releases)
- [Commits](https://github.com/vimeo/psalm/compare/4.1.1...4.2.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-11-20 09:07:01 +01:00
Roeland Jago Douma e794d1f5d8
Merge pull request #24235 from nextcloud-pr-bot/automated/noid/psalm-baseline-update
[Automated] Update psalm-baseline.xml
2020-11-20 08:09:28 +01:00
Nextcloud-PR-Bot c4e8c1bdcd Update psalm baseline
Signed-off-by: GitHub <noreply@github.com>
2020-11-20 04:24:06 +00:00
Nextcloud bot 285570f546
[tx-robot] updated from transifex 2020-11-20 02:20:07 +00:00
Morris Jobke 46f406a8be
Merge pull request #24017 from nextcloud/enh/share_expiration
Make the expire shares cron job actually expire the shares
2020-11-19 23:20:47 +01:00
Morris Jobke 700449882a
Merge pull request #24203 from nextcloud/enh/search_regex_file_shares
Use regex when searching on single file shares
2020-11-19 23:18:48 +01:00
Morris Jobke 568762a5a5
Merge pull request #24211 from nextcloud/bugfix/noid/theming-image
Fix setting images through occ for theming
2020-11-19 23:16:42 +01:00
Morris Jobke 1b613c84e9
Merge pull request #24007 from nextcloud/select-distinct-multiple
allow selecting multiple columns with SELECT DISTINCT
2020-11-19 22:39:01 +01:00
Morris Jobke c2510ecae9
Merge pull request #24103 from nextcloud/bugfix/noid/groupfolder-share-object-storage
Only check path for being accessible when the storage is a object home
2020-11-19 22:37:28 +01:00
Morris Jobke 650ffc587f
Merge pull request #24164 from nextcloud/fix/lazy-app-registration
Allow lazy app registration
2020-11-19 22:35:09 +01:00
Morris Jobke bf23555b8b
Merge pull request #24094 from nextcloud/bugfix/noid/trash-appdata
Only attempt to move to trash if a file is not in appdata
2020-11-19 22:29:23 +01:00
Morris Jobke 33bceacc82
Merge pull request #24225 from nextcloud/enh/dataresponse_typehints
Fix DataResponse typehints
2020-11-19 21:33:46 +01:00
Roeland Jago Douma 1e111b2ad2
Fix DataResponse typehints
We use this already in several places where we just pass strings or
numbers.
This all works because we just convert it to a json response in the end.
So better to have the typehints reflect this.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-19 20:34:42 +01:00
Roeland Jago Douma 220bc1f218
Make the expire shares cron job actually expire the shares
Right now we just delete the shares from the DB. Which is efficient
sure. But doesn't trigger any real cleanup. So no Admin audit entries or
any other post processing is done.

This makes sure we really trigger this.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-19 10:51:51 +01:00
Roeland Jago Douma d602aa1825
Merge pull request #24135 from medical-cloud/fix/23357-nextcloud-logo-in-email-notifications-is-misaligned-in-version-20
Fix nextcloud logo in email notifications misalignment
2020-11-19 10:48:18 +01:00
Roeland Jago Douma eab4f3dc76
Limit shared cache search if it is just a file
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-19 09:15:02 +01:00
Christoph Wurst ecbc7f62be
Merge pull request #24207 from nextcloud/bugfix/noid/missing-level-psrlogged
missing level in ScopedPsrLogger
2020-11-19 08:38:05 +01:00
Julius Härtl 9b7bdfef79
Fix setting images through occ for theming
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-11-19 08:31:24 +01:00
Nextcloud bot c773cee305
[tx-robot] updated from transifex 2020-11-19 02:20:10 +00:00
medcloud 87ec4a0da3 Fix #23357
Signed-off-by: medcloud <42641918+medcloud@users.noreply.github.com>
2020-11-18 22:29:02 +01:00
Maxence Lange a0d9b15a80 missing level
Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
2020-11-18 18:30:07 -01:00
Roeland Jago Douma 66013f906d
Merge pull request #24189 from nextcloud/enh/csp/frame-ancestors
Set frame-ancestors to none if none are filled
2020-11-18 11:29:28 +01:00
Roeland Jago Douma 884c80053a
Merge pull request #24198 from nextcloud/bugfix/noid/no-fs-setup-dashboard
Only setup filesystem if needed for dashboard background service
2020-11-18 11:28:52 +01:00
Christoph Wurst 5eaeba49aa
Merge pull request #24186 from nextcloud/enh/password_to_post
Move the password fiels of chaging passwords to post
2020-11-18 10:19:30 +01:00
Roeland Jago Douma 9163790b7c
Set frame-ancestors to none if none are filled
frame-ancestors doesn't fall back to default-src. So when we apply a
very restricted CSP we should make sure to set it to 'none' and not
leave it empty.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-18 10:13:36 +01:00
Julius Härtl e904da9d7a
Only setup filesystem if needed for dashboard background service
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-11-18 09:03:56 +01:00
Christoph Wurst 3cf39c573f
Allow lazy app registration
During app installation we run migration steps. Those steps may use
services the app registers or classes from composer. Hence we have to
make sure the app runs through the registration.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-11-18 08:48:45 +01:00
Nextcloud bot b5ba1dec5d
[tx-robot] updated from transifex 2020-11-18 02:18:36 +00:00
Roeland Jago Douma 3c334b11f5
Merge pull request #21716 from nextcloud/td/remove/irouter_cleanup
Remove some IRouter methods
2020-11-17 21:53:49 +01:00
Roeland Jago Douma 0f1cc78389
Merge pull request #24188 from nextcloud/enh/password_external_post
Move the global password for files external to post
2020-11-17 19:56:03 +01:00
Julius Härtl 400958cb50
Merge pull request #24192 from nextcloud/dependachristoph/npm_and_yarn/jquery-3.3
Bump jquery from 3.2 to 3.3
2020-11-17 19:42:03 +01:00
Christoph Wurst 6d204adbac
Bump jquery from 3.2 to 3.3
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-11-17 18:28:25 +01:00
Christoph Wurst 7ba3654d36
Merge pull request #24179 from nextcloud/dependachristoph/npm_and_yarn/jquery-3.2
Bump jquery from 3.1 to 3.2
2020-11-17 16:57:12 +01:00
Roeland Jago Douma 97a1098d4d
Move the global password for files external to post
Again more false positives in some scanners

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-17 16:14:21 +01:00
Roeland Jago Douma 644e7a2085
Move the password fiels of chaging passwords to post
* This is not actually used with GET (obviously). But else some scanners
  trip on it

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-17 16:10:18 +01:00