This adds a phan plugin which checks for SQL injections in code using our QueryBuilder; while it isn't perfect, it should already catch most potential issues.
As always, static analysis will sometimes have false positives, and this is also the case here. So in some cases the analyzer just doesn't know if something is potential user input or not, thus I had to add some `@suppress SqlInjectionChecker` in front of those potential injections.
The Phan plugin doesn't have the most awesome code, but it works, and I also added a file with test cases.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
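The following is an added illustration, not code from the commit or from the Nextcloud code base, of the two QueryBuilder usage patterns such a checker has to tell apart, plus the identifier case where binding is impossible and an allow-list is the only defence. It assumes a hypothetical class `UserLookup` that receives an `OCP\DB\IDBConnection` by constructor injection and queries the `users` table; the method and variable names are assumptions for the example.

```php
<?php
// Added example (not part of the Nextcloud commit): query patterns a
// SQL-injection checker for the QueryBuilder must distinguish.
// Assumes an OCP\DB\IDBConnection injected by the app framework.

use OCP\DB\IDBConnection;
use OCP\DB\QueryBuilder\IQueryBuilder;

class UserLookup {
    /** @var IDBConnection */
    private $db;

    public function __construct(IDBConnection $db) {
        $this->db = $db;
    }

    /**
     * UNSAFE: $uid (request input) is concatenated into the WHERE clause,
     * so a value such as  x' OR '1'='1  changes the query structure.
     * The tainted string reaches the SQL text; this is what the checker
     * should flag.
     */
    public function findUnsafe(string $uid): array {
        $qb = $this->db->getQueryBuilder();
        $qb->select('uid', 'displayname')
            ->from('users')
            ->where("uid = '" . $uid . "'");   // tainted input in SQL text
        $result = $qb->execute();
        $rows = $result->fetchAll();
        $result->closeCursor();
        return $rows;
    }

    /**
     * SAFE: the value is bound as a named parameter. It travels to the
     * database separately from the query text and cannot alter its
     * structure; the checker only ever sees a placeholder in the SQL.
     */
    public function findSafe(string $uid): array {
        $qb = $this->db->getQueryBuilder();
        $qb->select('uid', 'displayname')
            ->from('users')
            ->where($qb->expr()->eq(
                'uid',
                $qb->createNamedParameter($uid, IQueryBuilder::PARAM_STR)
            ));
        $result = $qb->execute();
        $rows = $result->fetchAll();
        $result->closeCursor();
        return $rows;
    }

    /**
     * Identifiers (column names, sort keys) cannot be bound as parameters.
     * If they come from input, they must be checked against an allow-list
     * first. A purely taint-based checker cannot see that the comparison
     * cleared the taint, which is the kind of site that ends up needing a
     * suppression comment.
     */
    public function listSorted(string $sortBy): array {
        $allowed = ['uid', 'displayname'];
        if (!in_array($sortBy, $allowed, true)) {
            $sortBy = 'uid';                   // fall back to a known column
        }
        $qb = $this->db->getQueryBuilder();
        $qb->select('uid', 'displayname')
            ->from('users')
            ->orderBy($sortBy, 'ASC');         // safe only because of the allow-list
        $result = $qb->execute();
        $rows = $result->fetchAll();
        $result->closeCursor();
        return $rows;
    }
}
```

The practical check when reviewing a suppression is the one `listSorted` shows: a `@suppress` is justified only where the value has already been reduced to a fixed set of known identifiers, never where a raw string is still being spliced into the query text as in `findUnsafe`.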
Running the acceptance tests on Drone relied on the pod-style networking
used by services (service containers were available at 127.0.0.1 from
the build containers). However, in Drone 0.7 service and build
containers must be accessed from each other using their domain name
instead. Thus, acceptance tests had to be disabled on Drone.
Now that the acceptance test system supports setting a different domain
for the Selenium server and for the Nextcloud test server the acceptance
tests can be enabled again on Drone.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Previously this container used a very old CentOS version. It has been migrated to Debian Jessie now using the deb.sury.org repositories.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Fix service container host name
check current folder
fix redis for integration test
Fix more hostnames
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
Sometimes, acceptance tests run by Drone fail due to a timeout when
starting the web browser sessions. Increasing the timeout should
minimize the possibility of the failure happening, although it can not
guarantee that it will not happen. A timeout multiplier of 10 was set
just because it looks like a reasonable margin of time, although it is
not based on any hard data.
The timeout multiplier also affects the timeout used when finding
elements. As when starting a session, increasing the find timeout
simply gives the acceptance tests more time to find the objects before
giving up, so it does not change their behaviour when successful and can
also prevent failures due to default timeouts being too low for a
strained system.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
As the script modifies the Git repository a safety parameter was added
to prevent running it by mistake and messing with the local copy of the
repository.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Instead of running an additional Drone service with the Nextcloud server
now the Nextcloud server is run in the same Drone step as the acceptance
tests themselves using the PHP built-in web server.
Thanks to this, the Nextcloud server control is no longer needed, as the
acceptance tests can now directly reset, start and stop the Nextcloud
server. Also, the "nextcloudci/php7.0:php7.0-7" image provides
everything needed to run and manage the Nextcloud server (including the
Git command used to restore the directory to a saved state), so the
custom image is no longer needed either.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Each acceptance test feature is run in its own Drone step. The container
of the step runs the acceptance tests themselves, but they require two
additional Drone services. One service provides the Selenium server that
performs the web browser actions specified by the tests, and the other
service provides the Nextcloud server that the tests will be run
against (due to security concerns the acceptance tests themselves can
not create Docker containers for the Nextcloud server as done when
running them in a local system, as if Drone containers had access to
Docker a malicious pull request could be used to take over the Drone
server).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
This allows adding rate limiting via annotations to controllers; as one example:
```
@UserRateThrottle(limit=5, period=100)
@AnonRateThrottle(limit=1, period=100)
```
This would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified, that one will also be applied to logged-in users.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
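As an added illustration of where those annotations sit (this is example code, not the commit's own nor a Nextcloud app shipped with the server): a hypothetical app controller `OCA\Example\Controller\ThrottledController` with two endpoints, one carrying both throttles and one carrying only the anonymous throttle, which per the description above then also applies to logged-in users. The app name, route names and the `@PublicPage`/`@NoCSRFRequired` annotations on the public endpoint are assumptions chosen for the example; that a throttled request is answered with HTTP 429 is also an assumption, not stated in the commit message.

```php
<?php
// Added example (not part of the Nextcloud commit): a hypothetical
// controller showing the rate-throttle annotations in method docblocks.
namespace OCA\Example\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\DataResponse;
use OCP\IRequest;

class ThrottledController extends Controller {

    public function __construct(string $appName, IRequest $request) {
        parent::__construct($appName, $request);
    }

    /**
     * Password-reset style endpoint: reachable without a session, so it
     * needs separate budgets for logged-in and anonymous callers.
     * Logged-in users: 5 calls per 100 s; anonymous callers: 1 per 100 s.
     *
     * @PublicPage
     * @NoCSRFRequired
     * @UserRateThrottle(limit=5, period=100)
     * @AnonRateThrottle(limit=1, period=100)
     */
    public function requestToken(string $email): DataResponse {
        // Assumption for the example: the framework rejects calls over the
        // limit before this body runs, so only the happy path lives here.
        return new DataResponse(['status' => 'token-sent']);
    }

    /**
     * Only an AnonRateThrottle is given, so the same 3-per-60 s budget
     * applies to logged-in users as well (see the commit description).
     *
     * @NoAdminRequired
     * @AnonRateThrottle(limit=3, period=60)
     */
    public function expensiveSearch(string $query): DataResponse {
        return new DataResponse(['query' => $query, 'results' => []]);
    }
}
```

When adding such annotations, place the most restrictive budget on the anonymous throttle: it is the one an unauthenticated attacker can exercise, and it is also the fallback for authenticated callers whenever no `@UserRateThrottle` is declared.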
Since the tests quite hugely rely on sync tokens being present, I also included those in the legacy backend.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This adds the "QUICKDB" group, which excludes some tests that abuse unit tests as integration tests, as displayed in https://github.com/nextcloud/server/issues/1626
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Should give us some quicker test execution speed as we're not limited by Travis
Explicitly invoke with "bash"
Install instance already
Use newest litmus container