a5d4d3d4cc
Add IRequest taint sources
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-11-22 23:04:43 +01:00
9a0428835f
Merge pull request #24267 from nextcloud/techdebt/noid/auto-wire-encryption-app-view-dependent
...
Auto-wire remaining encryption app services that depend on View
2020-11-22 22:33:53 +01:00
032de4f333
Merge pull request #24269 from nextcloud/taint-specialize
...
Mark getAppPath as specialized taint
2020-11-22 13:39:46 +01:00
d25ca1976b
Mark getAppPath as specialized taint
...
Should remove some false positives.
https://psalm.dev/docs/security_analysis/avoiding_false_positives/
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-11-21 01:15:15 +00:00
98ddfdd1e8
Mark cleanAppId as sanitizer for include
...
Should remove a bunch of false positive code scanning results.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-11-21 00:57:25 +00:00
e606c0eef4
Allow View to be used via DI
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-11-21 00:18:59 +01:00
db3a3bee37
Merge pull request #24064 from nextcloud/techdebt/noid/auto-wire-encryption-app
...
Auto-wire as much as possible in the encryption app
2020-11-21 00:04:54 +01:00
6811274cfd
Merge pull request #24246 from LukasReschke/add-taint-flow-analysis
...
Add Psalm Security Analysis
2020-11-21 00:04:37 +01:00
5be18215fb
Auto-wire as much as possible in the encryption app
...
Also cleans up only non-classname services in the server container
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-11-20 23:13:22 +01:00
47ac8e0028
Add Psalm Taint Flow Analysis
...
This adds the Psalm Security Analysis, as described at
https://psalm.dev/docs/security_analysis/
It also adds a plugin for adding input into AppFramework.
The results can be viewed in the GitHub Security tab at
https://github.com/nextcloud/server/security/code-scanning
**Q&A:**
Q: Why do you not use the shipped Psalm version?
A: I do a lot of changes to the Psalm Taint behaviour. Using released
versions is not gonna get us the results we want.
Q: How do I improve false positives?
A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/
Q: How do I add custom sources?
A: https://psalm.dev/docs/security_analysis/custom_taint_sources/
Q: We should run this on apps!
A: Yes.
Q: What will change in Psalm?
A: Quite some of the PHP core functions are not yet marked to propagate
the taint. This leads to results where the taint flow is lost. That's
something that I am currently working on.
Q: Why is the plugin MIT licensed?
A: Because its the first of its kind (based on GitHub Code Search) and
I want other people to copy it if they want to. Security is for all :)
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-11-20 23:12:00 +01:00
a42eb05a35
Simple typo in comments
2020-11-20 20:01:28 +01:00
691409cdec
Merge pull request #24062 from nextcloud/revert-24060-revert-24039-faster-installation
...
Revert "Revert "Installation goes brrrr""
2020-11-20 15:02:51 +01:00
b71803802c
Harden EncryptionLegacyCipher a bit
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-20 09:52:55 +01:00
1b613c84e9
Merge pull request #24007 from nextcloud/select-distinct-multiple
...
allow selecting multiple columns with SELECT DISTINCT
2020-11-19 22:39:01 +01:00
c2510ecae9
Merge pull request #24103 from nextcloud/bugfix/noid/groupfolder-share-object-storage
...
Only check path for being accessible when the storage is a object home
2020-11-19 22:37:28 +01:00
650ffc587f
Merge pull request #24164 from nextcloud/fix/lazy-app-registration
...
Allow lazy app registration
2020-11-19 22:35:09 +01:00
1e111b2ad2
Fix DataResponse typehints
...
We use this already in several places where we just pass strings or
numbers.
This all works because we just convert it to a json response in the end.
So better to have the typehints reflect this.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-19 20:34:42 +01:00
d602aa1825
Merge pull request #24135 from medical-cloud/fix/23357-nextcloud-logo-in-email-notifications-is-misaligned-in-version-20
...
Fix nextcloud logo in email notifications misalignment
2020-11-19 10:48:18 +01:00
ecbc7f62be
Merge pull request #24207 from nextcloud/bugfix/noid/missing-level-psrlogged
...
missing level in ScopedPsrLogger
2020-11-19 08:38:05 +01:00
c773cee305
[tx-robot] updated from transifex
2020-11-19 02:20:10 +00:00
87ec4a0da3
Fix #23357
...
Signed-off-by: medcloud <42641918+medcloud@users.noreply.github.com>
2020-11-18 22:29:02 +01:00
a0d9b15a80
missing level
...
Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
2020-11-18 18:30:07 -01:00
66013f906d
Merge pull request #24189 from nextcloud/enh/csp/frame-ancestors
...
Set frame-ancestors to none if none are filled
2020-11-18 11:29:28 +01:00
9163790b7c
Set frame-ancestors to none if none are filled
...
frame-ancestors doesn't fall back to default-src. So when we apply a
very restricted CSP we should make sure to set it to 'none' and not
leave it empty.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-18 10:13:36 +01:00
3cf39c573f
Allow lazy app registration
...
During app installation we run migration steps. Those steps may use
services the app registers or classes from composer. Hence we have to
make sure the app runs through the registration.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-11-18 08:48:45 +01:00
72a9c35be3
Remove some IRouter methods
...
This is not the end. IRouter needs to burn.
But it is a start.
🎵 we didn't start the fire 🎵
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-17 14:08:20 +01:00
a8cb8e21c1
Add types to function builder
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-16 19:46:24 +01:00
9a3ce2f71f
Don't drop the table anymore when we create it again
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-16 19:34:38 +01:00
a61a757b85
allow selecting multiple columns with SELECT DISTINCT
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2020-11-16 15:45:17 +01:00
426dc68b45
Merge pull request #24069 from nextcloud/fix-default-internal-expiration-date
...
Fix default internal expiration date
2020-11-16 14:13:56 +01:00
d0f738fd59
Merge pull request #24112 from nextcloud/bugfix/24099/setup-fs-before-query-storage-in-settings
...
Set up FS before querying storage info in settings
2020-11-16 11:46:22 +01:00
bcf0a69af4
Fix default internal expiration date
...
The default expiration date for internal shares was set from the default
link expiration date instead of the internal one.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
2020-11-16 08:54:18 +01:00
91a3e439cb
Don't throw on SHOW VERSION query
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-16 08:43:48 +01:00
569c615383
[tx-robot] updated from transifex
2020-11-14 02:19:36 +00:00
2143f2bb82
Set up FS before querying storage info in settings
...
The personal info section of the personal settings is querying the
storage quota information. For this it requires the FS to be setup which
is not always guaranteed.
This fixes an issue where refreshing the settings page would cause it to
fail after Redis caches are full. It is likely that when Redis cache is
populated, some code path is initializing the FS, so it works so far.
But when the cache is populated, that code path is skipped so the FS is
not guaranteed to be setup...
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2020-11-13 17:06:37 +01:00
d665981447
Only check path for being accessible when the storage is a object home
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-11-13 13:48:32 +01:00
81070c753b
Merge pull request #24053 from nextcloud/bugfix/noid/fix-user-status-for-oracle
2020-11-12 21:43:31 +01:00
51a02c8009
ReflectionParamter::getClass is deprecated
...
In php8 this starts throwing warnings. And since we use it quite often
we flood the log. This moves it to getType which does the same. Only non
deprecated now.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-11 20:42:14 +01:00
d7b5d4cb58
Revert "Revert "Installation goes brrrr""
2020-11-11 20:12:13 +01:00
d36155620c
Revert "Installation goes brrrr"
2020-11-11 17:40:12 +01:00
c27ed22488
Dump autoloader
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-11-11 16:49:37 +01:00
77713ab454
Don't create a schema to check if the migrations table exists
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-11 11:45:00 +01:00
dde0e73c6b
Reduce the number of schemas we generate when we just run all migrations anyway
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-11 11:45:00 +01:00
7f45f90789
Only update the schema when we install anyway
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-11 11:40:51 +01:00
61496d3482
Merge pull request #24041 from nextcloud/techdebt/noid/remove-oc_hooks-for-group-management
...
Remove old OC_Hook for OC_Group events
2020-11-11 11:17:31 +01:00
e39d657e24
Merge pull request #23882 from nextcloud/tests/oracle
...
Run unit tests against oracle
2020-11-11 10:05:24 +01:00
0ee4f43048
[tx-robot] updated from transifex
2020-11-11 02:20:12 +00:00
e187c1d778
Remove old OC_Hook for OC_Group events
...
Those mappings exist and we will remove the first ones (labeled as `old`):
old: `\OC_Hook::listen('OC_Group', 'pre_createGroup', array('run' => true, 'gid' => $gid));`
since OC 8 (owncloud/core#12618): `$groupManager->listen('\OC\Group', 'preCreate', function ($gid) { ... });`
since NC 17 (#18350 ): `OCP\Group\Events\BeforeGroupCreatedEvent`
old: `\OC_Hook::emit('OC_User', 'post_createGroup', array('gid' => $gid->getGID()));`
since OC 8 (owncloud/core#12618 ): `$groupManager->listen('\OC\Group', 'postCreate', function (\OC\Group\Group $gid) { ... });`
since NC 17 (#18350 ): `OCP\Group\Events\GroupCreatedEvent`
old: `\OC_Hook::emit('OC_Group', 'pre_deleteGroup', array('run' => true, 'gid' => $group->getGID()));`
since OC 8 (owncloud/core#12618 ): `$groupManager->listen('\OC\Group', 'preDelete', function (\OC\Group\Group $group) { ... });`
since NC 17 (#18350 ): `OCP\Group\Events\BeforeGroupDeletedEvent`
old: `\OC_Hook::emit('OC_User', 'post_deleteGroup', array('gid' => $group->getGID()));`
since OC 8 (owncloud/core#12618 ): `$groupManager->listen('\OC\Group', 'postDelete', function (\OC\Group\Group $group) { ... });`
since NC 17 (#18350 ): `OCP\Group\Events\GroupDeletedEvent`
old: `\OC_Hook::emit('OC_Group', 'pre_addToGroup', array('run' => true, 'uid' => $user->getUID(), 'gid' => $group->getGID()));`
since OC 8 (owncloud/core#12618 ): `$groupManager->listen('\OC\Group', 'preAddUser', function (\OC\Group\Group $group, \OC\User\User $user) { ... });`
since NC 17 (#18350 ): `OCP\Group\Events\BeforeUserAddedEvent`
old: `\OC_Hook::emit('OC_Group', 'post_addToGroup', array('uid' => $user->getUID(), 'gid' => $group->getGID()));`
since OC 8 (owncloud/core#12618 ): `$groupManager->listen('\OC\Group', 'postAddUser', function (\OC\Group\Group $group, \OC\User\User $user) { ... });`
since NC 17 (#18350 ): `OCP\Group\Events\UserAddedEvent`
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-11-10 21:58:44 +01:00
d5df033ede
Create primary keys on all tables and add a command to create the afterwards
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-10 15:36:27 +01:00
5b5aebbf66
Replace the credentials table with one that can have empty user
...
Primary key columns on Oracle can not have empty strings
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-10 15:36:27 +01:00
Lukas Reschke
Morris Jobke
Roeland Jago Douma
Carlos Ferreira
Roeland Jago Douma
Christoph Wurst
Nextcloud bot
medcloud
Maxence Lange
Christoph Wurst
Joas Schilling
Robin Appelman
Daniel Calviño Sánchez
Vincent Petry
Julius Härtl
Joas Schilling