Commit Graph

124 Commits

Author SHA1 Message Date
Sam Bull ea935f65fd
Add support for CSP_NONCE server variable
Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server.

Signed-off-by: Sam Bull <git@sambull.org>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-18 12:16:29 +02:00
Roeland Jago Douma 5ac857bcdc
Add an event to edit the CSP
This introduces and event that can be listend to when we actually use
the CSP. This means that apps no longer have to always inject their CSP
but only do so when it is required. Yay for being lazy.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-08 20:35:15 +02:00
Morris Jobke d004164fcc
Merge pull request #13327 from nextcloud/allow-bracket-notation-for-remove-ipv6-address
Allow bracket IPv6 address format inside IPAdress Normalizer
2019-03-06 10:34:02 +01:00
Roeland Jago Douma f1ea56b502
Fix the thorrtler whitelist bitmask
Before we actually didn't check each bit of the bitmask. Now we do.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-11 23:22:20 +01:00
Thomas Citharel c9b588774b
Allow bracket IPv6 address format inside IPAdress Normalizer
When run with php's build-in server (for instance on localhost:8080), IP provided through $this->server['REMOTE_ADDR'] is [::1], which is not an acceptable format for \inet_pton. This removes the brackets if there's any.

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2019-01-03 10:03:46 +01:00
Roeland Jago Douma 372f3d2a60
Remove deprecated functions from SecureRandom
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-12-07 19:33:32 +01:00
Roeland Jago Douma be5c050acc
Throw exception if decryption fails
For #11868

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-14 12:47:35 +01:00
Morris Jobke 39338aaa67
Merge pull request #11914 from nextcloud/csp/report-uri
Add report-uri to CSP
2018-10-23 16:42:24 +02:00
Roeland Jago Douma 0fdc65a15c
Add nonce for Safari 12+
As far as I can tell this should work now.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 20:48:12 +02:00
Roeland Jago Douma 579822b6a5
Add report-uri to CSP
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 13:38:32 +02:00
Roeland Jago Douma 8354c50911
Deprecate the childSrc functions
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 07:35:44 +02:00
Roeland Jago Douma c8fe4b4fc8
Add workerSrc to CSP
Fixes #11035

Since the child-src directive is deprecated (we should kill it at some
point) we need to have the proper worker-src available

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 07:35:44 +02:00
Mark Berezovsky ad66c6bf08 Fix #9864: Decrease $maxDelay in Throttler.php
Signed-off-by: Mark Berezovsky <xpnf@yandex.ru>
2018-06-15 04:58:08 +03:00
Roeland Jago Douma 84316aec66
Add ARGON2I support to the hasher
When on php7.2 we can use the new and improved ARGON2I hashing.
This adds support for that to the hasher. When verifying an old hash
we'll update rehash to move all hashes eventually to the new hash
function.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-04-04 15:43:50 +02:00
Roeland Jago Douma d8332d43f8
Make \OC\Security\IdentityProof strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-05 19:33:16 +01:00
Roeland Jago Douma 5457373407
Merge pull request #8659 from nextcloud/csrf_token_strict
Make \OC\Security\CSRF strict
2018-03-05 19:28:10 +01:00
Roeland Jago Douma 4ed9b74a6b
Make OC\Security\CSP strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-05 15:27:05 +01:00
Roeland Jago Douma 2c8402aa17
Make \OC\Security\CSRF strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-05 15:01:02 +01:00
Morris Jobke 0a56d2185e
Return value immediately instead of assigning to a one-time variable
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-26 00:02:03 +01:00
Roeland Jago Douma 0e0db37658
Make OCP\Security stricter
* Add typehints
* Add return types
* Opcode opts from phpstorm
* Made strict
* Fixed tests: No need to test bogus values anymore strict typing fixes
this

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-16 22:01:19 +01:00
Morris Jobke c0c4263546
Merge pull request #7850 from nextcloud/strict_ipaddress
Make IPAddress typed and strict
2018-01-14 21:16:06 +01:00
Roeland Jago Douma bb2938a47d
Make IPAddress typed and strict
* Added scalar typehints
* Added return statements
* Added strict declaration

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-14 21:15:44 +01:00
Morris Jobke 2ed4bea18f
Merge pull request #7852 from nextcloud/strict_ratelimiting
Make OC\Security\RateLimiting strict
2018-01-14 21:08:45 +01:00
Roeland Jago Douma cf0a339997
Make OC\Security\RateLimiting strict
* Add return types
* Add scalar argument types
* Made strict
* Cleaned up phpstorm inspections

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-14 21:08:23 +01:00
Roeland Jago Douma 6e1ee1e7a7
Fix tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-14 21:04:52 +01:00
Roeland Jago Douma de5d7aa331
Strict ISecure random
* Declare strict
* Scalar arguments
* Return type
* Use fully qualified name for strlen

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-13 21:39:34 +01:00
Morris Jobke ca28df6fcc
Adds type hinting for scalar types in ICrypto->decrypt
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-13 00:06:03 +01:00
Morris Jobke d2d73f1ce8
Also replace all other occurences
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-12-18 20:57:11 +01:00
Morris Jobke 5a270c2715
Reset bruteforce attempt table on successful login
* only clear the entries that come from the same subnet, same action and same metadata

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-24 14:58:57 +01:00
Morris Jobke 0eebff152a
Update license headers
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Thomas Citharel ecf347bd1a Add CSP frame-ancestors support
Didn't set the @since annotation yet.

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2017-09-15 15:23:10 +02:00
Bjoern Schiessle bae5be3dc1
add prefix to user and system keys to avoid name collisions
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-08-10 14:27:35 +02:00
Bjoern Schiessle 9524badccc
extend the identity proof manager to allow system wide key pairs
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-08-10 14:27:35 +02:00
Lukas Reschke 6fb84ebb71
null is a valid parameter
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 08:20:16 +02:00
Lukas Reschke dfd8125aeb
Replace wrong PHPDocs
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 08:20:16 +02:00
Roeland Jago Douma 5f227bd93b
More phpstorm inspection fixes
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-24 11:39:29 +02:00
Lukas Reschke 3d2600b039
Add Phan plugin to check for SQL injections
This adds a phan plugin which checks for SQL injections on code using our QueryBuilder, while it isn't perfect it should already catch most potential issues.

As always, static analysis will sometimes have false positives and this is also here the case. So in some cases the analyzer just doesn't know if something is potential user input or not, thus I had to add some `@suppress SqlInjectionChecker` in front of those potential injections.

The Phan plugin hasn't the most awesome code but it works and I also added a file with test cases.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-20 22:48:13 +02:00
Roeland Jago Douma 6a1f2ac076
Add bruteforce capabilities
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-13 11:23:08 +02:00
Roeland Jago Douma 04f2090698
Write cert bundle to tmp file first
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-12 19:24:20 +02:00
Joas Schilling ca39940614
Automatic creation of Identity manager
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-05-10 09:45:11 +02:00
Roeland Jago Douma 5a61a794d4
Do not write and read rootcerts.crt at the same time
(Possibly) fixes #3470

When updating the main file /files_external/rootcerts.crt we should not
read from /files_external/rootcerts.crt at the same time.

For 2 reasons: writing to a file and reading from it at the same time
can have non deterministic results

And we don't want all the certificates to appear 2 times in there.

This isn't caught by our standard file locking (that does not allow this
actually) because it is in a non locked path....

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-05-09 13:00:07 +02:00
Lukas Reschke a5ccb31e85
Mark IP as whitelisted if brute force protection is disabled
Currently, when disabling the brute force protection no new brute force attempts are logged. However, the ones logged within the last 24 hours will still be used for throttling.

This is quite an unexpected behaviour and caused some support issues. With this change when the brute force protection is disabled also the existing attempts within the last 24 hours will be disregarded.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-05-01 18:31:45 +02:00
Morris Jobke c54a59d51e
Remove unused use statements
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-04-22 19:23:31 -05:00
Lukas Reschke e39e6d0605
Remove expired attempts
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:18 +02:00
Lukas Reschke 66835476b5
Add support for ratelimiting via annotations
This allows adding rate limiting via annotations to controllers, as one example:

```
@UserRateThrottle(limit=5, period=100)
@AnonRateThrottle(limit=1, period=100)
```

Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:16 +02:00
Roeland Jago Douma be674c19a5
Respect bruteforce settings in the Throttler
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-02 21:13:50 +02:00
Bjoern Schiessle df296249d6
introduce brute force protection for api calls
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:15 +01:00
Robin Appelman 817e974c5f
dont write a certificate bundle if the shipped ca bundle is empty
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-01-09 16:51:27 +01:00
Lukas Reschke 7d221ff8f4
Safari CSPv3 support is sub-par
With 10.0.1 CSPv3 is broken in Safari if it doesn't run from a local IP. Awesome.

=> Let's remove this for Safari and keep chrome and Firefox in the whitelist.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-12-14 13:17:20 +01:00
Roeland Jago Douma 72f9920a58
Add Identityproof tests
* Add tests for Key
* Add tests for Manager
* Add tests for Signer
* Removed URLGenerator from Signer

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-11-24 21:50:19 +01:00
Lukas Reschke fb91bf6a5b
Add a signer class for signing
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-11-21 11:30:00 +01:00
Lukas Reschke 6f4cb12be2
Add identity proof
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-11-21 11:30:00 +01:00
Lukas Reschke 53c8391e96
Add private
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-11-21 11:30:00 +01:00
Joas Schilling 2cd92d0abb
Fix missing update of session, when it was already used.
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-02 20:30:36 +01:00
Leon Klingele e5d78a3523
Fix CSRF token generation / validation
Operate on raw bytes instead of base64-encoded strings.
Issue was introduced in a977465

Signed-off-by: Leon Klingele <git@leonklingele.de>
2016-11-02 10:38:05 +01:00
Joas Schilling c20ab0049f
Identify Chromium as Chrome
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-26 12:07:10 +02:00
Lukas Reschke 015affb082
Missing returns + autoloader file
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-25 22:13:09 +02:00
Roeland Jago Douma e351ba56f1
Move browserSupportsCspV3 to CSPNonceManager
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-25 22:03:10 +02:00
Lukas Reschke 38b3ac8213
Add ContentSecurityPolicyNonceManager
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 16:35:31 +02:00
Lukas Reschke 9e6634814e
Add support for CSP nonces
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce.

At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.)

IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.

Implementing this offers the following advantages:

1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.

If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 12:27:50 +02:00
Robin Appelman 6c93fe08f5 dont get bruteforce delay twice 2016-08-29 13:36:49 +02:00
Joas Schilling 0215b004da
Update with robin 2016-07-21 18:13:58 +02:00
Joas Schilling ba87db3fcc
Fix others 2016-07-21 18:13:57 +02:00
Lukas Reschke adf67fac96
JSON encode the values 2016-07-20 22:47:33 +02:00
Lukas Reschke ba4f12baa0
Implement brute force protection
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.

It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
2016-07-20 22:08:56 +02:00
Bjoern Schiessle 7c64e1973f
add test for needsRebundling() check 2016-07-11 15:51:48 +02:00
Bjoern Schiessle 49cad153af
always check the mtime of the system bundle and additionally the user specific certificate bundle if a user is given 2016-07-08 18:24:37 +02:00
Johannes Ernst 66a134e69e Disallow certain malformed domain names even if they match the trusted domain expression
Stricter checking for valid domain names
2016-07-06 23:51:04 +00:00
Johannes Ernst 2b4ceae620 Trusted domain wildcard checking made shorter, supporting multiple *
Added test cases
2016-07-06 23:38:30 +00:00
Johannes Ernst 3516b58be6 Duh, no 'next' in PHP.
Use === instead of == for extra paranoia.
2016-07-06 04:51:49 +00:00
Johannes Ernst b1867dc8d1 Allow wildcard * to be used in trusted domains, to support setups where no reliable DNS entry is available (e.g. mDNS) or for simple-to-setup aliasing (e.g. *.example.com) 2016-07-05 18:49:18 +00:00
Lukas Reschke aba539703c
Update license headers 2016-05-26 19:57:24 +02:00
Lukas Reschke 06a4da43ec
[master] Ignore certificate file if it starts with file:// 2016-04-21 19:02:31 +02:00
Roeland Jago Douma 9050e76d95
Move \OC\Security to PSR-4 2016-04-14 19:21:18 +02:00