When using fake servers with Sinon.JS, the JavaScript test framework,
the XHR objects are also fake. In Sinon 5.0.8 the "setRequestHeader" of
XMLHttpRequest was modified to normalize the header values (as requested
by the spec), but since then only string values are accepted; null or
integer values can no longer be passed to "setRequestHeader", as it
expects the "replace" function to be available in the object. However,
in the tests null and integer values are passed to "setRequestHeader",
which causes them to fail.
Both Firefox and Chromium accept passing non-string values to their
"setRequestHeader" implementation, and it is done, for example, in
davclient.js; it is not clear yet whether Sinon got too restrictive or
the code calling "setRequestHeader" was too loose. Given that
davclient.js is an external dependency, as a temporary measure Sinon
version is forced to be 5.0.7 at most until either Sinon or davclient.js
are updated.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
We added a special `func()` method to the query builder, which is a plain text function by definition. It uses the string and does no escaping on purpose. It has the potential for an injection but requiring to add the "supress warning" to all surrounding code makes it harder to spot actual problems, that this plugin want to find. So it's better to only need to check the func() and not all the surrounding code as well.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
"--tags=XXX" limits the features or scenarios to be run to those
matching the tag filter expression.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The data directory is not necessarily located at "../..". The proper
directory is now got by running "php console.php config:system:get
datadirectory".
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The slide gesture is enabled or disabled depending on the width of the
browser window. In order to easily control that width the karma-viewport
plugin is now used in the unit tests.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Until now it was safe to assume that every file was readable by its
owner, so there was no need to return whether the file was readable or
not. However, with the introduction of end to end encryption that is no
longer the case, and it is now necessary to explicitly provide that
information.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
This adds a phan plugin which checks for SQL injections on code using our QueryBuilder, while it isn't perfect it should already catch most potential issues.
As always, static analysis will sometimes have false positives and this is also here the case. So in some cases the analyzer just doesn't know if something is potential user input or not, thus I had to add some `@suppress SqlInjectionChecker` in front of those potential injections.
The Phan plugin hasn't the most awesome code but it works and I also added a file with test cases.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Overrides \Sabre\DAV\Auth\Backend\AbstractBearer::challenge to prevent sending a second WWW-Authenticate header which is standard-compliant but most DAV clients simply fail hard.
Fixes https://github.com/nextcloud/server/issues/5088
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Daniel Calviño Sánchez
Roeland Jago Douma
Morris Jobke
Guillaume Boudreau
Lukas Reschke
John Molakvoæ (skjnldsv)
Arthur Schiwon
Robin Appelman
Thomas Müller
Björn Schießle
Julius Härtl
Joas Schilling