Skip to content

Commit

Permalink
fix: Apply checks on shares in the middleware
Browse files Browse the repository at this point in the history 
Signed-off-by: Julius Härtl <[email protected]>
Signed-off-by: Max <[email protected]>
  • Loading branch information
@juliushaertl @max-nextcloud
juliushaertl authored and max-nextcloud committed Oct 1, 2024
1 parent 580f614 commit 78710d8
Showing 1 changed file with 23 additions and 3 deletions.
26 changes: 23 additions & 3 deletions lib/Middleware/SessionMiddleware.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,12 @@
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Middleware;
use OCP\Constants;
use OCP\Files\IRootFolder;
use OCP\Files\NotPermittedException;
use OCP\IL10N;
use OCP\IRequest;
use OCP\ISession;
use OCP\IUserSession;
use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager as ShareManager;
Expand All @@ -31,6 +33,7 @@ public function __construct(
private IRequest $request,
private SessionService $sessionService,
private DocumentService $documentService,
private ISession $session,
private IUserSession $userSession,
private IRootFolder $rootFolder,
private ShareManager $shareManager,
Expand Down Expand Up @@ -116,7 +119,7 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo
$documentId = (int)$this->request->getParam('documentId');
if (null !== $userId = $this->userSession->getUser()?->getUID()) {
// Check if user has access to document
if (count($this->rootFolder->getUserFolder($userId)->getById($documentId)) === 0) {
if ($this->rootFolder->getUserFolder($userId)->getFirstNodeById($documentId) === null) {

Check failure on line 122 in lib/Middleware/SessionMiddleware.php

View workflow job for this annotation

GitHub Actions / static-psalm-analysis

UndefinedInterfaceMethod 

lib/Middleware/SessionMiddleware.php:122:51: UndefinedInterfaceMethod: Method OCP\Files\Folder::getFirstNodeById does not exist (see https://psalm.dev/181)
throw new InvalidSessionException();
}
$controller->setUserId($userId);
Expand All @@ -126,8 +129,25 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo
} catch (ShareNotFound) {
throw new InvalidSessionException();
}
// Check if shareToken has access to document
if (count($this->rootFolder->getUserFolder($share->getShareOwner())->getById($documentId)) === 0) {

$node = $this->rootFolder->getUserFolder($share->getShareOwner())->getFirstNodeById($documentId);

Check failure on line 133 in lib/Middleware/SessionMiddleware.php

View workflow job for this annotation

GitHub Actions / static-psalm-analysis

UndefinedInterfaceMethod 

lib/Middleware/SessionMiddleware.php:133:71: UndefinedInterfaceMethod: Method OCP\Files\Folder::getFirstNodeById does not exist (see https://psalm.dev/181)
if ($node === null) {
throw new InvalidSessionException();
}

if ($share->getPassword() !== null) {

Check failure on line 138 in lib/Middleware/SessionMiddleware.php

View workflow job for this annotation

GitHub Actions / static-psalm-analysis

RedundantConditionGivenDocblockType 

lib/Middleware/SessionMiddleware.php:138:8: RedundantConditionGivenDocblockType: Docblock-defined type string can never contain null (see https://psalm.dev/156)
$shareId = $this->session->get('public_link_authenticated');
if ($share->getId() !== $shareId) {
throw new InvalidSessionException();
}
}

if (($share->getPermissions() & Constants::PERMISSION_READ) !== Constants::PERMISSION_READ) {
throw new InvalidSessionException();
}

$attributes = $share->getAttributes();
if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
throw new InvalidSessionException();
}
} else {
Expand Down

0 comments on commit 78710d8

Please sign in to comment.