Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Harden files_sharing API #50052

Merged
merged 4 commits into from
Jan 13, 2025
Merged

Harden files_sharing API #50052

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4dfa02c
fix(files_sharing): Handle null userId
provokateurin Jan 6, 2025
9f59204
fix(files_sharing): Gracefully handle fetching non-existent share
provokateurin Jan 6, 2025
90c608b
fix(files_sharing): Fix sharee search result types
provokateurin Jan 6, 2025
1e28657
fix(PathHelper): Remove null bytes when normalizing path
provokateurin Jan 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion apps/files_sharing/lib/Controller/DeletedShareAPIController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ public function __construct(
string $appName,
IRequest $request,
private ShareManager $shareManager,
private string $userId,
private ?string $userId,
private IUserManager $userManager,
private IGroupManager $groupManager,
private IRootFolder $rootFolder,
Expand Down
11 changes: 1 addition & 10 deletions apps/files_sharing/lib/Controller/ShareesAPIController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,19 +66,10 @@ class ShareesAPIController extends OCSController {

protected $reachedEndFor = [];

/**
* @param string $UserId
* @param string $appName
* @param IRequest $request
* @param IConfig $config
* @param IURLGenerator $urlGenerator
* @param IManager $shareManager
* @param ISearch $collaboratorSearch
*/
public function __construct(
string $appName,
IRequest $request,
protected string $userId,
protected ?string $userId,
protected IConfig $config,
protected IURLGenerator $urlGenerator,
protected IManager $shareManager,
Expand Down
19 changes: 5 additions & 14 deletions apps/files_sharing/lib/External/Manager.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -160,13 +160,7 @@ private function writeShareToDb($remote, $token, $password, $name, $owner, $user
$query->execute([$remote, $token, $password, $name, $owner, $user, $mountPoint, $hash, $accepted, $remoteId, $parent, $shareType]);
}

/**
* get share
*
* @param int $id share id
* @return mixed share of false
*/
private function fetchShare($id) {
private function fetchShare(int $id): array|false {
$getShare = $this->connection->prepare('
SELECT `id`, `remote`, `remote_id`, `share_token`, `name`, `owner`, `user`, `mountpoint`, `accepted`, `parent`, `share_type`, `password`, `mountpoint_hash`
FROM `*PREFIX*share_external`
Expand Down Expand Up @@ -208,15 +202,12 @@ private function fetchUserShare($parentId, $uid) {
return null;
}

/**
* get share
*
* @param int $id share id
* @return mixed share of false
*/
public function getShare(int $id, ?string $user = null): array|false {
$user = $user ?? $this->uid;
$share = $this->fetchShare($id);
if ($share === false) {
return false;
}

// check if the user is allowed to access it
if ($this->canAccessShare($share, $user)) {
Expand Down Expand Up @@ -256,7 +247,7 @@ private function canAccessShare(array $share, string $user): bool {
&& $share['user'] === $user) {
return true;
}

// If the share is a group share, check if the user is in the group
if ((int)$share['share_type'] === IShare::TYPE_GROUP) {
$parentId = (int)$share['parent'];
Expand Down
21 changes: 14 additions & 7 deletions apps/files_sharing/lib/ResponseDefinitions.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,6 @@
* }
*
* @psalm-type Files_SharingSharee = array{
* count: int|null,
* label: string,
* }
*
Expand All @@ -108,6 +107,14 @@
* shareWith: string,
* }
*
* @psalm-type Files_SharingShareeGroup = Files_SharingSharee&array{
* value: Files_SharingShareeValue,
* }
*
* @psalm-type Files_SharingShareeRoom = Files_SharingSharee&array{
* value: Files_SharingShareeValue,
* }
*
* @psalm-type Files_SharingShareeUser = Files_SharingSharee&array{
* subline: string,
* icon: string,
Expand Down Expand Up @@ -180,33 +187,33 @@
* exact: array{
* circles: list<Files_SharingShareeCircle>,
* emails: list<Files_SharingShareeEmail>,
* groups: list<Files_SharingSharee>,
* groups: list<Files_SharingShareeGroup>,
* remote_groups: list<Files_SharingShareeRemoteGroup>,
* remotes: list<Files_SharingShareeRemote>,
* rooms: list<Files_SharingSharee>,
* rooms: list<Files_SharingShareeRoom>,
* users: list<Files_SharingShareeUser>,
* },
* circles: list<Files_SharingShareeCircle>,
* emails: list<Files_SharingShareeEmail>,
* groups: list<Files_SharingSharee>,
* groups: list<Files_SharingShareeGroup>,
* lookup: list<Files_SharingShareeLookup>,
* remote_groups: list<Files_SharingShareeRemoteGroup>,
* remotes: list<Files_SharingShareeRemote>,
* rooms: list<Files_SharingSharee>,
* rooms: list<Files_SharingShareeRoom>,
* users: list<Files_SharingShareeUser>,
* lookupEnabled: bool,
* }
*
* @psalm-type Files_SharingShareesRecommendedResult = array{
* exact: array{
* emails: list<Files_SharingShareeEmail>,
* groups: list<Files_SharingSharee>,
* groups: list<Files_SharingShareeGroup>,
* remote_groups: list<Files_SharingShareeRemoteGroup>,
* remotes: list<Files_SharingShareeRemote>,
* users: list<Files_SharingShareeUser>,
* },
* emails: list<Files_SharingShareeEmail>,
* groups: list<Files_SharingSharee>,
* groups: list<Files_SharingShareeGroup>,
* remote_groups: list<Files_SharingShareeRemoteGroup>,
* remotes: list<Files_SharingShareeRemote>,
* users: list<Files_SharingShareeUser>,
Expand Down
54 changes: 42 additions & 12 deletions apps/files_sharing/openapi.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -766,15 +766,9 @@
"Sharee": {
"type": "object",
"required": [
"count",
"label"
],
"properties": {
"count": {
"type": "integer",
"format": "int64",
"nullable": true
},
"label": {
"type": "string"
}
Expand Down Expand Up @@ -851,6 +845,24 @@
}
]
},
"ShareeGroup": {
"allOf": [
{
"$ref": "#/components/schemas/Sharee"
},
{
"type": "object",
"required": [
"value"
],
"properties": {
"value": {
"$ref": "#/components/schemas/ShareeValue"
}
}
}
]
},
"ShareeLookup": {
"allOf": [
{
Expand Down Expand Up @@ -1027,6 +1039,24 @@
}
]
},
"ShareeRoom": {
"allOf": [
{
"$ref": "#/components/schemas/Sharee"
},
{
"type": "object",
"required": [
"value"
],
"properties": {
"value": {
"$ref": "#/components/schemas/ShareeValue"
}
}
}
]
},
"ShareeUser": {
"allOf": [
{
Expand Down Expand Up @@ -1129,7 +1159,7 @@
"groups": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Sharee"
"$ref": "#/components/schemas/ShareeGroup"
}
},
"remote_groups": {
Expand Down Expand Up @@ -1161,7 +1191,7 @@
"groups": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Sharee"
"$ref": "#/components/schemas/ShareeGroup"
}
},
"remote_groups": {
Expand Down Expand Up @@ -1226,7 +1256,7 @@
"groups": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Sharee"
"$ref": "#/components/schemas/ShareeGroup"
}
},
"remote_groups": {
Expand All @@ -1244,7 +1274,7 @@
"rooms": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Sharee"
"$ref": "#/components/schemas/ShareeRoom"
}
},
"users": {
Expand All @@ -1270,7 +1300,7 @@
"groups": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Sharee"
"$ref": "#/components/schemas/ShareeGroup"
}
},
"lookup": {
Expand All @@ -1294,7 +1324,7 @@
"rooms": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Sharee"
"$ref": "#/components/schemas/ShareeRoom"
}
},
"users": {
Expand Down
2 changes: 2 additions & 0 deletions lib/private/Files/Utils/PathHelper.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@ public static function normalizePath(string $path): string {
if ($path === '' or $path === '/') {
return '/';
}
// No null bytes
$path = str_replace(chr(0), '', $path);
//no windows style slashes
$path = str_replace('\\', '/', $path);
//add leading slash
Expand Down
Loading