This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | /** |
||
3 | * @author Juan Pablo Villafáñez <[email protected]> |
||
4 | * @author Robin Appelman <[email protected]> |
||
5 | * @author Robin McCorkell <[email protected]> |
||
6 | * @author Thomas Müller <[email protected]> |
||
7 | * @author Vincent Petry <[email protected]> |
||
8 | * |
||
9 | * @copyright Copyright (c) 2018, ownCloud GmbH |
||
10 | * @license AGPL-3.0 |
||
11 | * |
||
12 | * This code is free software: you can redistribute it and/or modify |
||
13 | * it under the terms of the GNU Affero General Public License, version 3, |
||
14 | * as published by the Free Software Foundation. |
||
15 | * |
||
16 | * This program is distributed in the hope that it will be useful, |
||
17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
19 | * GNU Affero General Public License for more details. |
||
20 | * |
||
21 | * You should have received a copy of the GNU Affero General Public License, version 3, |
||
22 | * along with this program. If not, see <http://www.gnu.org/licenses/> |
||
23 | * |
||
24 | */ |
||
25 | |||
26 | namespace OCA\Files_External\Controller; |
||
27 | |||
28 | use OCP\AppFramework\Http; |
||
29 | use OCP\AppFramework\Http\DataResponse; |
||
30 | use OCP\Files\External\Auth\AuthMechanism; |
||
31 | use OCP\Files\External\Auth\IUserProvided; |
||
32 | use OCP\Files\External\Backend\Backend; |
||
33 | use OCP\Files\External\InsufficientDataForMeaningfulAnswerException; |
||
34 | use OCP\Files\External\IStorageConfig; |
||
35 | use OCP\Files\External\NotFoundException; |
||
36 | use OCP\Files\External\Service\IUserGlobalStoragesService; |
||
37 | use OCP\IL10N; |
||
38 | use OCP\ILogger; |
||
39 | use OCP\IRequest; |
||
40 | use OCP\IUserSession; |
||
41 | |||
42 | /** |
||
43 | * User global storages controller |
||
44 | */ |
||
45 | class UserGlobalStoragesController extends StoragesController { |
||
46 | /** |
||
47 | * @var IUserSession |
||
48 | */ |
||
49 | private $userSession; |
||
50 | |||
51 | /** |
||
52 | * Creates a new user global storages controller. |
||
53 | * |
||
54 | * @param string $AppName application name |
||
55 | * @param IRequest $request request object |
||
56 | * @param IL10N $l10n l10n service |
||
57 | * @param IUserGlobalStoragesService $userGlobalStoragesService storage service |
||
58 | * @param IUserSession $userSession |
||
59 | */ |
||
60 | View Code Duplication | public function __construct( |
|
61 | $AppName, |
||
62 | IRequest $request, |
||
63 | IL10N $l10n, |
||
64 | IUserGlobalStoragesService $userGlobalStoragesService, |
||
65 | IUserSession $userSession, |
||
66 | ILogger $logger |
||
67 | ) { |
||
68 | parent::__construct( |
||
69 | $AppName, |
||
70 | $request, |
||
71 | $l10n, |
||
72 | $userGlobalStoragesService, |
||
73 | $logger |
||
74 | ); |
||
75 | $this->userSession = $userSession; |
||
76 | } |
||
77 | |||
78 | /** |
||
79 | * Get all storage entries |
||
80 | * |
||
81 | * @return DataResponse |
||
82 | * |
||
83 | * @NoAdminRequired |
||
84 | */ |
||
85 | public function index() { |
||
86 | $storages = $this->service->getUniqueStorages(); |
||
0 ignored issues
–
show
|
|||
87 | |||
88 | // remove configuration data, this must be kept private |
||
89 | foreach ($storages as $storage) { |
||
90 | $this->sanitizeStorage($storage); |
||
91 | } |
||
92 | |||
93 | return new DataResponse( |
||
94 | $storages, |
||
95 | Http::STATUS_OK |
||
96 | ); |
||
97 | } |
||
98 | |||
99 | View Code Duplication | protected function manipulateStorageConfig(IStorageConfig $storage) { |
|
100 | /** @var AuthMechanism */ |
||
101 | $authMechanism = $storage->getAuthMechanism(); |
||
102 | $authMechanism->manipulateStorageConfig($storage, $this->userSession->getUser()); |
||
103 | /** @var Backend */ |
||
104 | $backend = $storage->getBackend(); |
||
105 | $backend->manipulateStorageConfig($storage, $this->userSession->getUser()); |
||
106 | } |
||
107 | |||
108 | /** |
||
109 | * Get an external storage entry. |
||
110 | * |
||
111 | * @param int $id storage id |
||
112 | * @param bool $testOnly whether to storage should only test the connection or do more things |
||
113 | * @return DataResponse |
||
114 | * |
||
115 | * @NoAdminRequired |
||
116 | */ |
||
117 | View Code Duplication | public function show($id, $testOnly = true) { |
|
118 | try { |
||
119 | $storage = $this->service->getStorage($id); |
||
120 | |||
121 | $this->updateStorageStatus($storage, $testOnly); |
||
122 | } catch (NotFoundException $e) { |
||
123 | return new DataResponse( |
||
124 | [ |
||
125 | 'message' => (string)$this->l10n->t('Storage with id "%i" not found', [$id]) |
||
126 | ], |
||
127 | Http::STATUS_NOT_FOUND |
||
128 | ); |
||
129 | } |
||
130 | |||
131 | $this->sanitizeStorage($storage); |
||
132 | |||
133 | return new DataResponse( |
||
134 | $storage, |
||
135 | Http::STATUS_OK |
||
136 | ); |
||
137 | } |
||
138 | |||
139 | /** |
||
140 | * Update an external storage entry. |
||
141 | * Only allows setting user provided backend fields |
||
142 | * |
||
143 | * @param int $id storage id |
||
144 | * @param array $backendOptions backend-specific options |
||
145 | * @param bool $testOnly whether to storage should only test the connection or do more things |
||
146 | * |
||
147 | * @return DataResponse |
||
148 | * |
||
149 | * @NoAdminRequired |
||
150 | */ |
||
151 | public function update( |
||
152 | $id, |
||
153 | $backendOptions, |
||
154 | $testOnly = true |
||
155 | ) { |
||
156 | try { |
||
157 | $storage = $this->service->getStorage($id); |
||
158 | $authMechanism = $storage->getAuthMechanism(); |
||
159 | if ($authMechanism instanceof IUserProvided) { |
||
160 | $authMechanism->saveBackendOptions($this->userSession->getUser(), $id, $backendOptions); |
||
161 | $authMechanism->manipulateStorageConfig($storage, $this->userSession->getUser()); |
||
162 | } else { |
||
163 | return new DataResponse( |
||
164 | [ |
||
165 | 'message' => (string)$this->l10n->t('Storage with id "%i" is not user editable', [$id]) |
||
166 | ], |
||
167 | Http::STATUS_FORBIDDEN |
||
168 | ); |
||
169 | } |
||
170 | } catch (NotFoundException $e) { |
||
171 | return new DataResponse( |
||
172 | [ |
||
173 | 'message' => (string)$this->l10n->t('Storage with id "%i" not found', [$id]) |
||
174 | ], |
||
175 | Http::STATUS_NOT_FOUND |
||
176 | ); |
||
177 | } |
||
178 | |||
179 | $this->updateStorageStatus($storage, $testOnly); |
||
180 | $this->sanitizeStorage($storage); |
||
181 | |||
182 | return new DataResponse( |
||
183 | $storage, |
||
184 | Http::STATUS_OK |
||
185 | ); |
||
186 | } |
||
187 | |||
188 | /** |
||
189 | * Remove sensitive data from a IStorageConfig before returning it to the user |
||
190 | * |
||
191 | * @param IStorageConfig $storage |
||
192 | */ |
||
193 | protected function sanitizeStorage(IStorageConfig $storage) { |
||
194 | $storage->setBackendOptions([]); |
||
195 | $storage->setMountOptions([]); |
||
196 | |||
197 | if ($storage->getAuthMechanism() instanceof IUserProvided) { |
||
198 | try { |
||
199 | $storage->getAuthMechanism()->manipulateStorageConfig($storage, $this->userSession->getUser()); |
||
200 | } catch (InsufficientDataForMeaningfulAnswerException $e) { |
||
201 | // not configured yet |
||
202 | } |
||
203 | } |
||
204 | } |
||
205 | } |
||
206 |
Let’s take a look at an example:
In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different implementation of User which does not have a getDisplayName() method, the code will break.
Available Fixes
Change the type-hint for the parameter:
Add an additional type-check:
Add the method to the interface: