1 | <?php |
||
2 | /** |
||
3 | * @author Lukas Reschke <[email protected]> |
||
4 | * @author Morris Jobke <[email protected]> |
||
5 | * @author Roeland Jago Douma <[email protected]> |
||
6 | * @author Thomas Müller <[email protected]> |
||
7 | * |
||
8 | * @copyright Copyright (c) 2018, ownCloud GmbH |
||
9 | * @license AGPL-3.0 |
||
10 | * |
||
11 | * This code is free software: you can redistribute it and/or modify |
||
12 | * it under the terms of the GNU Affero General Public License, version 3, |
||
13 | * as published by the Free Software Foundation. |
||
14 | * |
||
15 | * This program is distributed in the hope that it will be useful, |
||
16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
18 | * GNU Affero General Public License for more details. |
||
19 | * |
||
20 | * You should have received a copy of the GNU Affero General Public License, version 3, |
||
21 | * along with this program. If not, see <http://www.gnu.org/licenses/> |
||
22 | * |
||
23 | */ |
||
24 | |||
25 | namespace OCA\Files_Sharing\Middleware; |
||
26 | |||
27 | use OCA\Files_Sharing\Exceptions\S2SException; |
||
28 | use OCP\App\IAppManager; |
||
29 | use OCP\AppFramework\Http\JSONResponse; |
||
30 | use OCP\AppFramework\Http\NotFoundResponse; |
||
31 | use OCP\AppFramework\Middleware; |
||
32 | use OCP\AppFramework\Utility\IControllerMethodReflector; |
||
33 | use OCP\Files\NotFoundException; |
||
34 | use OCP\IConfig; |
||
35 | |||
36 | /** |
||
37 | * Checks whether the "sharing check" is enabled |
||
38 | * |
||
39 | * @package OCA\Files_Sharing\Middleware |
||
40 | */ |
||
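/**
 * Checks whether the "sharing check" is enabled
 *
 * Gate in front of every controller of the files_sharing app: a request is
 * refused with a 404 when the app is disabled for the current user, requests
 * to the ExternalSharesController are additionally bound to the incoming and
 * outgoing server-to-server settings, and requests to the ShareController to
 * the share API and link-sharing settings.
 *
 * @package OCA\Files_Sharing\Middleware
 */
class SharingCheckMiddleware extends Middleware {

	/** @var string */
	protected $appName;
	/** @var IConfig */
	protected $config;
	/** @var IAppManager */
	protected $appManager;
	/** @var IControllerMethodReflector */
	protected $reflector;

	/**
	 * @param string $appName
	 * @param IConfig $config
	 * @param IAppManager $appManager
	 * @param IControllerMethodReflector $reflector
	 */
	public function __construct($appName,
								IConfig $config,
								IAppManager $appManager,
								IControllerMethodReflector $reflector
	) {
		$this->appName = $appName;
		$this->config = $config;
		$this->appManager = $appManager;
		$this->reflector = $reflector;
	}

	/**
	 * Check if sharing is enabled before the controller is executed
	 *
	 * @param \OCP\AppFramework\Controller $controller
	 * @param string $methodName
	 * @throws NotFoundException when the sharing app is disabled, or when link
	 *                           sharing is disabled and a ShareController is targeted
	 * @throws S2SException when federated sharing is disabled and an
	 *                      ExternalSharesController is targeted
	 */
	public function beforeController($controller, $methodName) {
		// Applies to every controller of the app, independent of its type
		if (!$this->isSharingEnabled()) {
			throw new NotFoundException('Sharing is disabled.');
		}

		// Controller-specific gates; the two controllers are matched by class
		if ($controller instanceof \OCA\Files_Sharing\Controllers\ExternalSharesController &&
			!$this->externalSharesChecks()) {
			throw new S2SException('Federated sharing not allowed');
		} elseif ($controller instanceof \OCA\Files_Sharing\Controllers\ShareController &&
			!$this->isLinkSharingEnabled()) {
			throw new NotFoundException('Link sharing is disabled');
		}
	}

	/**
	 * Turn the exceptions raised by the sharing checks into responses
	 *
	 * Note that this hook sees every exception that escapes the controller,
	 * not only the ones thrown by beforeController().
	 *
	 * @param \OCP\AppFramework\Controller $controller
	 * @param string $methodName
	 * @param \Exception $exception
	 * @return NotFoundResponse|JSONResponse a 404 page for a NotFoundException,
	 *                                       a 405 JSON body for an S2SException
	 * @throws \Exception any other exception is rethrown unchanged
	 */
	public function afterException($controller, $methodName, \Exception $exception) {
		if ($exception instanceof NotFoundException) {
			return new NotFoundResponse();
		}

		if ($exception instanceof S2SException) {
			// The exception message becomes the response body, so S2SException
			// messages must stay free of internal detail (the one thrown in this
			// file is a fixed string)
			return new JSONResponse($exception->getMessage(), 405);
		}

		throw $exception;
	}

	/**
	 * Checks for externalshares controller
	 *
	 * A controller method can opt out of one of the two checks with the
	 * NoIncomingFederatedSharingRequired / NoOutgoingFederatedSharingRequired
	 * annotation; both settings default to 'yes' when they are not configured.
	 *
	 * @return bool
	 */
	private function externalSharesChecks() {
		if (!$this->reflector->hasAnnotation('NoIncomingFederatedSharingRequired') &&
			$this->config->getAppValue('files_sharing', 'incoming_server2server_share_enabled', 'yes') !== 'yes') {
			return false;
		}

		if (!$this->reflector->hasAnnotation('NoOutgoingFederatedSharingRequired') &&
			$this->config->getAppValue('files_sharing', 'outgoing_server2server_share_enabled', 'yes') !== 'yes') {
			return false;
		}

		return true;
	}

	/**
	 * Check whether sharing is enabled
	 *
	 * @return bool true when the sharing app is enabled for the current user
	 */
	private function isSharingEnabled() {
		// FIXME: This check is done here since the route is globally defined and not inside the files_sharing app
		// Check whether the sharing application is enabled
		if (!$this->appManager->isEnabledForUser($this->appName)) {
			return false;
		}

		return true;
	}

	/**
	 * Check if link sharing is allowed
	 *
	 * Both core settings default to 'yes' when they are not configured.
	 *
	 * @return bool
	 */
	private function isLinkSharingEnabled() {
		// Check if the shareAPI is enabled
		if ($this->config->getAppValue('core', 'shareapi_enabled', 'yes') !== 'yes') {
			return false;
		}

		// Check whether public sharing is enabled
		if ($this->config->getAppValue('core', 'shareapi_allow_links', 'yes') !== 'yes') {
			return false;
		}

		return true;
	}
}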