Make OC\IntegrityCheck strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
parent
7c6cc013eb
commit
4d5f2e64a5
6 changed files with 38 additions and 33 deletions
|
@ -1,4 +1,5 @@
|
|||
<?php
|
||||
declare(strict_types=1);
|
||||
/**
|
||||
* @copyright Copyright (c) 2016, ownCloud, Inc.
|
||||
*
|
||||
|
@ -97,9 +98,9 @@ class Checker {
|
|||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function isCodeCheckEnforced() {
|
||||
public function isCodeCheckEnforced(): bool {
|
||||
$notSignedChannels = [ '', 'git'];
|
||||
if (in_array($this->environmentHelper->getChannel(), $notSignedChannels, true)) {
|
||||
if (\in_array($this->environmentHelper->getChannel(), $notSignedChannels, true)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -108,10 +109,9 @@ class Checker {
|
|||
* applicable for very specific scenarios and we should not advertise it
|
||||
* too prominent. So please do not add it to config.sample.php.
|
||||
*/
|
||||
$isIntegrityCheckDisabled = false;
|
||||
if ($this->config !== null) {
|
||||
$isIntegrityCheckDisabled = $this->config->getSystemValue('integrity.check.disabled', false);
|
||||
} else {
|
||||
$isIntegrityCheckDisabled = false;
|
||||
}
|
||||
if ($isIntegrityCheckDisabled === true) {
|
||||
return false;
|
||||
|
@ -128,7 +128,7 @@ class Checker {
|
|||
* @return \RecursiveIteratorIterator
|
||||
* @throws \Exception
|
||||
*/
|
||||
private function getFolderIterator($folderToIterate, $root = '') {
|
||||
private function getFolderIterator(string $folderToIterate, string $root = ''): \RecursiveIteratorIterator {
|
||||
$dirItr = new \RecursiveDirectoryIterator(
|
||||
$folderToIterate,
|
||||
\RecursiveDirectoryIterator::SKIP_DOTS
|
||||
|
@ -156,12 +156,12 @@ class Checker {
|
|||
* @return array Array of hashes.
|
||||
*/
|
||||
private function generateHashes(\RecursiveIteratorIterator $iterator,
|
||||
$path) {
|
||||
string $path): array {
|
||||
$hashes = [];
|
||||
$copiedWebserverSettingFiles = false;
|
||||
$tmpFolder = '';
|
||||
|
||||
$baseDirectoryLength = strlen($path);
|
||||
$baseDirectoryLength = \strlen($path);
|
||||
foreach($iterator as $filename => $data) {
|
||||
/** @var \DirectoryIterator $data */
|
||||
if($data->isDir()) {
|
||||
|
@ -220,7 +220,7 @@ class Checker {
|
|||
if($filename === $this->environmentHelper->getServerRoot() . '/.htaccess') {
|
||||
$fileContent = file_get_contents($tmpFolder . '/.htaccess');
|
||||
$explodedArray = explode('#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####', $fileContent);
|
||||
if(count($explodedArray) === 2) {
|
||||
if(\count($explodedArray) === 2) {
|
||||
$hashes[$relativeFileName] = hash('sha512', $explodedArray[0]);
|
||||
continue;
|
||||
}
|
||||
|
@ -238,11 +238,11 @@ class Checker {
|
|||
* @param array $hashes
|
||||
* @param X509 $certificate
|
||||
* @param RSA $privateKey
|
||||
* @return string
|
||||
* @return array
|
||||
*/
|
||||
private function createSignatureData(array $hashes,
|
||||
X509 $certificate,
|
||||
RSA $privateKey) {
|
||||
RSA $privateKey): array {
|
||||
ksort($hashes);
|
||||
|
||||
$privateKey->setSignatureMode(RSA::SIGNATURE_PSS);
|
||||
|
@ -328,13 +328,13 @@ class Checker {
|
|||
* @throws InvalidSignatureException
|
||||
* @throws \Exception
|
||||
*/
|
||||
private function verify($signaturePath, $basePath, $certificateCN) {
|
||||
private function verify(string $signaturePath, string $basePath, string $certificateCN): array {
|
||||
if(!$this->isCodeCheckEnforced()) {
|
||||
return [];
|
||||
}
|
||||
|
||||
$signatureData = json_decode($this->fileAccessHelper->file_get_contents($signaturePath), true);
|
||||
if(!is_array($signatureData)) {
|
||||
if(!\is_array($signatureData)) {
|
||||
throw new InvalidSignatureException('Signature data not found.');
|
||||
}
|
||||
|
||||
|
@ -422,7 +422,7 @@ class Checker {
|
|||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function hasPassedCheck() {
|
||||
public function hasPassedCheck(): bool {
|
||||
$results = $this->getResults();
|
||||
if(empty($results)) {
|
||||
return true;
|
||||
|
@ -434,9 +434,9 @@ class Checker {
|
|||
/**
|
||||
* @return array
|
||||
*/
|
||||
public function getResults() {
|
||||
public function getResults(): array {
|
||||
$cachedResults = $this->cache->get(self::CACHE_KEY);
|
||||
if(!is_null($cachedResults)) {
|
||||
if(!\is_null($cachedResults)) {
|
||||
return json_decode($cachedResults, true);
|
||||
}
|
||||
|
||||
|
@ -452,7 +452,7 @@ class Checker {
|
|||
* @param string $scope
|
||||
* @param array $result
|
||||
*/
|
||||
private function storeResults($scope, array $result) {
|
||||
private function storeResults(string $scope, array $result) {
|
||||
$resultArray = $this->getResults();
|
||||
unset($resultArray[$scope]);
|
||||
if(!empty($result)) {
|
||||
|
@ -505,7 +505,7 @@ class Checker {
|
|||
* @param string $path Optional path. If none is given it will be guessed.
|
||||
* @return array
|
||||
*/
|
||||
public function verifyAppSignature($appId, $path = '') {
|
||||
public function verifyAppSignature(string $appId, string $path = ''): array {
|
||||
try {
|
||||
if($path === '') {
|
||||
$path = $this->appLocator->getAppPath($appId);
|
||||
|
@ -518,7 +518,7 @@ class Checker {
|
|||
} catch (\Exception $e) {
|
||||
$result = [
|
||||
'EXCEPTION' => [
|
||||
'class' => get_class($e),
|
||||
'class' => \get_class($e),
|
||||
'message' => $e->getMessage(),
|
||||
],
|
||||
];
|
||||
|
@ -558,7 +558,7 @@ class Checker {
|
|||
*
|
||||
* @return array
|
||||
*/
|
||||
public function verifyCoreSignature() {
|
||||
public function verifyCoreSignature(): array {
|
||||
try {
|
||||
$result = $this->verify(
|
||||
$this->environmentHelper->getServerRoot() . '/core/signature.json',
|
||||
|
@ -568,7 +568,7 @@ class Checker {
|
|||
} catch (\Exception $e) {
|
||||
$result = [
|
||||
'EXCEPTION' => [
|
||||
'class' => get_class($e),
|
||||
'class' => \get_class($e),
|
||||
'message' => $e->getMessage(),
|
||||
],
|
||||
];
|
||||
|
|
|
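Review bot: With strict_types now declared, verify() hands the result of fileAccessHelper->file_get_contents() straight to json_decode(), and that helper still returns string|false; a missing or unreadable signature file therefore raises a TypeError (false is not coerced to string in strict mode) instead of reaching the is_array() check that was meant to throw 'Signature data not found.'. Because verifyAppSignature() and verifyCoreSignature() only catch \Exception, that TypeError escapes them instead of landing in the EXCEPTION result. Guarding the read restores the intended behaviour: `$signatureJson = $this->fileAccessHelper->file_get_contents($signaturePath);` / `if (!\is_string($signatureJson)) { throw new InvalidSignatureException('Signature data not found.'); }` / `$signatureData = json_decode($signatureJson, true);`. The same strictness bites getResults(): its new `: array` return type turns a corrupt cache entry, where json_decode() yields null, into a TypeError where callers such as hasPassedCheck() previously received null and treated it as empty. Both verify() and getResults() continue past the ends of their hunks.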
@ -1,4 +1,5 @@
|
|||
<?php
|
||||
declare(strict_types=1);
|
||||
/**
|
||||
* @copyright Copyright (c) 2016, ownCloud, Inc.
|
||||
*
|
||||
|
@ -37,7 +38,7 @@ class AppLocator {
|
|||
* @return string
|
||||
* @throws \Exception If the app cannot be found
|
||||
*/
|
||||
public function getAppPath($appId) {
|
||||
public function getAppPath(string $appId): string {
|
||||
$path = \OC_App::getAppPath($appId);
|
||||
if($path === false) {
|
||||
|
||||
|
@ -51,7 +52,7 @@ class AppLocator {
|
|||
*
|
||||
* @return array
|
||||
*/
|
||||
public function getAllApps() {
|
||||
public function getAllApps(): array {
|
||||
return \OC_App::getAllApps();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
<?php
|
||||
declare(strict_types=1);
|
||||
/**
|
||||
* @copyright Copyright (c) 2016, ownCloud, Inc.
|
||||
*
|
||||
|
@ -34,7 +35,7 @@ class EnvironmentHelper {
|
|||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getServerRoot() {
|
||||
public function getServerRoot(): string {
|
||||
return rtrim(\OC::$SERVERROOT, '/');
|
||||
}
|
||||
|
||||
|
@ -43,7 +44,7 @@ class EnvironmentHelper {
|
|||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getChannel() {
|
||||
public function getChannel(): string {
|
||||
return \OC_Util::getChannel();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
<?php
|
||||
declare(strict_types=1);
|
||||
/**
|
||||
* @copyright Copyright (c) 2016, ownCloud, Inc.
|
||||
*
|
||||
|
@ -36,7 +37,7 @@ class FileAccessHelper {
|
|||
* @param string $filename
|
||||
* @return string|false
|
||||
*/
|
||||
public function file_get_contents($filename) {
|
||||
public function file_get_contents(string $filename) {
|
||||
return file_get_contents($filename);
|
||||
}
|
||||
|
||||
|
@ -46,7 +47,7 @@ class FileAccessHelper {
|
|||
* @param string $filename
|
||||
* @return bool
|
||||
*/
|
||||
public function file_exists($filename) {
|
||||
public function file_exists(string $filename): bool {
|
||||
return file_exists($filename);
|
||||
}
|
||||
|
||||
|
@ -58,9 +59,9 @@ class FileAccessHelper {
|
|||
* @return int
|
||||
* @throws \Exception
|
||||
*/
|
||||
public function file_put_contents($filename, $data) {
|
||||
public function file_put_contents(string $filename, string $data): int {
|
||||
$bytesWritten = @file_put_contents($filename, $data);
|
||||
if ($bytesWritten === false || $bytesWritten !== strlen($data)){
|
||||
if ($bytesWritten === false || $bytesWritten !== \strlen($data)){
|
||||
throw new \Exception('Failed to write into ' . $filename);
|
||||
}
|
||||
return $bytesWritten;
|
||||
|
@ -70,7 +71,7 @@ class FileAccessHelper {
|
|||
* @param string $path
|
||||
* @return bool
|
||||
*/
|
||||
public function is_writable($path) {
|
||||
public function is_writable(string $path): bool {
|
||||
return is_writable($path);
|
||||
}
|
||||
|
||||
|
@ -78,7 +79,7 @@ class FileAccessHelper {
|
|||
* @param string $path
|
||||
* @throws \Exception
|
||||
*/
|
||||
public function assertDirectoryExists($path) {
|
||||
public function assertDirectoryExists(string $path) {
|
||||
if (!is_dir($path)) {
|
||||
throw new \Exception('Directory ' . $path . ' does not exist.');
|
||||
}
|
||||
|
|
|
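Review bot: file_get_contents() is the one wrapper in this file left without a native return type, and rightly so, because the underlying call still yields false on failure and `: string` would turn every unreadable file into a TypeError; that contract should be spelled out so callers in the now-strict Checker know to test for false before passing the value to a string-typed function, e.g. `@return string|false File contents, or false when the file cannot be read; callers must check before handing it to json_decode() or similar`. Separately, file_put_contents() suppresses the underlying warning with `@` and then throws a message that drops the cause, which makes a failed signing run hard to diagnose. `$err = error_get_last();` followed by `throw new \Exception('Failed to write into ' . $filename . ($err !== null ? ': ' . $err['message'] : ''));` keeps the OS reason in the exception while leaving the `@` in place. The body of file_put_contents() closes outside the hunk.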
@ -1,4 +1,5 @@
|
|||
<?php
|
||||
declare(strict_types=1);
|
||||
/**
|
||||
* @copyright Copyright (c) 2016, ownCloud, Inc.
|
||||
*
|
||||
|
@ -52,7 +53,7 @@ class ExcludeFileByNameFilterIterator extends \RecursiveFilterIterator {
|
|||
return true;
|
||||
}
|
||||
|
||||
return !in_array(
|
||||
return !\in_array(
|
||||
$this->current()->getFilename(),
|
||||
$this->excludedFilenames,
|
||||
true
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
<?php
|
||||
declare(strict_types=1);
|
||||
/**
|
||||
* @copyright Copyright (c) 2016, ownCloud, Inc.
|
||||
*
|
||||
|
@ -24,7 +25,7 @@
|
|||
namespace OC\IntegrityCheck\Iterator;
|
||||
|
||||
class ExcludeFoldersByPathFilterIterator extends \RecursiveFilterIterator {
|
||||
private $excludedFolders = [];
|
||||
private $excludedFolders;
|
||||
|
||||
public function __construct(\RecursiveIterator $iterator, $root = '') {
|
||||
parent::__construct($iterator);
|
||||
|
@ -59,7 +60,7 @@ class ExcludeFoldersByPathFilterIterator extends \RecursiveFilterIterator {
|
|||
* @return bool
|
||||
*/
|
||||
public function accept() {
|
||||
return !in_array(
|
||||
return !\in_array(
|
||||
$this->current()->getPathName(),
|
||||
$this->excludedFolders,
|
||||
true
|
||||
|
|
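Review bot: The constructor `public function __construct(\RecursiveIterator $iterator, $root = '')` leaves `$root` untyped even though this commit adds `string` to the equivalent `$root` parameter of Checker::getFolderIterator(); for consistency it should read `public function __construct(\RecursiveIterator $iterator, string $root = '') {`. The same hunk drops the `= []` initializer from `$excludedFolders`; the constructor body that populates it continues outside the hunk, and if any path through it leaves the property unassigned, accept() will now pass null to \in_array() and throw a TypeError under strict_types where it previously accepted every folder. Keeping the default, or confirming the constructor assigns it unconditionally, would close that gap.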