Commit graph

59 commits

Author SHA1 Message Date
Lukas Reschke
f93a82b8b0
Remove explicit type hints for Controller
This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 17:32:03 +02:00
Morris Jobke
84c22fdeef Merge pull request #5907 from nextcloud/add-metadata-to-throttle-call
Add metadata to \OCP\AppFramework\Http\Response::throttle
2017-08-01 14:43:47 +02:00
Roeland Jago Douma
f71dc7523f
Fix tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-31 16:54:19 +02:00
Roeland Jago Douma
3548603a88
Fix middleware implementations signatures
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-31 16:54:19 +02:00
Lukas Reschke
f22ab3e665
Add metadata to \OCP\AppFramework\Http\Response::throttle
Fixes https://github.com/nextcloud/server/issues/5891

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-27 14:17:45 +02:00
Roeland Jago Douma
0b495ceff8
Remove deprecated Controller Functions
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-20 11:03:12 +02:00
Lukas Reschke
8149945a91
Make BruteForceProtection annotation more clever
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.

Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 23:05:33 +02:00
Lukas Reschke
31ae39c569
Add tests for multiple parameters
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:18 +02:00
Lukas Reschke
a1ae5275f9
Move to dedicated MiddleWare
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:17 +02:00
Lukas Reschke
66835476b5
Add support for ratelimiting via annotations
This allows adding rate limiting via annotations to controllers, as one example:

```
@UserRateThrottle(limit=5, period=100)
@AnonRateThrottle(limit=1, period=100)
```

Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:16 +02:00
Roeland Jago Douma
2a9192334e
Don't try to parse empty body if there is no body
Fixes #3890

If we do a put request without a body the current code still tries to
read the body. This patch makes sure that we do not try to read the body
if the content length is 0.

See RFC 2616 Section 4.3

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-04 08:22:33 +02:00
Morris Jobke
f9bc53146d
Fix unit tests
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-28 21:00:12 -06:00
Roeland Jago Douma
21641302a9
Add DI intergration tests
* Moved some interface definitions to Server.php (more to come)
* Build/Query only for existing classes in the AppContainer
* Build/Query only for classes of the App in the AppContainer
* Offload other stuff to the servercontainer

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma
7cece61ff6
Extend DI tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Lukas Reschke
5f8f29508f
Adjust tests to include base-uri
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 18:12:10 +01:00
Lukas Reschke
adfd1e63f6
Add base-uri to CSP policy
As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 15:16:20 +01:00
Robin Appelman
9a8cef965f
add test for skipping cookie checks for ocs
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-03-10 14:11:00 +01:00
Christoph Wurst
5e728d0eda oc_token should be nc_token
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-02-02 21:56:44 +01:00
Bjoern Schiessle
0271ae3b46
add some unit tests
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:16 +01:00
Christoph Wurst
45c6301772
fix controller test
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-10 11:54:45 +01:00
Christoph Wurst
e3815b382d
fix data response test expected cache headers
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-10 10:13:08 +01:00
Christoph Wurst
fe6416072d
set 'no-store' cache header if we do not want FF to cache
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-09 21:29:59 +01:00
Morris Jobke
d86b29b42b Merge pull request #2066 from nextcloud/fix-redirect-double-encoding
do not double encode the redirect url
2016-11-29 17:21:43 +01:00
Lukas Reschke
a05b8b7953
Harden cookies more appropriate
This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening.

See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications.

Fixes https://github.com/nextcloud/server/issues/1412

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-11-23 12:53:44 +01:00
Morris Jobke
332eaec4c0 Merge pull request #1447 from nextcloud/password-confirmation-for-some-actions
Password confirmation for some actions
2016-11-18 15:42:30 +01:00
Joas Schilling
b2d9c20aac
Fix unit tests
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 12:10:51 +01:00
Robin Appelman
e4d1cf0f6d
add tests for http/output
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 15:30:37 +01:00
Christoph Wurst
0ebffa4a5f do not double encode the redirect url
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-09 16:14:46 +01:00
Joas Schilling
c20ab0049f
Identify Chromium as Chrome
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-26 12:07:10 +02:00
Roeland Jago Douma
e351ba56f1
Move browserSupportsCspV3 to CSPNonceManager
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-25 22:03:10 +02:00
Lukas Reschke
9e6634814e
Add support for CSP nonces
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce.

At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.)

IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.

Implementing this offers the following advantages:

1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.

If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 12:27:50 +02:00
Roeland Jago Douma
6dace7f6ad
Add tests 2016-09-15 13:11:36 +02:00
Roeland Jago Douma
4066f04c4b
Fix getMock MapperTestUtility 2016-09-07 20:42:37 +02:00
Roeland Jago Douma
3c55fe6bab
Split OCS version handling
This cleans up a bit the OCSController/Middleware. Since the 2 versions
of OCS differ a bit. Moved a lot of stuff internal since it is of no
concern to the outside.
2016-09-06 11:57:39 +02:00
Roeland Jago Douma
777c3ee325
Add FileDisplayResponse
A lazy implementation of the DisplayResponse that only hits the
filesystem if the etag and mtime do not match.
2016-09-05 15:09:54 +02:00
Roeland Jago Douma
21a87d3c2e
No body or content-length for 204 and 304 responses
See: https://tools.ietf.org/html/rfc7230#section-3.3
2016-08-31 23:07:48 +02:00
Joas Schilling
f9cea0b582 Merge pull request #797 from nextcloud/only-match-for-auth-cookie
Match only for actual session cookie
2016-08-31 15:59:16 +02:00
Lukas Reschke
d50e7ee36c
Remove reading PATH_INFO from server variable
Having two code paths for this is unreliable and can lead to bugs. Also, in some cases Apache isn't setting the PATH_INFO variable when mod_rewrite is used.

Fixes https://github.com/nextcloud/server/issues/983
2016-08-19 14:48:13 +02:00
Roeland Jago Douma
a0b22227fc
Add tests 2016-08-14 18:34:01 +02:00
Roeland Jago Douma
1f370c97ed
OCSController requires DataResponse
The OCS Controller requires a DataResponse object to be returned.
This means that all error handling will have to be done via exceptions
thrown and handling in the middleware.
2016-08-10 12:40:26 +02:00
Lukas Reschke
5214b62d55 Merge pull request #691 from nextcloud/ocs_allow_all_old_routes
Allow ocs/v2.php/cloud/... routes
2016-08-09 20:52:49 +02:00
Lukas Reschke
b53ea18ea5
Match only for actual session cookie
OVH has implemented load balancing in a very questionable way where the reverse proxy actually internally adds some cookies which would trigger a security exception. To work around this, this change only checks for the session cookie.
2016-08-09 19:23:08 +02:00
Roeland Jago Douma
0032a5c2d1
Hanlde Core and Settings app in AppFramework
'core' and 'settings' are just apps but we treat them slightly
different. Make sure that we construct the correct namespace so we can
actually do automatic AppFramework stuff.
2016-08-08 20:48:16 +02:00
Roeland Jago Douma
63f6d2d558
Allow ocs/v2.php/cloud/... routes
One of the possibilities of the old OCS API is that you can define the
url yourself.

This PR makes this possible again by adding an optional root elemenet to
the route. Routes are thus:

.../ocs/v2.php/<root>/<url>

By default <root> = apps/<app>

This will allow for example the provisioning API etc to be in
../ovs/v2/php/cloud/users
2016-08-08 15:01:26 +02:00
Roeland Jago Douma
5c718b13b8
We should properly check for 'true' instaed of the bool 2016-08-01 08:52:50 +02:00
Roeland Jago Douma
f7f5216aa3
Dark hackery to not always disable CSRF for OCS controllers 2016-07-29 15:49:27 +02:00
Roeland Jago Douma
8bdd0adcee
Support subdir in the OCS v2 endpoint
We should check against the ending substring since people could
run their nextcloud in a subfolder.

* Added test
2016-07-27 15:28:35 +02:00
Roeland Jago Douma
72b06d250d
Add tests 2016-07-22 12:53:47 +02:00
Lukas Reschke
c385423d10 Merge pull request #479 from nextcloud/add-bruteforce-throttler
Implement brute force protection
2016-07-21 00:31:02 +02:00
Lukas Reschke
ba4f12baa0
Implement brute force protection
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.

It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
2016-07-20 22:08:56 +02:00