fix: SSE files being mistaken for E2EE

Signed-off-by: Alyx <[email protected]> Signed-off-by: Louis Chemineau <[email protected]>
nextcloud · Mar 14, 2024 · 60193e0 · 60193e0
1 parent f3d39a3
commit 60193e0
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 19 deletions.
diff --git a/lib/E2EEnabledPathCache.php b/lib/E2EEnabledPathCache.php
@@ -28,6 +28,9 @@
 use OCP\Files\Cache\ICache;
 use OCP\Files\IHomeStorage;
 use OCP\Files\Node;
+use OCP\Files\Folder;
+use OCP\Files\Node;
+use OCP\Files\InvalidPathException;
 use OCP\Files\NotFoundException;
 use OCP\Files\Storage\IStorage;
 
@@ -45,53 +48,82 @@ public function __construct() {
 	}
 
 	/**
-	 * Checks if the path is an E2E folder or inside an E2E folder
+	 * Checks if the node is an E2EE folder or inside an E2EE folder.
+	 *
+	 * @return bool true, if the node is valid and E2EE, false otherwise
 	 */
 	public function isE2EEnabledPath(Node $node): bool {
-		if ($node->isEncrypted()) {
+		// only checking for $node->isEncrypted() will lead to false-positives for SSE files,
+		// as they have the encryption flag set but are not E2E, so we need to check the folder's flag,
+		// as folders having the encryption flag set are always E2E
+		if ($node instanceof Folder && $node->isEncrypted()) {
 			return true;
 		}
-		$storage = $node->getStorage();
-		$cache = $storage->getCache();
-		return $this->getEncryptedStates($cache, $node, $storage);
+
+		try {
+			$storage = $node->getStorage();
+		} catch (NotFoundException $e) {
+			return false;
+		}
+		// if not home storage, fallback to EncryptionManager
+		if (!$storage->instanceOfStorage(IHomeStorage::class)) {
+			return EncryptionManager::isEncryptedFile($node);
+		}
+
+		// walk path backwards while caching each node's state
+		return $this->getEncryptedStates((string) $storage->getCache()->getNumericStorageId(), $node);
 	}
 
 	/**
-	 * Get the encryption state for the path
+	 * Determines a node's E2E encryption state by walking up the tree. Caches each node's state on the way.
+	 *
+	 * @param string $storageId the node's storage id, used for caching
+	 * @param Node $node the node to check
+	 *
+	 * @return bool true, if the node is valid and E2EE, false otherwise
 	 */
-	protected function getEncryptedStates(ICache $cache, Node $node, IStorage $storage): bool {
-		if (!$storage->instanceOfStorage(IHomeStorage::class)) {
+	protected function getEncryptedStates(string $storageId, Node $node): bool {
+		try {
+			$nodeId = $node->getId();
+		} catch (InvalidPathException|NotFoundException $e) {
 			return false;
 		}
 
-		$storageId = (string)$cache->getNumericStorageId();
+		// initialize array for storage id if necessary
 		if (!isset($this->perStorageEncryptedStateCache[$storageId])) {
 			$this->perStorageEncryptedStateCache[$storageId] = [];
 		}
-		if (isset($this->perStorageEncryptedStateCache[$storageId][$node->getId()])) {
-			return $this->perStorageEncryptedStateCache[$storageId][$node->getId()];
+		// return cached state if available
+		else if (isset($this->perStorageEncryptedStateCache[$storageId][$nodeId])) {
+			return $this->perStorageEncryptedStateCache[$storageId][$nodeId];
 		}
 
 		if ($node->getPath() === '/') {
 			// root is never encrypted
-			$this->perStorageEncryptedStateCache[$storageId][$node->getId()] = false;
+			$this->perStorageEncryptedStateCache[$storageId][$nodeId] = false;
 			return false;
 		}
 
-		if ($node->isEncrypted()) {
-			// no need to go further down in the tree
-			$this->perStorageEncryptedStateCache[$storageId][$node->getId()] = true;
+		// checking for folder for the same reason as above
+		if ($node instanceof Folder && $node->isEncrypted()) {
+			// no need to go further up in the tree
+			$this->perStorageEncryptedStateCache[$storageId][$nodeId] = true;
 			return true;
 		}
 
 		try {
 			$parentNode = $node->getParent();
 		} catch (NotFoundException $e) {
-			$this->perStorageEncryptedStateCache[$storageId][$node->getId()] = false;
+			// node not encrypted and no parent that could be E2EE, so node is not E2EE
+			$this->perStorageEncryptedStateCache[$storageId][$nodeId] = false;
 			return false;
 		}
-		$encrypted = $this->getEncryptedStates($cache, $parentNode, $storage);
-		$this->perStorageEncryptedStateCache[$storageId][$node->getId()] = $encrypted;
+
+		// check parent's state
+		$encrypted = $this->getEncryptedStates($storageId, $parentNode);
+
+		// if any parent is E2EE, this node is E2EE as well
+		$this->perStorageEncryptedStateCache[$storageId][$nodeId] = $encrypted;
 		return $encrypted;
 	}
 }
diff --git a/lib/EncryptionManager.php b/lib/EncryptionManager.php
@@ -84,7 +84,13 @@ public function removeEncryptionFlag(int $id): void {
 	/**
 	 * Check if a file is in a folder marked as encrypted
 	 */
-	public function isEncryptedFile(Node $node): bool {
+	public static function isEncryptedFile(Node $node): bool {
+		// traverse up if node is not a folder to prevent false positives for SSE files
+		// (see E2EEnabledPathCache#isE2EEnabledPath)
+		if (!($node instanceof Folder)) {
+			$node = $node->getParent();
+		}
+
 		do {
 			if ($node->isEncrypted()) {
 				return true;