Skip to content

Commit

Permalink
fix: Apply checks on shares in the middleware
Browse files Browse the repository at this point in the history
Signed-off-by: Julius Härtl <[email protected]>
Signed-off-by: Max <[email protected]>
  • Loading branch information
juliusknorr authored and max-nextcloud committed Oct 2, 2024
1 parent 9d7f7c7 commit 9adddea
Showing 1 changed file with 22 additions and 2 deletions.
24 changes: 22 additions & 2 deletions lib/Middleware/SessionMiddleware.php
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,12 @@
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Middleware;
use OCP\Constants;
use OCP\Files\IRootFolder;
use OCP\Files\NotPermittedException;
use OCP\IL10N;
use OCP\IRequest;
use OCP\ISession;
use OCP\IUserSession;
use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager as ShareManager;
Expand All @@ -31,6 +33,7 @@ public function __construct(
private IRequest $request,
private SessionService $sessionService,
private DocumentService $documentService,
private ISession $session,
private IUserSession $userSession,
private IRootFolder $rootFolder,
private ShareManager $shareManager,
Expand Down Expand Up @@ -126,8 +129,25 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo
} catch (ShareNotFound) {
throw new InvalidSessionException();
}
// Check if shareToken has access to document
if (count($this->rootFolder->getUserFolder($share->getShareOwner())->getById($documentId)) === 0) {

$node = $this->rootFolder->getUserFolder($share->getShareOwner())->getById($documentId)[0]
if ($node === null) {

Check failure on line 134 in lib/Middleware/SessionMiddleware.php

View workflow job for this annotation

GitHub Actions / static-psalm-analysis

ParseError

lib/Middleware/SessionMiddleware.php:134:4: ParseError: Syntax error, unexpected T_IF on line 134 (see https://psalm.dev/173)

Check failure on line 134 in lib/Middleware/SessionMiddleware.php

View workflow job for this annotation

GitHub Actions / static-psalm-analysis

DocblockTypeContradiction

lib/Middleware/SessionMiddleware.php:134:8: DocblockTypeContradiction: OCP\Files\Node does not contain null (see https://psalm.dev/155)
throw new InvalidSessionException();
}

if ($share->getPassword() !== null) {

Check failure on line 138 in lib/Middleware/SessionMiddleware.php

View workflow job for this annotation

GitHub Actions / static-psalm-analysis

RedundantConditionGivenDocblockType

lib/Middleware/SessionMiddleware.php:138:8: RedundantConditionGivenDocblockType: Docblock-defined type string can never contain null (see https://psalm.dev/156)
$shareId = $this->session->get('public_link_authenticated');
if ($share->getId() !== $shareId) {
throw new InvalidSessionException();
}
}

if (($share->getPermissions() & Constants::PERMISSION_READ) !== Constants::PERMISSION_READ) {
throw new InvalidSessionException();
}

$attributes = $share->getAttributes();
if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
throw new InvalidSessionException();
}
} else {
Expand Down

0 comments on commit 9adddea

Please sign in to comment.