fix(caldav): limit vevent size

Signed-off-by: SebastianKrupinski <krupinskis05@gmail.com>
1 year ago · 247fbb5538
parent a8e581ca94
commit 247fbb5538
6 changed files with 119 additions and 0 deletions
--- a/apps/dav/appinfo/v1/caldav.php
+++ b/apps/dav/appinfo/v1/caldav.php
@ -10,6 +10,7 @@ use OC\KnownUser\KnownUserService;
 use OCA\DAV\CalDAV\CalDavBackend;
 use OCA\DAV\CalDAV\CalendarRoot;
 use OCA\DAV\CalDAV\Security\RateLimitingPlugin;
+use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
 use OCA\DAV\Connector\LegacyDAVACL;
 use OCA\DAV\Connector\Sabre\Auth;
 use OCA\DAV\Connector\Sabre\ExceptionLoggerPlugin;
@ -98,6 +99,7 @@ if ($sendInvitations) {
 }
 $server->addPlugin(new ExceptionLoggerPlugin('caldav', $logger));
 $server->addPlugin(\OCP\Server::get(RateLimitingPlugin::class));
+$server->addPlugin(\OCP\Server::get(CalDavValidatePlugin::class));

 // And off we go!
 $server->exec();
--- a/apps/dav/composer/composer/autoload_classmap.php
+++ b/apps/dav/composer/composer/autoload_classmap.php
@ -112,6 +112,7 @@ return array(
    'OCA\\DAV\\CalDAV\\Trashbin\\Plugin' => $baseDir . '/../lib/CalDAV/Trashbin/Plugin.php',
    'OCA\\DAV\\CalDAV\\Trashbin\\RestoreTarget' => $baseDir . '/../lib/CalDAV/Trashbin/RestoreTarget.php',
    'OCA\\DAV\\CalDAV\\Trashbin\\TrashbinHome' => $baseDir . '/../lib/CalDAV/Trashbin/TrashbinHome.php',
+    'OCA\\DAV\\CalDAV\\Validation\\CalDavValidatePlugin' => $baseDir . '/../lib/CalDAV/Validation/CalDavValidatePlugin.php',
    'OCA\\DAV\\CalDAV\\WebcalCaching\\Plugin' => $baseDir . '/../lib/CalDAV/WebcalCaching/Plugin.php',
    'OCA\\DAV\\CalDAV\\WebcalCaching\\RefreshWebcalService' => $baseDir . '/../lib/CalDAV/WebcalCaching/RefreshWebcalService.php',
    'OCA\\DAV\\Capabilities' => $baseDir . '/../lib/Capabilities.php',
--- a/apps/dav/composer/composer/autoload_static.php
+++ b/apps/dav/composer/composer/autoload_static.php
@ -127,6 +127,7 @@ class ComposerStaticInitDAV
        'OCA\\DAV\\CalDAV\\Trashbin\\Plugin' => __DIR__ . '/..' . '/../lib/CalDAV/Trashbin/Plugin.php',
        'OCA\\DAV\\CalDAV\\Trashbin\\RestoreTarget' => __DIR__ . '/..' . '/../lib/CalDAV/Trashbin/RestoreTarget.php',
        'OCA\\DAV\\CalDAV\\Trashbin\\TrashbinHome' => __DIR__ . '/..' . '/../lib/CalDAV/Trashbin/TrashbinHome.php',
+        'OCA\\DAV\\CalDAV\\Validation\\CalDavValidatePlugin' => __DIR__ . '/..' . '/../lib/CalDAV/Validation/CalDavValidatePlugin.php',
        'OCA\\DAV\\CalDAV\\WebcalCaching\\Plugin' => __DIR__ . '/..' . '/../lib/CalDAV/WebcalCaching/Plugin.php',
        'OCA\\DAV\\CalDAV\\WebcalCaching\\RefreshWebcalService' => __DIR__ . '/..' . '/../lib/CalDAV/WebcalCaching/RefreshWebcalService.php',
        'OCA\\DAV\\Capabilities' => __DIR__ . '/..' . '/../lib/Capabilities.php',
--- a/apps/dav/lib/CalDAV/Validation/CalDavValidatePlugin.php
+++ b/apps/dav/lib/CalDAV/Validation/CalDavValidatePlugin.php
@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\DAV\CalDAV\Validation;
+
+use OCA\DAV\AppInfo\Application;
+use OCP\IAppConfig;
+use Sabre\DAV\Exception\Forbidden;
+use Sabre\DAV\Server;
+use Sabre\DAV\ServerPlugin;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
+
+class CalDavValidatePlugin extends ServerPlugin {
+
+	public function __construct(
+		private IAppConfig $config
+	) {
+	}
+
+	public function initialize(Server $server): void {
+		$server->on('beforeMethod:PUT', [$this, 'beforePut']);
+	}
+
+	public function beforePut(RequestInterface $request, ResponseInterface $response): bool {
+		// evaluate if card size exceeds defined limit
+		$eventSizeLimit = $this->config->getValueInt(Application::APP_ID, 'event_size_limit', 10485760);
+		if ((int) $request->getRawServerValue('CONTENT_LENGTH') > $eventSizeLimit) {
+			throw new Forbidden("VEvent or VTodo object exceeds $eventSizeLimit bytes");
+		}
+		// all tests passed return true
+		return true;
+	}
+
+}
--- a/apps/dav/lib/Server.php
+++ b/apps/dav/lib/Server.php
@ -11,6 +11,7 @@ use OCA\DAV\BulkUpload\BulkUploadPlugin;
 use OCA\DAV\CalDAV\BirthdayService;
 use OCA\DAV\CalDAV\Schedule\IMipPlugin;
 use OCA\DAV\CalDAV\Security\RateLimitingPlugin;
+use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
 use OCA\DAV\CardDAV\HasPhotoPlugin;
 use OCA\DAV\CardDAV\ImageExportPlugin;
 use OCA\DAV\CardDAV\MultiGetExportPlugin;
@ -167,6 +168,7 @@ class Server {
 			));

 			$this->server->addPlugin(\OCP\Server::get(RateLimitingPlugin::class));
+			$this->server->addPlugin(\OCP\Server::get(CalDavValidatePlugin::class));
 		}

 		// addressbook plugins
--- a/apps/dav/tests/unit/CalDAV/Validation/CalDavValidatePluginTest.php
+++ b/apps/dav/tests/unit/CalDAV/Validation/CalDavValidatePluginTest.php
@ -0,0 +1,73 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\DAV\Tests\unit\CalDAV\Validation;
+
+use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
+use OCP\IAppConfig;
+use PHPUnit\Framework\MockObject\MockObject;
+use Sabre\DAV\Exception\Forbidden;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
+use Test\TestCase;
+
+class CalDavValidatePluginTest extends TestCase {
+
+	private CalDavValidatePlugin $plugin;
+	private IAppConfig|MockObject $config;
+	private RequestInterface|MockObject $request;
+	private ResponseInterface|MockObject $response;
+
+	protected function setUp(): void {
+		parent::setUp();
+		// construct mock objects
+		$this->config = $this->createMock(IAppConfig::class);
+		$this->request = $this->createMock(RequestInterface::class);
+		$this->response = $this->createMock(ResponseInterface::class);
+		$this->plugin = new CalDavValidatePlugin(
+			$this->config,
+		);
+	}
+
+	public function testPutSizeLessThenLimit(): void {
+		
+		// construct method responses
+		$this->config
+			->method('getValueInt')
+			->with('dav', 'event_size_limit', 10485760)
+			->willReturn(10485760);
+		$this->request
+			->method('getRawServerValue')
+			->with('CONTENT_LENGTH')
+			->willReturn('1024');
+		// test condition
+		$this->assertTrue(
+			$this->plugin->beforePut($this->request, $this->response)
+		);
+		
+	}
+
+	public function testPutSizeMoreThenLimit(): void {
+		
+		// construct method responses
+		$this->config
+			->method('getValueInt')
+			->with('dav', 'event_size_limit', 10485760)
+			->willReturn(10485760);
+		$this->request
+			->method('getRawServerValue')
+			->with('CONTENT_LENGTH')
+			->willReturn('16242880');
+		$this->expectException(Forbidden::class);
+		// test condition
+		$this->plugin->beforePut($this->request, $this->response);
+		
+	}
+
+}