open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

feat(Security): Warn about using annotations instead of attributes

Browse Source 
Signed-off-by: provokateurin <kate@provokateurin.de>
pull/46606/head
provokateurin 2 years ago
parent 1de5adf867
commit e5dcdfb9e0
No known key found for this signature in database
6 changed files with 31 additions and 14 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 4
      lib/private/AppFramework/DependencyInjection/DIContainer.php
  2. 6
      lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
  3. 3
      lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
  4. 1
      lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
  5. 27
      tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
  6. 4
      tests/lib/AppFramework/Middleware/Security/PasswordConfirmationMiddlewareTest.php

4
lib/private/AppFramework/DependencyInjection/DIContainer.php
Unescape View File

@ -207,7 +207,8 @@ class DIContainer extends SimpleContainer implements IAppContainer {
$c->get(IRequest::class),
$c->get(IControllerMethodReflector::class),
$c->get(IUserSession::class),
$c->get(IThrottler::class)
$c->get(IThrottler::class),
$c->get(LoggerInterface::class)
)
);
$dispatcher->registerMiddleware(
@ -251,6 +252,7 @@ class DIContainer extends SimpleContainer implements IAppContainer {
$c->get(IUserSession::class),
$c->get(ITimeFactory::class),
$c->get(\OC\Authentication\Token\IProvider::class),
$c->get(LoggerInterface::class),
)
);
$dispatcher->registerMiddleware(

6
lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
Unescape View File

@ -21,6 +21,7 @@ use OCP\AppFramework\Middleware;
use OCP\IRequest;
use OCP\ISession;
use OCP\Security\Bruteforce\IThrottler;
use Psr\Log\LoggerInterface;
use ReflectionMethod;
/**
@ -42,7 +43,9 @@ class CORSMiddleware extends Middleware {
public function __construct(IRequest $request,
ControllerMethodReflector $reflector,
Session $session,
IThrottler $throttler) {
IThrottler $throttler,
private readonly LoggerInterface $logger,
) {
$this->request = $request;
$this->reflector = $reflector;
$this->session = $session;
@ -103,6 +106,7 @@ class CORSMiddleware extends Middleware {
if (!empty($reflectionMethod->getAttributes($attributeClass))) {
$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . $annotationName . ' annotation and should use the #[' . $attributeClass . '] attribute instead');
return true;
}

3
lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
Unescape View File

@ -20,6 +20,7 @@ use OCP\ISession;
use OCP\IUserSession;
use OCP\Session\Exceptions\SessionNotAvailableException;
use OCP\User\Backend\IPasswordConfirmationBackend;
use Psr\Log\LoggerInterface;
use ReflectionMethod;
class PasswordConfirmationMiddleware extends Middleware {
@ -48,6 +49,7 @@ class PasswordConfirmationMiddleware extends Middleware {
IUserSession $userSession,
ITimeFactory $timeFactory,
IProvider $tokenProvider,
private readonly LoggerInterface $logger,
) {
$this->reflector = $reflector;
$this->session = $session;
@ -113,6 +115,7 @@ class PasswordConfirmationMiddleware extends Middleware {
}
if ($this->reflector->hasAnnotation($annotationName)) {
$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . $annotationName . ' annotation and should use the #[' . $attributeClass . '] attribute instead');
return true;
}

1
lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
Unescape View File

@ -243,6 +243,7 @@ class SecurityMiddleware extends Middleware {
}
if ($this->reflector->hasAnnotation($annotationName)) {
$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . $annotationName . ' annotation and should use the #[' . $attributeClass . '] attribute instead');
return true;
}

27
tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
Unescape View File

@ -18,6 +18,7 @@ use OCP\IRequest;
use OCP\IRequestId;
use OCP\Security\Bruteforce\IThrottler;
use PHPUnit\Framework\MockObject\MockObject;
use Psr\Log\LoggerInterface;
use Test\AppFramework\Middleware\Security\Mock\CORSMiddlewareController;
class CORSMiddlewareTest extends \Test\TestCase {
@ -29,12 +30,14 @@ class CORSMiddlewareTest extends \Test\TestCase {
private $throttler;
/** @var CORSMiddlewareController */
private $controller;
private LoggerInterface $logger;
protected function setUp(): void {
parent::setUp();
$this->reflector = new ControllerMethodReflector();
$this->session = $this->createMock(Session::class);
$this->throttler = $this->createMock(IThrottler::class);
$this->logger = $this->createMock(LoggerInterface::class);
$this->controller = new CORSMiddlewareController(
'test',
$this->createMock(IRequest::class)
@ -62,7 +65,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->createMock(IConfig::class)
);
$this->reflector->reflect($this->controller, $method);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$response = $middleware->afterController($this->controller, $method, new Response());
$headers = $response->getHeaders();
@ -79,7 +82,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->createMock(IRequestId::class),
$this->createMock(IConfig::class)
);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$response = $middleware->afterController($this->controller, __FUNCTION__, new Response());
$headers = $response->getHeaders();
@ -103,7 +106,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->createMock(IConfig::class)
);
$this->reflector->reflect($this->controller, $method);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$response = $middleware->afterController($this->controller, $method, new Response());
$headers = $response->getHeaders();
@ -133,7 +136,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->createMock(IConfig::class)
);
$this->reflector->reflect($this->controller, $method);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$response = new Response();
$response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
@ -159,7 +162,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->createMock(IConfig::class)
);
$this->reflector->reflect($this->controller, $method);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$this->session->expects($this->once())
->method('isLoggedIn')
->willReturn(false);
@ -193,7 +196,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->createMock(IConfig::class)
);
$this->reflector->reflect($this->controller, $method);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$this->session->expects($this->once())
->method('isLoggedIn')
->willReturn(true);
@ -234,7 +237,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
->with($this->equalTo('user'), $this->equalTo('pass'))
->willReturn(true);
$this->reflector->reflect($this->controller, $method);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$middleware->beforeController($this->controller, $method);
}
@ -267,7 +270,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
->with($this->equalTo('user'), $this->equalTo('pass'))
->will($this->throwException(new \OC\Authentication\Exceptions\PasswordLoginForbiddenException));
$this->reflector->reflect($this->controller, $method);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$middleware->beforeController($this->controller, $method);
}
@ -300,7 +303,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
->with($this->equalTo('user'), $this->equalTo('pass'))
->willReturn(false);
$this->reflector->reflect($this->controller, $method);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$middleware->beforeController($this->controller, $method);
}
@ -314,7 +317,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->createMock(IRequestId::class),
$this->createMock(IConfig::class)
);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$response = $middleware->afterException($this->controller, __FUNCTION__, new SecurityException('A security exception'));
$expected = new JSONResponse(['message' => 'A security exception'], 500);
@ -330,7 +333,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->createMock(IRequestId::class),
$this->createMock(IConfig::class)
);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$response = $middleware->afterException($this->controller, __FUNCTION__, new SecurityException('A security exception', 501));
$expected = new JSONResponse(['message' => 'A security exception'], 501);
@ -349,7 +352,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->createMock(IRequestId::class),
$this->createMock(IConfig::class)
);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler, $this->logger);
$middleware->afterException($this->controller, __FUNCTION__, new \Exception('A regular exception'));
}
}

4
tests/lib/AppFramework/Middleware/Security/PasswordConfirmationMiddlewareTest.php
Unescape View File

@ -16,6 +16,7 @@ use OCP\IRequest;
use OCP\ISession;
use OCP\IUser;
use OCP\IUserSession;
use Psr\Log\LoggerInterface;
use Test\AppFramework\Middleware\Security\Mock\PasswordConfirmationMiddlewareController;
use Test\TestCase;
@ -35,6 +36,7 @@ class PasswordConfirmationMiddlewareTest extends TestCase {
/** @var ITimeFactory|\PHPUnit\Framework\MockObject\MockObject */
private $timeFactory;
private IProvider|\PHPUnit\Framework\MockObject\MockObject $tokenProvider;
private LoggerInterface $logger;
protected function setUp(): void {
$this->reflector = new ControllerMethodReflector();
@ -43,6 +45,7 @@ class PasswordConfirmationMiddlewareTest extends TestCase {
$this->user = $this->createMock(IUser::class);
$this->timeFactory = $this->createMock(ITimeFactory::class);
$this->tokenProvider = $this->createMock(IProvider::class);
$this->logger = $this->createMock(LoggerInterface::class);
$this->controller = new PasswordConfirmationMiddlewareController(
'test',
$this->createMock(IRequest::class)
@ -54,6 +57,7 @@ class PasswordConfirmationMiddlewareTest extends TestCase {
$this->userSession,
$this->timeFactory,
$this->tokenProvider,
$this->logger,
);
}

Write Preview
Loading…
Cancel
Save