Add security.txt

Ref https://securitytxt.org

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>

apps/settings/composer/composer/autoload_classmap.php

@@ -65,4 +65,5 @@ return array(
     'OCA\\Settings\\SetupChecks\\PhpDefaultCharset' => $baseDir . '/../lib/SetupChecks/PhpDefaultCharset.php',
     'OCA\\Settings\\SetupChecks\\PhpOutputBuffering' => $baseDir . '/../lib/SetupChecks/PhpOutputBuffering.php',
     'OCA\\Settings\\SetupChecks\\SupportedDatabase' => $baseDir . '/../lib/SetupChecks/SupportedDatabase.php',
+    'OCA\\Settings\\WellKnown\\SecurityTxtHandler' => $baseDir . '/../lib/WellKnown/SecurityTxtHandler.php',
 );

apps/settings/composer/composer/autoload_static.php

@@ -80,6 +80,7 @@ class ComposerStaticInitSettings
         'OCA\\Settings\\SetupChecks\\PhpDefaultCharset' => __DIR__ . '/..' . '/../lib/SetupChecks/PhpDefaultCharset.php',
         'OCA\\Settings\\SetupChecks\\PhpOutputBuffering' => __DIR__ . '/..' . '/../lib/SetupChecks/PhpOutputBuffering.php',
         'OCA\\Settings\\SetupChecks\\SupportedDatabase' => __DIR__ . '/..' . '/../lib/SetupChecks/SupportedDatabase.php',
+        'OCA\\Settings\\WellKnown\\SecurityTxtHandler' => __DIR__ . '/..' . '/../lib/WellKnown/SecurityTxtHandler.php',
     );
 
     public static function getInitializer(ClassLoader $loader)

apps/settings/lib/AppInfo/Application.php

@@ -45,6 +45,7 @@ use OCA\Settings\Mailer\NewUserMailHelper;
 use OCA\Settings\Middleware\SubadminMiddleware;
 use OCA\Settings\Search\AppSearch;
 use OCA\Settings\Search\SectionSearch;
+use OCA\Settings\WellKnown\SecurityTxtHandler;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
 use OCP\AppFramework\Bootstrap\IBootstrap;
@@ -79,6 +80,9 @@ class Application extends App implements IBootstrap {
 		$context->registerEventListener(UserAddedEvent::class, UserAddedToGroupActivityListener::class);
 		$context->registerEventListener(UserRemovedEvent::class, UserRemovedFromGroupActivityListener::class);
 
+		// Register well-known handlers
+		$context->registerWellKnownHandler(SecurityTxtHandler::class);
+
 		/**
 		 * Core class wrappers
 		 */

apps/settings/lib/WellKnown/SecurityTxtHandler.php

@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright 2021 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @author 2021 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace OCA\Settings\WellKnown;
+
+use OCP\AppFramework\Http\TextPlainResponse;
+use OCP\Http\WellKnown\GenericResponse;
+use OCP\Http\WellKnown\IHandler;
+use OCP\Http\WellKnown\IRequestContext;
+use OCP\Http\WellKnown\IResponse;
+
+class SecurityTxtHandler implements IHandler {
+	public function handle(string $service, IRequestContext $context, ?IResponse $previousResponse): ?IResponse {
+		if ($service !== 'security.txt') {
+			return $previousResponse;
+		}
+
+		$response = "Contact: https://hackerone.com/nextcloud
+Expires: 2021-12-31T23:00:00.000Z
+Acknowledgments: https://hackerone.com/nextcloud/thanks
+Acknowledgments: https://github.com/nextcloud/security-advisories/security/advisories
+Policy: https://hackerone.com/nextcloud";
+
+		return new GenericResponse(new TextPlainResponse($response, 200));
+	}
+}

lib/composer/composer/ClassLoader.php

@@ -338,7 +338,7 @@ class ClassLoader
      * Loads the given class or interface.
      *
      * @param  string    $class The name of the class
-     * @return bool|null True if loaded, null otherwise
+     * @return true|null True if loaded, null otherwise
      */
     public function loadClass($class)
     {
@@ -347,6 +347,8 @@ class ClassLoader
 
             return true;
         }
+
+        return null;
     }
 
     /**

lib/public/AppFramework/Http/TextPlainResponse.php

@@ -0,0 +1,62 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright 2021 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @author 2021 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace OCP\AppFramework\Http;
+
+use OCP\AppFramework\Http;
+
+/**
+ * A renderer for text responses
+ * @since 22.0.0
+ */
+class TextPlainResponse extends Response {
+	/** @var string */
+	private $text = '';
+
+	/**
+	 * constructor of TextPlainResponse
+	 * @param string $text The text body
+	 * @param int $statusCode the Http status code, defaults to 200
+	 * @since 22.0.0
+	 */
+	public function __construct(string $text = '', int $statusCode = Http::STATUS_OK) {
+		parent::__construct();
+
+		$this->text = $text;
+		$this->setStatus($statusCode);
+		$this->addHeader('Content-Type', 'text/plain');
+	}
+
+
+	/**
+	 * Returns the text
+	 * @return string
+	 * @since 22.0.0
+	 * @throws \Exception If data could not get encoded
+	 */
+	public function render() : string {
+		return $this->text;
+	}
+}