This adds a phan plugin which checks for SQL injections in code using our QueryBuilder. While it isn't perfect, it should already catch most potential issues.
As always, static analysis will sometimes have false positives, and this is also the case here. So in some cases the analyzer just doesn't know if something is potential user input or not, thus I had to add some `@suppress SqlInjectionChecker` in front of those potential injections.
The Phan plugin doesn't have the most awesome code, but it works, and I also added a file with test cases.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
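The kind of code a checker like the one described above distinguishes between, shown as an added example that is not part of the commit or of the Nextcloud code base. It assumes the Nextcloud `IQueryBuilder` API (`select`, `from`, `where`, `expr()->eq`, `createNamedParameter`, `execute`) as it existed at the time; the class, method and column names are constructed for illustration.

```php
<?php
declare(strict_types=1);

use OCP\DB\QueryBuilder\IQueryBuilder;
use OCP\IDBConnection;

// Constructed example class; the connection is injected as in any Nextcloud service.
class UserLookup {
    public function __construct(private IDBConnection $connection) {}

    // Pattern a SQL injection checker flags: a value that may come from the
    // request is concatenated into the SQL fragment passed to where().
    // Kept here only to show what the analyzer reports; do not use.
    public function findUnsafe(string $uid): array {
        $qb = $this->connection->getQueryBuilder();
        $qb->select('uid', 'displayname')
           ->from('users')
           ->where("uid = '" . $uid . "'");
        return $qb->execute()->fetchAll();
    }

    // Fixed form: the value is bound through a named parameter, so it is sent
    // to the database separately from the statement text and never parsed as SQL.
    public function findSafe(string $uid): array {
        $qb = $this->connection->getQueryBuilder();
        $qb->select('uid', 'displayname')
           ->from('users')
           ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid)));
        return $qb->execute()->fetchAll();
    }

    // Sort columns cannot be bound as parameters, so a string still reaches the
    // query builder here. The analyzer cannot see that the value is restricted
    // to a fixed allow-list, which is the situation the commit addresses with
    // a suppression annotation after the value has been validated.
    public function listSorted(string $sortBy): array {
        $allowed = ['uid', 'displayname'];
        if (!in_array($sortBy, $allowed, true)) {
            $sortBy = 'uid';
        }
        $qb = $this->connection->getQueryBuilder();
        /** @suppress SqlInjectionChecker $sortBy is validated against $allowed above */
        $qb->select('uid', 'displayname')
           ->from('users')
           ->orderBy($sortBy, 'ASC');
        return $qb->execute()->fetchAll();
    }
}
```

The suppression is only justified because the allow-list check precedes it; the annotation documents the reasoning for the next reader, it does not make the code safe by itself.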
Overrides \Sabre\DAV\Auth\Backend\AbstractBearer::challenge to prevent sending a second WWW-Authenticate header, which is standard-compliant but on which most DAV clients simply fail hard.
Fixes https://github.com/nextcloud/server/issues/5088
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
As the script modifies the Git repository, a safety parameter was added
to prevent running it by mistake and messing with the local copy of the
repository.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Run acceptance tests using the local helper instead of the Docker one
When run through "run.sh", the acceptance tests were executed in the same
system in which the script was called, and they started and stopped the
Nextcloud server using Docker containers that provided real web servers.
For consistency, now they use the same approach used when run through
Drone: the acceptance tests are run in a Docker container and they start
and stop the Nextcloud server directly using the PHP built-in web server.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Use PHP built-in web server instead of Apache in Drone
Instead of running an additional Drone service with the Nextcloud server,
now the Nextcloud server is run in the same Drone step as the acceptance
tests themselves, using the PHP built-in web server.
Thanks to this, the Nextcloud server control is no longer needed, as the
acceptance tests can now directly reset, start and stop the Nextcloud
server. Also, the "nextcloudci/php7.0:php7.0-7" image provides
everything needed to run and manage the Nextcloud server (including the
Git command used to restore the directory to a saved state), so the
custom image is no longer needed either.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Replace downloaded Selenium server with Docker container
Instead of downloading the Selenium server and requiring a specific
Firefox version to be installed in the system, now the Selenium server is
run using one of the official Selenium Docker images, which provides
both the Selenium server and the appropriate version of Firefox.
Moreover, as it is run inside the Docker container, the web browser is
now run in headless mode; however, if needed, it can still be viewed
through VNC.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Each acceptance test feature is run in its own Drone step. The container
of the step runs the acceptance tests themselves, but they require two
additional Drone services. One service provides the Selenium server that
performs the web browser actions specified by the tests, and the other
service provides the Nextcloud server that the tests will be run
against (due to security concerns the acceptance tests themselves cannot
create Docker containers for the Nextcloud server as done when
running them in a local system, as if Drone containers had access to
Docker a malicious pull request could be used to take over the Drone
server).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Although the timeouts specified in the acceptance tests are enough in
most cases, they may not be when running them in a slow system or
environment. For those situations a general multiplier for find
timeouts is added. It can be set in the "behat.yml" configuration file
to increase the timeout used in every find call (except those that use
a timeout of 0, as in those cases the element has to be already present
when finding it, and whether the system is slow or not does not change
that).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Add NextcloudTestServerHelper for Nextcloud servers in Drone services
Due to security concerns, the public Nextcloud server repository is not
set as "trusted" in Drone (otherwise a malicious pull request could be
used to take over the server), so it is not possible to create Docker
containers from the containers started by Drone. Therefore, the
Nextcloud server must be started as a service by Drone itself.
The NextcloudTestServerDroneHelper is added to manage, from the
acceptance tests, a Nextcloud test server running in a Drone service; to
be able to control the remote Nextcloud server, the Drone service must
provide the Nextcloud server control server.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Extract installation and configuration of the Nextcloud server
The installation and configuration of the Nextcloud server as expected
by the acceptance tests is extracted to its own script so it can be used
from any element that launches the acceptance tests.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Use NextcloudTestServerHelper in NextcloudTestServerContext
Instead of depending on a Nextcloud test server created through Docker,
NextcloudTestServerContext now uses the NextcloudTestServerHelper
interface. This makes it possible to provide other implementations of the
interface for those cases in which using a Docker container is not a
valid approach, like in the continuous integration system of the public
repository due to security concerns.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The NextcloudTestServerHelper interface provides the needed methods to
manage the Nextcloud server used in acceptance tests.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
For consistency with the rest of the private methods in the class,
"isContainerRegistered" is moved below the only public method in which
it is used ("cleanUp").
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>