Return whether the file is readable or not in the DAV permissions
Until now it was safe to assume that every file was readable by its
owner, so there was no need to return whether the file was readable or
not. However, with the introduction of end to end encryption that is no
longer the case, and it is now necessary to explicitly provide that
information.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
This adds a phan plugin which checks for SQL injections on code using our QueryBuilder. While it isn't perfect, it should already catch most potential issues.
As always, static analysis will sometimes have false positives, and this is also the case here. So in some cases the analyzer just doesn't know if something is potential user input or not, and thus I had to add some `@suppress SqlInjectionChecker` in front of those potential injections.
The Phan plugin doesn't have the most awesome code, but it works, and I also added a file with test cases.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
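The pattern such a checker looks for, shown as an added illustration that is not part of this commit or of the plugin's test file: the first function concatenates a caller-supplied value into the string handed to `where()`, the second binds it through `createNamedParameter`. The `IQueryBuilder` methods are Nextcloud's public QueryBuilder API; the `users` table, the `uid` column and the placement of the suppression comment are assumptions for the example.

```php
<?php
use OCP\DB\QueryBuilder\IQueryBuilder;
use OCP\IDBConnection;

// Constructed example: look up a user row where $uid originates from a request.

// Unsafe: the request value becomes part of the SQL text itself. A checker
// that follows the taint from $uid into the string passed to where() reports
// this as a potential injection.
function findUserUnsafe(IDBConnection $db, string $uid): array {
    $qb = $db->getQueryBuilder();
    $qb->select('*')
        ->from('users')
        ->where("uid = '" . $uid . "'");   // flagged: tainted string in where()
    $result = $qb->execute();
    $rows = $result->fetchAll();
    $result->closeCursor();
    return $rows;
}

// Safe: the value travels as a bound parameter, so the SQL text never
// contains user data, whatever characters $uid holds.
function findUserSafe(IDBConnection $db, string $uid): array {
    $qb = $db->getQueryBuilder();
    $qb->select('*')
        ->from('users')
        ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid)));
    $result = $qb->execute();
    $rows = $result->fetchAll();
    $result->closeCursor();
    return $rows;
}

// The false-positive case the commit message mentions: the interpolated value
// is a constant, not input, yet a checker that only sees "non-literal string
// passed to where()" may still warn. After reviewing that nothing tainted can
// reach $column, a suppression (assumed here as a phan docblock) is justified;
// binding the value would also work and avoids the annotation entirely.
function findUserByFixedColumn(IDBConnection $db, string $uid): array {
    $qb = $db->getQueryBuilder();
    $column = 'uid';   // constant, chosen by the code, never by the caller
    /** @suppress SqlInjectionChecker */
    $qb->select('*')
        ->from('users')
        ->where($qb->expr()->eq($column, $qb->createNamedParameter($uid)));
    $result = $qb->execute();
    $rows = $result->fetchAll();
    $result->closeCursor();
    return $rows;
}
```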
Overrides \Sabre\DAV\Auth\Backend\AbstractBearer::challenge to prevent sending a second WWW-Authenticate header, which is standard-compliant but on which most DAV clients simply fail hard.
Fixes https://github.com/nextcloud/server/issues/5088
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
As the script modifies the Git repository, a safety parameter was added
to prevent running it by mistake and messing with the local copy of the
repository.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Run acceptance tests using the local helper instead of the Docker one
When run through "run.sh" the acceptance tests were executed in the same
system in which the script was called and they started and stopped the
Nextcloud server using Docker containers that provided real web servers.
For consistency now they use the same approach used when run through
Drone: the acceptance tests are run in a Docker container and they start
and stop the Nextcloud server directly using the PHP built-in web server.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Use PHP built-in web server instead of Apache in Drone
Instead of running an additional Drone service with the Nextcloud server,
now the Nextcloud server is run in the same Drone step as the acceptance
tests themselves using the PHP built-in web server.
Thanks to this, the Nextcloud server control is no longer needed, as the
acceptance tests can now directly reset, start and stop the Nextcloud
server. Also, the "nextcloudci/php7.0:php7.0-7" image provides
everything needed to run and manage the Nextcloud server (including the
Git command used to restore the directory to a saved state), so the
custom image is no longer needed either.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Replace downloaded Selenium server with Docker container
Instead of downloading the Selenium server and requiring a specific
Firefox version to be installed in the system, now the Selenium server is
run using one of the official Selenium Docker images, which provides
both the Selenium server and the appropriate version of Firefox.
Moreover, as it is run inside the Docker container, the web browser is
now run in headless mode; however, if needed, it can still be viewed
through VNC.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Each acceptance test feature is run in its own Drone step. The container
of the step runs the acceptance tests themselves, but they require two
additional Drone services. One service provides the Selenium server that
performs the web browser actions specified by the tests, and the other
service provides the Nextcloud server that the tests will be run
against (due to security concerns the acceptance tests themselves cannot
create Docker containers for the Nextcloud server as done when
running them in a local system, as if Drone containers had access to
Docker a malicious pull request could be used to take over the Drone
server).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Although the timeouts specified in the acceptance tests are enough in
most cases they may not be when running them in a slow system or
environment. For those situations a general multiplier for find
timeouts is added. It can be set in the "behat.yml" configuration file
to increase the timeout used in every find call (except those that used
a timeout of 0, as in those cases the element had to be already present
when finding it and whether the system is slow or not does not change
that).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>