authorChristoph Wurst <christoph@winzerhof-wurst.at>2023-10-18 12:20:21 +0200
committerChristoph Wurst <christoph@winzerhof-wurst.at>2023-10-18 12:20:21 +0200
commita0329557f6ea2d7edb04a4ad768302e4e57b5c77 (patch)
treee1406409fb281ec4766f0de48a8a9320d0d19aa2
parent80893480c1e95796ed5154e0cad166aa76e1bc24 (diff)
feat(settings): Add setup check for too much cachingfeat/settings/too-much-caching-setup-check
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
-rw-r--r--apps/settings/appinfo/routes.php1
-rw-r--r--apps/settings/lib/Controller/CheckSetupController.php18
-rw-r--r--apps/settings/src/admin.js5
-rw-r--r--core/js/setupchecks.js21
4 files changed, 43 insertions, 2 deletions
diff --git a/apps/settings/appinfo/routes.php b/apps/settings/appinfo/routes.php
index e238510b1a7..0c5c1978359 100644
--- a/apps/settings/appinfo/routes.php
+++ b/apps/settings/appinfo/routes.php
@@ -66,6 +66,7 @@ return [
['name' => 'LogSettings#getEntries', 'url' => '/settings/admin/log/entries', 'verb' => 'GET' , 'root' => ''],
['name' => 'LogSettings#download', 'url' => '/settings/admin/log/download', 'verb' => 'GET' , 'root' => ''],
['name' => 'CheckSetup#check', 'url' => '/settings/ajax/checksetup', 'verb' => 'GET' , 'root' => ''],
+ ['name' => 'CheckSetup#checkCookies', 'url' => '/settings/ajax/checksetupcookies.png', 'verb' => 'GET' , 'root' => ''],
['name' => 'CheckSetup#getFailedIntegrityCheckFiles', 'url' => '/settings/integrity/failed', 'verb' => 'GET' , 'root' => ''],
['name' => 'CheckSetup#rescanFailedIntegrityCheck', 'url' => '/settings/integrity/rescan', 'verb' => 'GET' , 'root' => ''],
['name' => 'PersonalSettings#index', 'url' => '/settings/user/{section}', 'verb' => 'GET', 'defaults' => ['section' => 'personal-info'] , 'root' => ''],
diff --git a/apps/settings/lib/Controller/CheckSetupController.php b/apps/settings/lib/Controller/CheckSetupController.php
index 5dcf6cda29c..c2e397c502e 100644
--- a/apps/settings/lib/Controller/CheckSetupController.php
+++ b/apps/settings/lib/Controller/CheckSetupController.php
@@ -74,6 +74,7 @@ use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\Attribute\IgnoreOpenAPI;
use OCP\AppFramework\Http\DataDisplayResponse;
use OCP\AppFramework\Http\DataResponse;
+use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\RedirectResponse;
use OCP\DB\Events\AddMissingColumnsEvent;
use OCP\DB\Events\AddMissingIndicesEvent;
@@ -94,6 +95,8 @@ use OCP\Notification\IManager;
use OCP\Security\Bruteforce\IThrottler;
use OCP\Security\ISecureRandom;
use Psr\Log\LoggerInterface;
+use function setcookie;
+use function time;
#[IgnoreOpenAPI]
class CheckSetupController extends Controller {
@@ -972,4 +975,19 @@ Raw output
]
);
}
+
+ /**
+ * @AuthorizedAdminSetting(settings=OCA\Settings\Settings\Admin\Overview)
+ */
+ public function checkCookies(): JSONResponse {
+ $rand = $this->secureRandom->generate(32);
+ setcookie(
+ 'nc_setup_check',
+ $rand,
+ time() + 60
+ );
+ return new JSONResponse([
+ 'rand' => $rand,
+ ]);
+ }
}
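Review bot: `checkCookies` sets its cookie through a bare `setcookie()` call with default attributes (no path, no `secure`, no `httponly`, no SameSite) and outside the AppFramework response, which already has a cookie API that applies those attributes consistently; `$response = new JSONResponse(['rand' => $rand]); $response->addCookie('nc_setup_check', $rand, (new \DateTime())->modify('+60 seconds')); return $response;` keeps cookie handling in one place and drops the `use function setcookie;`/`use function time;` imports added in the hunk above. The docblock only carries the annotation; it should state the contract the JS check relies on, e.g. `Returns a fresh random value and cookie on every call; the caching setup check requests this endpoint twice and expects two different values.` Whether the framework's default Cache-Control headers already mark the response non-cacheable is not visible here; if they do not, an explicit `cacheFor(0)` on the response would make that intent clear. The `.png` suffix on the new route in apps/settings/appinfo/routes.php (line 28) looks deliberate, presumably to trigger static-asset cache rules, and deserves a short comment there so nobody "fixes" it later.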
diff --git a/apps/settings/src/admin.js b/apps/settings/src/admin.js
index c8d04049ded..42df521d6c6 100644
--- a/apps/settings/src/admin.js
+++ b/apps/settings/src/admin.js
@@ -243,8 +243,9 @@ window.addEventListener('DOMContentLoaded', () => {
OC.SetupChecks.checkGeneric(),
OC.SetupChecks.checkWOFF2Loading(OC.filePath('core', '', 'fonts/NotoSans-Regular-latin.woff2'), OC.theme.docPlaceholderUrl),
OC.SetupChecks.checkDataProtected(),
- ).then((check1, check2, check3, check4, check5, check6, check7, check8, check9, check10, check11) => {
- const messages = [].concat(check1, check2, check3, check4, check5, check6, check7, check8, check9, check10, check11)
+ OC.SetupChecks.checkCaching(),
+ ).then((check1, check2, check3, check4, check5, check6, check7, check8, check9, check10, check11, check12) => {
+ const messages = [].concat(check1, check2, check3, check4, check5, check6, check7, check8, check9, check10, check11, check12)
const $el = $('#postsetupchecks')
$('#security-warning-state-loading').addClass('hidden')
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index eb5a20c5966..2435e1ba5a7 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -47,6 +47,27 @@
return deferred.promise();
},
+ checkCaching: function() {
+ return Promise.all([
+ $.get(OC.generateUrl('settings/ajax/checksetupcookies.png')),
+ $.get(OC.generateUrl('settings/ajax/checksetupcookies.png')),
+ ]).then(function(responses) {
+ if (responses[0].rand === responses[1].rand) {
+ console.error('Two unique requests returned the same response', {
+ rand1: responses[0].rand,
+ rand2: responses[1].rand,
+ });
+ return [
+ {
+ msg: t('core', 'Your web server is caching too aggressively. This could lead to leaked cookies and sessions.'),
+ type: OC.SetupChecks.MESSAGE_TYPE_ERROR
+ }
+ ];
+ }
+ return [];
+ })
+ },
+
/**
* Check whether the .well-known URLs works.
*
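Review bot: The two `$.get` calls in `checkCaching` are issued concurrently, so a caching reverse proxy may not have stored the first response yet when the second arrives, and the check can then pass on exactly the misconfiguration it is meant to detect; the second request should only go out after the first has completed. There is also no failure handler: if either request fails (HTTP error, network), `Promise.all` rejects and, since admin.js collects all checks in one `.then`, the other checks' messages are lost, whereas the sibling checks in this file resolve with an empty list on failure. The `.then(...)` chain ending on line 112 is also missing its trailing semicolon, unlike `return deferred.promise();` just above. A sequential version with a rejection fallback follows.
```javascript
checkCaching: function() {
	var url = OC.generateUrl('settings/ajax/checksetupcookies.png');
	// Issue the second request only after the first completed, so that a
	// caching proxy has had the chance to store the first response.
	return $.get(url).then(function(first) {
		return $.get(url).then(function(second) {
			if (first.rand === second.rand) {
				// … unchanged: console.error and the MESSAGE_TYPE_ERROR entry …
			}
			return [];
		});
	}, function() {
		// A failed request must not take the other setup checks down with it
		return [];
	});
},
```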