authorCôme Chilliet <come.chilliet@nextcloud.com>2025-02-17 14:28:30 +0100
committerCôme Chilliet <come.chilliet@nextcloud.com>2025-02-17 15:26:22 +0100
commit7c907223d2c61df3a3ee3ec25cf4d48f058c5751 (patch)
tree27af277d9ba1dc6e868fc0472c333eabb482fe7a
parentfa108d5b5414d8fdfa1e5eecd9a7d871d58f4b28 (diff)
fix: Fix psalm taint false-positive by escaping trusted input
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
-rw-r--r--build/psalm-baseline-security.xml8
-rw-r--r--lib/private/Setup/MySQL.php22
2 files changed, 11 insertions, 19 deletions
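--- a/build/psalm-baseline-security.xml
+++ b/build/psalm-baseline-security.xml
@@ -49,12 +49,4 @@
 <code><![CDATA[$column]]></code>
 </TaintedSql>
 </file>
-<file src="lib/public/IDBConnection.php">
-<TaintedSql>
-<code><![CDATA[$sql]]></code>
-<code><![CDATA[$sql]]></code>
-<code><![CDATA[$sql]]></code>
-<code><![CDATA[$sql]]></code>
-</TaintedSql>
-</file>
 </files>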
diff --git a/lib/private/Setup/MySQL.php b/lib/private/Setup/MySQL.php
index 2708ada31c1..6dd9855d851 100644
--- a/lib/private/Setup/MySQL.php
+++ b/lib/private/Setup/MySQL.php
@@ -59,7 +59,7 @@ class MySQL extends AbstractDatabase {
/**
* @param \OC\DB\Connection $connection
*/
- private function createDatabase($connection) {
+ private function createDatabase($connection): void {
try {
$name = $this->dbName;
$user = $this->dbUser;
@@ -91,7 +91,7 @@ class MySQL extends AbstractDatabase {
* @param IDBConnection $connection
* @throws \OC\DatabaseSetupException
*/
- private function createDBUser($connection) {
+ private function createDBUser($connection): void {
try {
$name = $this->dbUser;
$password = $this->dbPassword;
@@ -99,15 +99,15 @@ class MySQL extends AbstractDatabase {
// the anonymous user would take precedence when there is one.
if ($connection->getDatabasePlatform() instanceof Mysql80Platform) {
- $query = "CREATE USER '$name'@'localhost' IDENTIFIED WITH mysql_native_password BY '$password'";
- $connection->executeUpdate($query);
- $query = "CREATE USER '$name'@'%' IDENTIFIED WITH mysql_native_password BY '$password'";
- $connection->executeUpdate($query);
+ $query = "CREATE USER ?@'localhost' IDENTIFIED WITH mysql_native_password BY ?";
+ $connection->executeUpdate($query, [$name,$password]);
+ $query = "CREATE USER ?@'%' IDENTIFIED WITH mysql_native_password BY ?";
+ $connection->executeUpdate($query, [$name,$password]);
} else {
- $query = "CREATE USER '$name'@'localhost' IDENTIFIED BY '$password'";
- $connection->executeUpdate($query);
- $query = "CREATE USER '$name'@'%' IDENTIFIED BY '$password'";
- $connection->executeUpdate($query);
+ $query = "CREATE USER ?@'localhost' IDENTIFIED BY ?";
+ $connection->executeUpdate($query, [$name,$password]);
+ $query = "CREATE USER ?@'%' IDENTIFIED BY ?";
+ $connection->executeUpdate($query, [$name,$password]);
}
} catch (\Exception $ex) {
$this->logger->error('Database user creation failed.', [
@@ -119,7 +119,7 @@ class MySQL extends AbstractDatabase {
}
/**
- * @param $username
+ * @param string $username
* @param IDBConnection $connection
*/
private function createSpecificUser($username, $connection): void {
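Review bot: The rewritten `CREATE USER ?@'localhost' ... BY ?` statements in the third hunk bind the account name and password as parameters, which only works if the driver substitutes the values client-side or the server accepts a parameter marker in the account-name position of `CREATE USER`; that should be confirmed against the supported MySQL and MariaDB versions with server-side prepared statements, because the commit message motivates the change only as silencing a psalm taint report and a failure here would surface only during installation. If it does not hold, the safer alternative is to keep the statement literal but quote each value through the connection's string quoting rather than interpolating the raw setup values again. A welcome side effect is that `$query` no longer embeds the password, so if the log context passed to `$this->logger->error('Database user creation failed.', [` includes the query string it no longer leaks the credential; that array continues outside the hunk, so please check what it contains. As a point of style, write the parameter arrays as `[$name, $password]` with a space after the comma, consistent with the rest of the file. The enclosing `createDBUser` body starts and ends outside this hunk.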