author | Sebastian Krupinski <165827823+SebastianKrupinski@users.noreply.github.com> | 2024-07-08 09:10:09 -0400 |
committer | GitHub <noreply@github.com> | 2024-07-08 09:10:09 -0400 |
commit | fe90956aa45df0638169081e0854d2ec035f1c95 (patch) | |
tree | e0fcaeabf2592ac000832c88e3d5f35ce91211f4 /apps/dav | |
parent | 59d6b370ee743ba5a7c0b4797977c4c4cd008ee7 (diff) | |
parent | 247fbb55384061c10d53f2ea173a1f03be4a5f68 (diff) | |
Merge pull request #46315 from nextcloud/fix/limit-vevent-size
fix(caldav): limit vevent size
Diffstat (limited to 'apps/dav')
-rw-r--r-- | apps/dav/appinfo/v1/caldav.php | 2 | ||||
-rw-r--r-- | apps/dav/composer/composer/autoload_classmap.php | 1 | ||||
-rw-r--r-- | apps/dav/composer/composer/autoload_static.php | 1 | ||||
-rw-r--r-- | apps/dav/lib/CalDAV/Validation/CalDavValidatePlugin.php | 40 | ||||
-rw-r--r-- | apps/dav/lib/Server.php | 2 | ||||
-rw-r--r-- | apps/dav/tests/unit/CalDAV/Validation/CalDavValidatePluginTest.php | 73 |
6 files changed, 119 insertions, 0 deletions
diff --git a/apps/dav/appinfo/v1/caldav.php b/apps/dav/appinfo/v1/caldav.php
index faa277285f6..ecfc91cfa8b 100644
--- a/apps/dav/appinfo/v1/caldav.php
+++ b/apps/dav/appinfo/v1/caldav.php
@@ -10,6 +10,7 @@ use OC\KnownUser\KnownUserService;
 use OCA\DAV\CalDAV\CalDavBackend;
 use OCA\DAV\CalDAV\CalendarRoot;
 use OCA\DAV\CalDAV\Security\RateLimitingPlugin;
+use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
 use OCA\DAV\Connector\LegacyDAVACL;
 use OCA\DAV\Connector\Sabre\Auth;
 use OCA\DAV\Connector\Sabre\ExceptionLoggerPlugin;
@@ -98,6 +99,7 @@ if ($sendInvitations) {
 }
 $server->addPlugin(new ExceptionLoggerPlugin('caldav', $logger));
 $server->addPlugin(\OCP\Server::get(RateLimitingPlugin::class));
+$server->addPlugin(\OCP\Server::get(CalDavValidatePlugin::class));
 // And off we go!
 $server->exec();
diff --git a/apps/dav/composer/composer/autoload_classmap.php b/apps/dav/composer/composer/autoload_classmap.php
index 74a3f63f1f2..ff1fb0637ad 100644
--- a/apps/dav/composer/composer/autoload_classmap.php
+++ b/apps/dav/composer/composer/autoload_classmap.php
@@ -112,6 +112,7 @@ return array(
     'OCA\\DAV\\CalDAV\\Trashbin\\Plugin' => $baseDir . '/../lib/CalDAV/Trashbin/Plugin.php',
     'OCA\\DAV\\CalDAV\\Trashbin\\RestoreTarget' => $baseDir . '/../lib/CalDAV/Trashbin/RestoreTarget.php',
     'OCA\\DAV\\CalDAV\\Trashbin\\TrashbinHome' => $baseDir . '/../lib/CalDAV/Trashbin/TrashbinHome.php',
+    'OCA\\DAV\\CalDAV\\Validation\\CalDavValidatePlugin' => $baseDir . '/../lib/CalDAV/Validation/CalDavValidatePlugin.php',
     'OCA\\DAV\\CalDAV\\WebcalCaching\\Plugin' => $baseDir . '/../lib/CalDAV/WebcalCaching/Plugin.php',
     'OCA\\DAV\\CalDAV\\WebcalCaching\\RefreshWebcalService' => $baseDir . '/../lib/CalDAV/WebcalCaching/RefreshWebcalService.php',
     'OCA\\DAV\\Capabilities' => $baseDir . '/../lib/Capabilities.php',
diff --git a/apps/dav/composer/composer/autoload_static.php b/apps/dav/composer/composer/autoload_static.php
index 723bd8b2787..081915e95f2 100644
--- a/apps/dav/composer/composer/autoload_static.php
+++ b/apps/dav/composer/composer/autoload_static.php
@@ -127,6 +127,7 @@ class ComposerStaticInitDAV
         'OCA\\DAV\\CalDAV\\Trashbin\\Plugin' => __DIR__ . '/..' . '/../lib/CalDAV/Trashbin/Plugin.php',
         'OCA\\DAV\\CalDAV\\Trashbin\\RestoreTarget' => __DIR__ . '/..' . '/../lib/CalDAV/Trashbin/RestoreTarget.php',
         'OCA\\DAV\\CalDAV\\Trashbin\\TrashbinHome' => __DIR__ . '/..' . '/../lib/CalDAV/Trashbin/TrashbinHome.php',
+        'OCA\\DAV\\CalDAV\\Validation\\CalDavValidatePlugin' => __DIR__ . '/..' . '/../lib/CalDAV/Validation/CalDavValidatePlugin.php',
         'OCA\\DAV\\CalDAV\\WebcalCaching\\Plugin' => __DIR__ . '/..' . '/../lib/CalDAV/WebcalCaching/Plugin.php',
         'OCA\\DAV\\CalDAV\\WebcalCaching\\RefreshWebcalService' => __DIR__ . '/..' . '/../lib/CalDAV/WebcalCaching/RefreshWebcalService.php',
         'OCA\\DAV\\Capabilities' => __DIR__ . '/..' . '/../lib/Capabilities.php',
diff --git a/apps/dav/lib/CalDAV/Validation/CalDavValidatePlugin.php b/apps/dav/lib/CalDAV/Validation/CalDavValidatePlugin.php
new file mode 100644
index 00000000000..680e5a1f02a
--- /dev/null
+++ b/apps/dav/lib/CalDAV/Validation/CalDavValidatePlugin.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\DAV\CalDAV\Validation;
+
+use OCA\DAV\AppInfo\Application;
+use OCP\IAppConfig;
+use Sabre\DAV\Exception\Forbidden;
+use Sabre\DAV\Server;
+use Sabre\DAV\ServerPlugin;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
+
+class CalDavValidatePlugin extends ServerPlugin {
+
+	public function __construct(
+		private IAppConfig $config
+	) {
+	}
+
+	public function initialize(Server $server): void {
+		$server->on('beforeMethod:PUT', [$this, 'beforePut']);
+	}
+
+	public function beforePut(RequestInterface $request, ResponseInterface $response): bool {
+		// evaluate if card size exceeds defined limit
+		$eventSizeLimit = $this->config->getValueInt(Application::APP_ID, 'event_size_limit', 10485760);
+		if ((int) $request->getRawServerValue('CONTENT_LENGTH') > $eventSizeLimit) {
+			throw new Forbidden("VEvent or VTodo object exceeds $eventSizeLimit bytes");
+		}
+		// all tests passed return true
+		return true;
+	}
+
+}
diff --git a/apps/dav/lib/Server.php b/apps/dav/lib/Server.php
index 838c6002dca..b2ffef27a9d 100644
--- a/apps/dav/lib/Server.php
+++ b/apps/dav/lib/Server.php
@@ -11,6 +11,7 @@ use OCA\DAV\BulkUpload\BulkUploadPlugin;
 use OCA\DAV\CalDAV\BirthdayService;
 use OCA\DAV\CalDAV\Schedule\IMipPlugin;
 use OCA\DAV\CalDAV\Security\RateLimitingPlugin;
+use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
 use OCA\DAV\CardDAV\HasPhotoPlugin;
 use OCA\DAV\CardDAV\ImageExportPlugin;
 use OCA\DAV\CardDAV\MultiGetExportPlugin;
@@ -167,6 +168,7 @@ class Server {
 			));
 			$this->server->addPlugin(\OCP\Server::get(RateLimitingPlugin::class));
+			$this->server->addPlugin(\OCP\Server::get(CalDavValidatePlugin::class));
 		}
 		// addressbook plugins
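Review bot: `beforePut` enforces the limit only against the declared `CONTENT_LENGTH`; when that server value is absent (a request without a Content-Length header, e.g. chunked framing) `getRawServerValue` yields `null`, `(int)` turns it into 0, and the comparison passes, so the size of the body actually received is never checked against `event_size_limit`. To make the limit hold regardless of how the body is framed, the plugin should additionally measure the data in a hook that receives it (Sabre's `beforeCreateFile`/`beforeWriteContent` events pass the body), or the class docblock should state that this is a header-based pre-check only. The inline comment `// evaluate if card size exceeds defined limit` reads as if it were written for a vCard; `// reject early when the declared Content-Length exceeds the configured calendar-object limit` describes what the line does. The class and `beforePut` also lack docblocks; a one-line `@throws Forbidden when the declared request body size exceeds the configured limit` on `beforePut` would tell callers what to expect.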
diff --git a/apps/dav/tests/unit/CalDAV/Validation/CalDavValidatePluginTest.php b/apps/dav/tests/unit/CalDAV/Validation/CalDavValidatePluginTest.php
new file mode 100644
index 00000000000..0329279af09
--- /dev/null
+++ b/apps/dav/tests/unit/CalDAV/Validation/CalDavValidatePluginTest.php
@@ -0,0 +1,73 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\DAV\Tests\unit\CalDAV\Validation;
+
+use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
+use OCP\IAppConfig;
+use PHPUnit\Framework\MockObject\MockObject;
+use Sabre\DAV\Exception\Forbidden;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
+use Test\TestCase;
+
+class CalDavValidatePluginTest extends TestCase {
+
+	private CalDavValidatePlugin $plugin;
+	private IAppConfig|MockObject $config;
+	private RequestInterface|MockObject $request;
+	private ResponseInterface|MockObject $response;
+
+	protected function setUp(): void {
+		parent::setUp();
+		// construct mock objects
+		$this->config = $this->createMock(IAppConfig::class);
+		$this->request = $this->createMock(RequestInterface::class);
+		$this->response = $this->createMock(ResponseInterface::class);
+		$this->plugin = new CalDavValidatePlugin(
+			$this->config,
+		);
+	}
+
+	public function testPutSizeLessThenLimit(): void {
+
+		// construct method responses
+		$this->config
+			->method('getValueInt')
+			->with('dav', 'event_size_limit', 10485760)
+			->willReturn(10485760);
+		$this->request
+			->method('getRawServerValue')
+			->with('CONTENT_LENGTH')
+			->willReturn('1024');
+		// test condition
+		$this->assertTrue(
+			$this->plugin->beforePut($this->request, $this->response)
+		);
+
+	}
+
+	public function testPutSizeMoreThenLimit(): void {
+
+		// construct method responses
+		$this->config
+			->method('getValueInt')
+			->with('dav', 'event_size_limit', 10485760)
+			->willReturn(10485760);
+		$this->request
+			->method('getRawServerValue')
+			->with('CONTENT_LENGTH')
+			->willReturn('16242880');
+		$this->expectException(Forbidden::class);
+		// test condition
+		$this->plugin->beforePut($this->request, $this->response);
+
+	}
+
+}
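Review bot: The two tests leave the boundary and the missing-header cases unexercised — neither a `CONTENT_LENGTH` equal to the limit (which the plugin's `>` comparison admits) nor `getRawServerValue` returning `null` (coerced to 0 by the `(int)` cast) is covered, so the most security-relevant behaviour of `beforePut` has no pin. A third test with `->willReturn(null)` on the request mock would make whatever policy is chosen for requests without a declared length explicit and keep it from regressing silently. The method names `testPutSizeLessThenLimit` and `testPutSizeMoreThenLimit` read `Than`.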