diff options
author | Lukas Reschke <lukas@statuscode.ch> | 2017-07-20 22:48:13 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2017-07-20 22:48:13 +0200 |
commit | 3d2600b0399af0dd4521469725f5e4bdf348bd2e (patch) | |
tree | b231906605d82e7fe537a81a9e10299ca9beb37f /apps | |
parent | 4826fd701dda218792b5072977b24da7d42a94fa (diff) | |
download | nextcloud-server-3d2600b0399af0dd4521469725f5e4bdf348bd2e.tar.gz nextcloud-server-3d2600b0399af0dd4521469725f5e4bdf348bd2e.zip |
Add Phan plugin to check for SQL injections
This adds a phan plugin which checks for SQL injections on code using our QueryBuilder, while it isn't perfect it should already catch most potential issues.
As always, static analysis will sometimes have false positives and this is also here the case. So in some cases the analyzer just doesn't know if something is potential user input or not, thus I had to add some `@suppress SqlInjectionChecker` in front of those potential injections.
The Phan plugin hasn't the most awesome code but it works and I also added a file with test cases.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'apps')
-rw-r--r-- | apps/dav/lib/CalDAV/CalDavBackend.php | 8 | ||||
-rw-r--r-- | apps/dav/lib/CardDAV/CardDavBackend.php | 3 | ||||
-rw-r--r-- | apps/files_external/lib/Service/DBConfigService.php | 4 |
3 files changed, 15 insertions, 0 deletions
diff --git a/apps/dav/lib/CalDAV/CalDavBackend.php b/apps/dav/lib/CalDAV/CalDavBackend.php index 0193d3c2aae..1cf27a80025 100644 --- a/apps/dav/lib/CalDAV/CalDavBackend.php +++ b/apps/dav/lib/CalDAV/CalDavBackend.php @@ -635,6 +635,7 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription * @param string $calendarUri * @param array $properties * @return int + * @suppress SqlInjectionChecker */ function createCalendar($principalUri, $calendarUri, array $properties) { $values = [ @@ -695,6 +696,7 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription * * Read the PropPatch documentation for more info and examples. * + * @param mixed $calendarId * @param PropPatch $propPatch * @return void */ @@ -702,6 +704,9 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription $supportedProperties = array_keys($this->propertyMap); $supportedProperties[] = '{' . Plugin::NS_CALDAV . '}schedule-calendar-transp'; + /** + * @suppress SqlInjectionChecker + */ $propPatch->handle($supportedProperties, function($mutations) use ($calendarId) { $newValues = []; foreach ($mutations as $propertyName => $propertyValue) { @@ -1618,6 +1623,9 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription $supportedProperties = array_keys($this->subscriptionPropertyMap); $supportedProperties[] = '{http://calendarserver.org/ns/}source'; + /** + * @suppress SqlInjectionChecker + */ $propPatch->handle($supportedProperties, function($mutations) use ($subscriptionId) { $newValues = []; diff --git a/apps/dav/lib/CardDAV/CardDavBackend.php b/apps/dav/lib/CardDAV/CardDavBackend.php index 5742f97b701..45a695c1869 100644 --- a/apps/dav/lib/CardDAV/CardDavBackend.php +++ b/apps/dav/lib/CardDAV/CardDavBackend.php @@ -348,6 +348,9 @@ class CardDavBackend implements BackendInterface, SyncSupport { '{' . Plugin::NS_CARDDAV . '}addressbook-description', ]; + /** + * @suppress SqlInjectionChecker + */ $propPatch->handle($supportedProperties, function($mutations) use ($addressBookId) { $updates = []; diff --git a/apps/files_external/lib/Service/DBConfigService.php b/apps/files_external/lib/Service/DBConfigService.php index 21818eec601..71a77cd4347 100644 --- a/apps/files_external/lib/Service/DBConfigService.php +++ b/apps/files_external/lib/Service/DBConfigService.php @@ -116,6 +116,7 @@ class DBConfigService { * Get admin defined mounts * * @return array + * @suppress SqlInjectionChecker */ public function getAdminMounts() { $builder = $this->connection->getQueryBuilder(); @@ -160,6 +161,7 @@ class DBConfigService { * @param int $type any of the self::APPLICABLE_TYPE_ constants * @param string|null $value user_id, group_id or null for global mounts * @return array + * @suppress SqlInjectionChecker */ public function getAdminMountsFor($type, $value) { $builder = $this->connection->getQueryBuilder(); @@ -175,6 +177,7 @@ class DBConfigService { * @param int $type any of the self::APPLICABLE_TYPE_ constants * @param string[] $values user_ids or group_ids * @return array + * @suppress SqlInjectionChecker */ public function getAdminMountsForMultiple($type, array $values) { $builder = $this->connection->getQueryBuilder(); @@ -198,6 +201,7 @@ class DBConfigService { * @param int $type any of the self::APPLICABLE_TYPE_ constants * @param string|null $value user_id, group_id or null for global mounts * @return array + * @suppress SqlInjectionChecker */ public function getUserMountsFor($type, $value) { $builder = $this->connection->getQueryBuilder(); |