summaryrefslogtreecommitdiffstats
path: root/lib/installer.php
diff options
context:
space:
mode:
authorFrank Karlitschek <karlitschek@kde.org>2012-04-21 22:47:56 +0200
committerFrank Karlitschek <karlitschek@kde.org>2012-04-21 22:47:56 +0200
commita86d89f5ca8d71febd764b20e939010901be4974 (patch)
tree3ce00a6814b425d0a8fc09fad80ad7062cb44267 /lib/installer.php
parent6bfe2289be05e9f54272a86a0f957ec41ef32e28 (diff)
downloadnextcloud-server-a86d89f5ca8d71febd764b20e939010901be4974.tar.gz
nextcloud-server-a86d89f5ca8d71febd764b20e939010901be4974.zip
Add a static code checker for evil patterns in apps.
Disabled by default for now. We will check for private api calls here later once the public api is in place
Diffstat (limited to 'lib/installer.php')
-rw-r--r--lib/installer.php59
1 files changed, 56 insertions, 3 deletions
diff --git a/lib/installer.php b/lib/installer.php
index 6edf4ce1b74..d5592273815 100644
--- a/lib/installer.php
+++ b/lib/installer.php
@@ -47,6 +47,7 @@ class OC_Installer{
* This function works as follows
* -# fetching the file
* -# unzipping it
+ * -# check the code
* -# installing the database at appinfo/database.xml
* -# including appinfo/install.php
* -# setting the installed version
@@ -91,6 +92,7 @@ class OC_Installer{
//extract the archive in a temporary folder
$extractDir=OC_Helper::tmpFolder();
+ OC_Helper::rmdirr($extractDir);
mkdir($extractDir);
if($archive=OC_Archive::open($path)){
$archive->extract($extractDir);
@@ -102,7 +104,7 @@ class OC_Installer{
}
return false;
}
-
+
//load the info.xml file of the app
if(!is_file($extractDir.'/appinfo/info.xml')){
//try to find it in a subdir
@@ -125,6 +127,12 @@ class OC_Installer{
}
$info=OC_App::getAppInfo($extractDir.'/appinfo/info.xml',true);
$basedir=OC::$APPSROOT.'/apps/'.$info['id'];
+
+ // check the code for not allowed calls
+ if(!OC_Installer::checkCode($info['id'],$extractDir)){
+ OC_Helper::rmdirr($extractDir);
+ return false;
+ }
//check if an app with the same id is already installed
if(self::isInstalled( $info['id'] )){
@@ -151,8 +159,8 @@ class OC_Installer{
}
//copy the app to the correct place
- if(!mkdir($basedir)){
- OC_Log::write('core','Can\'t create app folder ('.$basedir.')',OC_Log::ERROR);
+ if(@!mkdir($basedir)){
+ OC_Log::write('core','Can\'t create app folder. Please fix permissions. ('.$basedir.')',OC_Log::ERROR);
OC_Helper::rmdirr($extractDir);
if($data['source']=='http'){
unlink($path);
@@ -300,4 +308,49 @@ class OC_Installer{
OC_Appconfig::setValue($app,'installed_version',OC_App::getAppVersion($app));
return $info;
}
+
+
+ /**
+ * check the code of an app with some static code checks
+ * @param string $folder the folder of the app to check
+ * @returns true for app is o.k. and false for app is not o.k.
+ */
+ public static function checkCode($appname,$folder){
+
+ $blacklist=array(
+ 'fopen(',
+ 'eval('
+ // more evil pattern will go here later
+ // will will also check if an app is using private api once the public api is in place
+
+ );
+
+ // is the code checker enabled?
+ if(OC_Config::getValue('appcodechecker', false)){
+
+ // check if grep is installed
+ $grep = exec('which grep');
+ if($grep=='') {
+ OC_Log::write('core','grep not installed. So checking the code of the app "'.$appname.'" was not possible',OC_Log::ERROR);
+ return true;
+ }
+
+ // iterate the bad patterns
+ foreach($blacklist as $bl) {
+ $cmd = 'grep -ri '.escapeshellarg($bl).' '.$folder.'';
+ $result = exec($cmd);
+ // bad pattern found
+ if($result<>'') {
+ OC_Log::write('core','App "'.$appname.'" is using a not allowed call "'.$bl.'". Installation refused.',OC_Log::ERROR);
+ return false;
+ }
+ }
+ return true;
+
+ }else{
+ return true;
+ }
+ }
+
+
}