diff options
Diffstat (limited to 'lib/private/AppFramework/Middleware/Security')
9 files changed, 28 insertions, 32 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php index 46c33083e42..c2d1d7783ed 100644 --- a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php @@ -63,7 +63,7 @@ class BruteForceMiddleware extends Middleware { public function beforeController($controller, $methodName) { parent::beforeController($controller, $methodName); - if($this->reflector->hasAnnotation('BruteForceProtection')) { + if ($this->reflector->hasAnnotation('BruteForceProtection')) { $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); $this->throttler->sleepDelay($this->request->getRemoteAddress(), $action); } @@ -73,7 +73,7 @@ class BruteForceMiddleware extends Middleware { * {@inheritDoc} */ public function afterController($controller, $methodName, Response $response) { - if($this->reflector->hasAnnotation('BruteForceProtection') && $response->isThrottled()) { + if ($this->reflector->hasAnnotation('BruteForceProtection') && $response->isThrottled()) { $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); $ip = $this->request->getRemoteAddress(); $this->throttler->sleepDelay($ip, $action); diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php index acfbab25ed4..af6d3de6570 100644 --- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php @@ -84,7 +84,7 @@ class CORSMiddleware extends Middleware { // ensure that @CORS annotated API routes are not used in conjunction // with session authentication since this enables CSRF attack vectors if ($this->reflector->hasAnnotation('CORS') && - !$this->reflector->hasAnnotation('PublicPage')) { + !$this->reflector->hasAnnotation('PublicPage')) { $user = $this->request->server['PHP_AUTH_USER']; $pass = $this->request->server['PHP_AUTH_PW']; @@ -113,13 +113,13 @@ class CORSMiddleware extends Middleware { public function afterController($controller, $methodName, Response $response) { // only react if its a CORS request and if the request sends origin and - if(isset($this->request->server['HTTP_ORIGIN']) && + if (isset($this->request->server['HTTP_ORIGIN']) && $this->reflector->hasAnnotation('CORS')) { // allow credentials headers must not be true or CSRF is possible // otherwise - foreach($response->getHeaders() as $header => $value) { - if(strtolower($header) === 'access-control-allow-credentials' && + foreach ($response->getHeaders() as $header => $value) { + if (strtolower($header) === 'access-control-allow-credentials' && strtolower(trim($value)) === 'true') { $msg = 'Access-Control-Allow-Credentials must not be '. 'set to true in order to prevent CSRF'; @@ -144,9 +144,9 @@ class CORSMiddleware extends Middleware { * @return Response a Response object or null in case that the exception could not be handled */ public function afterException($controller, $methodName, \Exception $exception) { - if($exception instanceof SecurityException){ + if ($exception instanceof SecurityException) { $response = new JSONResponse(['message' => $exception->getMessage()]); - if($exception->getCode() !== 0) { + if ($exception->getCode() !== 0) { $response->setStatus($exception->getCode()); } else { $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR); @@ -156,5 +156,4 @@ class CORSMiddleware extends Middleware { throw $exception; } - } diff --git a/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php b/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php index 3b9723cb6b9..057aa1529dc 100644 --- a/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/CSPMiddleware.php @@ -71,7 +71,7 @@ class CSPMiddleware extends Middleware { $defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy(); $defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy); - if($this->cspNonceManager->browserSupportsCspV3()) { + if ($this->cspNonceManager->browserSupportsCspV3()) { $defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue()); } diff --git a/lib/private/AppFramework/Middleware/Security/Exceptions/ReloadExecutionException.php b/lib/private/AppFramework/Middleware/Security/Exceptions/ReloadExecutionException.php index 46673a7e5ee..934cae991b4 100644 --- a/lib/private/AppFramework/Middleware/Security/Exceptions/ReloadExecutionException.php +++ b/lib/private/AppFramework/Middleware/Security/Exceptions/ReloadExecutionException.php @@ -27,5 +27,4 @@ declare(strict_types=1); namespace OC\AppFramework\Middleware\Security\Exceptions; class ReloadExecutionException extends SecurityException { - } diff --git a/lib/private/AppFramework/Middleware/Security/Exceptions/SecurityException.php b/lib/private/AppFramework/Middleware/Security/Exceptions/SecurityException.php index e55f8e3f50a..bfa4116d12e 100644 --- a/lib/private/AppFramework/Middleware/Security/Exceptions/SecurityException.php +++ b/lib/private/AppFramework/Middleware/Security/Exceptions/SecurityException.php @@ -30,4 +30,5 @@ namespace OC\AppFramework\Middleware\Security\Exceptions; * * @package OC\AppFramework\Middleware\Security\Exceptions */ -class SecurityException extends \Exception {} +class SecurityException extends \Exception { +} diff --git a/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php b/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php index c7bf8e2c947..2a7cf982ff8 100644 --- a/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php @@ -86,7 +86,7 @@ class RateLimitingMiddleware extends Middleware { $userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit'); $userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period'); $rateLimitIdentifier = get_class($controller) . '::' . $methodName; - if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) { + if ($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) { $this->limiter->registerUserRequest( $rateLimitIdentifier, $userLimit, @@ -107,7 +107,7 @@ class RateLimitingMiddleware extends Middleware { * {@inheritDoc} */ public function afterException($controller, $methodName, \Exception $exception) { - if($exception instanceof RateLimitExceededException) { + if ($exception instanceof RateLimitExceededException) { if (stripos($this->request->getHeader('Accept'),'html') === false) { $response = new JSONResponse( [ @@ -116,7 +116,7 @@ class RateLimitingMiddleware extends Middleware { $exception->getCode() ); } else { - $response = new TemplateResponse( + $response = new TemplateResponse( 'core', '403', [ @@ -124,7 +124,7 @@ class RateLimitingMiddleware extends Middleware { ], 'guest' ); - $response->setStatus($exception->getCode()); + $response->setStatus($exception->getCode()); } return $response; diff --git a/lib/private/AppFramework/Middleware/Security/ReloadExecutionMiddleware.php b/lib/private/AppFramework/Middleware/Security/ReloadExecutionMiddleware.php index af34ed57182..12b0ef4e27a 100644 --- a/lib/private/AppFramework/Middleware/Security/ReloadExecutionMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/ReloadExecutionMiddleware.php @@ -65,6 +65,4 @@ class ReloadExecutionMiddleware extends Middleware { return parent::afterException($controller, $methodName, $exception); } - - } diff --git a/lib/private/AppFramework/Middleware/Security/SameSiteCookieMiddleware.php b/lib/private/AppFramework/Middleware/Security/SameSiteCookieMiddleware.php index 5519b8705d9..70d4d4b88df 100644 --- a/lib/private/AppFramework/Middleware/Security/SameSiteCookieMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/SameSiteCookieMiddleware.php @@ -87,11 +87,11 @@ class SameSiteCookieMiddleware extends Middleware { // Append __Host to the cookie if it meets the requirements $cookiePrefix = ''; - if($cookieParams['secure'] === true && $cookieParams['path'] === '/') { + if ($cookieParams['secure'] === true && $cookieParams['path'] === '/') { $cookiePrefix = '__Host-'; } - foreach($policies as $policy) { + foreach ($policies as $policy) { header( sprintf( 'Set-Cookie: %snc_sameSiteCookie%s=true; path=%s; httponly;' . $secureCookie . 'expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=%s', diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php index 0ae2d37b374..5eb1d7f30be 100644 --- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php @@ -137,17 +137,17 @@ class SecurityMiddleware extends Middleware { // security checks $isPublicPage = $this->reflector->hasAnnotation('PublicPage'); - if(!$isPublicPage) { - if(!$this->isLoggedIn) { + if (!$isPublicPage) { + if (!$this->isLoggedIn) { throw new NotLoggedInException(); } - if($this->reflector->hasAnnotation('SubAdminRequired') + if ($this->reflector->hasAnnotation('SubAdminRequired') && !$this->isSubAdmin && !$this->isAdminUser) { throw new NotAdminException($this->l10n->t('Logged in user must be an admin or sub admin')); } - if(!$this->reflector->hasAnnotation('SubAdminRequired') + if (!$this->reflector->hasAnnotation('SubAdminRequired') && !$this->reflector->hasAnnotation('NoAdminRequired') && !$this->isAdminUser) { throw new NotAdminException($this->l10n->t('Logged in user must be an admin')); @@ -155,14 +155,14 @@ class SecurityMiddleware extends Middleware { } // Check for strict cookie requirement - if($this->reflector->hasAnnotation('StrictCookieRequired') || !$this->reflector->hasAnnotation('NoCSRFRequired')) { - if(!$this->request->passesStrictCookieCheck()) { + if ($this->reflector->hasAnnotation('StrictCookieRequired') || !$this->reflector->hasAnnotation('NoCSRFRequired')) { + if (!$this->request->passesStrictCookieCheck()) { throw new StrictCookieMissingException(); } } // CSRF check - also registers the CSRF token since the session may be closed later Util::callRegister(); - if(!$this->reflector->hasAnnotation('NoCSRFRequired')) { + if (!$this->reflector->hasAnnotation('NoCSRFRequired')) { /* * Only allow the CSRF check to fail on OCS Requests. This kind of * hacks around that we have no full token auth in place yet and we @@ -171,7 +171,7 @@ class SecurityMiddleware extends Middleware { * Additionally we allow Bearer authenticated requests to pass on OCS routes. * This allows oauth apps (e.g. moodle) to use the OCS endpoints */ - if(!$this->request->passesCSRFCheck() && !( + if (!$this->request->passesCSRFCheck() && !( $controller instanceof OCSController && ( $this->request->getHeader('OCS-APIREQUEST') === 'true' || strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0 @@ -209,8 +209,8 @@ class SecurityMiddleware extends Middleware { * @return Response a Response object or null in case that the exception could not be handled */ public function afterException($controller, $methodName, \Exception $exception): Response { - if($exception instanceof SecurityException) { - if($exception instanceof StrictCookieMissingException) { + if ($exception instanceof SecurityException) { + if ($exception instanceof StrictCookieMissingException) { return new RedirectResponse(\OC::$WEBROOT); } if (stripos($this->request->getHeader('Accept'),'html') === false) { @@ -219,7 +219,7 @@ class SecurityMiddleware extends Middleware { $exception->getCode() ); } else { - if($exception instanceof NotLoggedInException) { + if ($exception instanceof NotLoggedInException) { $params = []; if (isset($this->request->server['REQUEST_URI'])) { $params['redirect_url'] = $this->request->server['REQUEST_URI']; @@ -241,5 +241,4 @@ class SecurityMiddleware extends Middleware { throw $exception; } - } |