path: root/tests/lib/AppFramework
Commit log (commit message; author, date, files changed, lines removed/added):

* fix(Entity): Fix magic setter call for custom strong typed setters [backport/48008/stable30]
  provokateurin, 2024-09-16, 1 file, -2/+7
    Signed-off-by: provokateurin <kate@provokateurin.de>

* feat: Provide CSP nonce as `<meta>` element
  Ferdinand Thiessen, 2024-08-13, 1 file, -1/+0
    This way we use the CSP nonce for dynamically loaded scripts.
    Important to notice: The CSP nonce must NOT be injected in `content` as this
    can lead to value exfiltration using e.g. side-channel attacks (CSS selectors).
    Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>

* test: Adjust tests for CSP nonce
  Ferdinand Thiessen, 2024-08-13, 3 files, -252/+253
    Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>

* fix(files_sharing): show proper share not found error message
  skjnldsv, 2024-08-06, 1 file, -2/+4
    Signed-off-by: skjnldsv <skjnldsv@protonmail.com>

* fix(AppFramework): Allow requests with OCS-APIRequest header to pass CSRF checks
  provokateurin, 2024-07-25, 1 file, -0/+20
    Signed-off-by: provokateurin <kate@provokateurin.de>

* feat(security): Add public API to allow validating IP Ranges and checking for "in range"
  Joas Schilling, 2024-07-19, 1 file, -2/+2
    Signed-off-by: Joas Schilling <coding@schilljs.com>
    Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>

* feat(security): restrict admin actions to IP ranges
  Benjamin Gaussorgues, 2024-07-19, 1 file, -1/+5
    Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>

* feat(Security): Warn about using annotations instead of attributes
  provokateurin, 2024-07-18, 2 files, -12/+19
    Signed-off-by: provokateurin <kate@provokateurin.de>

* feat(AppFramework): Add ExAppRequired attribute
  provokateurin, 2024-07-01, 2 files, -1/+58
    Signed-off-by: provokateurin <kate@provokateurin.de>

* refactor(Token): introduce scope constants
  Arthur Schiwon, 2024-06-05, 1 file, -1/+1
    Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

* fix(Session): avoid password confirmation on SSO
  Arthur Schiwon, 2024-06-05, 2 files, -1/+63
    SSO backends like SAML and OIDC tried a trick to suppress password
    confirmations as they are not possible by design. At least for SAML it was
    not reliable when existing user backends were used as user repositories.
    Now we are setting a special scope with the token, and also make sure that
    the scope is taken over when tokens are regenerated.
    Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

* chore: Add SPDX header
  Andy Scherzinger, 2024-05-13, 61 files, -1016/+153
    Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>

* fix: Fix tests following OC_App migrations to IAppManager
  Côme Chilliet, 2024-04-22, 2 files, -7/+15
    Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>

* fix: add check for app_api_system session flag to bypass rate limit
  Florian Klinger, 2024-03-18, 1 file, -1/+5
    Signed-off-by: Florian Klinger <florian.klinger@nextcloud.com>
    Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>

* fix xml ocs response for serializable objects
  Klaus, 2024-02-23, 1 file, -0/+39
    Signed-off-by: sualko <klaus@jsxc.org>
    Signed-off-by: skjnldsv <skjnldsv@protonmail.com>

* test(request): Add tests to strip the port when forwarding requests
  Joas Schilling, 2024-02-13, 1 file, -288/+119
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* Add timezone getter to ITimeFactory
  Anna Larch, 2024-02-13, 1 file, -0/+17
    Signed-off-by: Anna Larch <anna@nextcloud.com>

* better tests
  Maxence Lange, 2024-02-01, 1 file, -129/+606
    Signed-off-by: Maxence Lange <maxence@artificial-owl.com>

* fix lint
  Maxence Lange, 2024-01-31, 1 file, -18/+18
    Signed-off-by: Maxence Lange <maxence@artificial-owl.com>

* adding test
  Maxence Lange, 2024-01-31, 1 file, -0/+214
    Signed-off-by: Maxence Lange <maxence@artificial-owl.com>

* test(unit): fix RequestTest
  Arthur Schiwon, 2024-01-27, 1 file, -3/+4
    Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

* fix(API): Use a distinct exception so apps can react to it and customize the return
  Joas Schilling, 2023-11-28, 1 file, -1/+2
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* enh(dispatcher): enforce psalm ranges in the http dispatcher
  Arthur Schiwon, 2023-11-24, 2 files, -0/+68
    - allows devs to provide int ranges for API arguments
    Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
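The kind of range enforcement the commit above describes, as an added example that is not the project's code. It is written in Python rather than the project's PHP since the check itself is not tied to the framework's classes. The `int<low, high>` syntax with `min`/`max` for an open bound is psalm's; that the dispatcher reads it from `@psalm-param` lines of the controller docblock, the `RangeError` type and the sample docblock are assumptions for this example.

```python
"""Enforcing psalm int ranges on request arguments.

Added example, not the project's dispatcher. Reading `@psalm-param` from
the controller docblock, RangeError and SAMPLE_DOCBLOCK are assumptions.
"""
from __future__ import annotations

import re

# One psalm int range: int<LOW, HIGH>; LOW may be `min`, HIGH may be `max`.
_RANGE_RE = re.compile(r"^int<\s*(min|-?\d+)\s*,\s*(max|-?\d+)\s*>$")
# Only canonical decimal integers are accepted from the request: "1e2",
# " 5", "0x10", "5.0" or "007" must be rejected rather than coerced.
_INT_RE = re.compile(r"-?(0|[1-9]\d*)")


class RangeError(ValueError):
    """Argument is not an integer or lies outside its declared range."""


def parse_int_range(annotation: str) -> tuple[int | None, int | None]:
    """Return (low, high) for an `int<low, high>` annotation; None = open bound."""
    m = _RANGE_RE.match(annotation.strip())
    if not m:
        raise ValueError(f"not a psalm int range: {annotation!r}")
    low_s, high_s = m.groups()
    low = None if low_s == "min" else int(low_s)
    high = None if high_s == "max" else int(high_s)
    if low is not None and high is not None and low > high:
        raise ValueError(f"empty range: {annotation!r}")
    return low, high


def parse_param_ranges(docblock: str) -> dict[str, tuple[int | None, int | None]]:
    """Collect `@psalm-param int<a, b> $name` declarations from a docblock."""
    return {
        m.group(2): parse_int_range(m.group(1))
        for m in re.finditer(r"@psalm-param\s+(int<[^>]*>)\s+\$(\w+)", docblock)
    }


def enforce_ranges(ranges: dict[str, tuple[int | None, int | None]],
                   args: dict[str, str]) -> dict[str, int]:
    """Check every ranged argument that was supplied; return the coerced ints."""
    checked: dict[str, int] = {}
    for name, (low, high) in ranges.items():
        if name not in args:
            continue                      # absent: the controller default applies
        raw = args[name]
        if not _INT_RE.fullmatch(raw):
            raise RangeError(f"{name}: not an integer: {raw!r}")
        value = int(raw)
        lo = "min" if low is None else low
        hi = "max" if high is None else high
        if (low is not None and value < low) or (high is not None and value > high):
            raise RangeError(f"{name}={value} is outside int<{lo}, {hi}>")
        checked[name] = value
    return checked


# Constructed controller docblock, as the dispatcher would obtain it via reflection.
SAMPLE_DOCBLOCK = """
/**
 * List entries of a folder.
 *
 * @psalm-param int<1, 100> $limit
 * @psalm-param int<0, max> $offset
 */
"""

if __name__ == "__main__":
    ranges = parse_param_ranges(SAMPLE_DOCBLOCK)
    print(enforce_ranges(ranges, {"limit": "25", "offset": "0"}))
    try:
        enforce_ranges(ranges, {"limit": "0"})
    except RangeError as err:
        print("rejected:", err)
```

Rejecting non-canonical integer spellings before the comparison matters: a loose `int()` cast would turn `"1e2"` into an error only by accident and `"007"` into a silently accepted value, while the declared range says nothing about either.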
* chore: apply changes from Nextcloud coding standards 1.1.1
  Joas Schilling, 2023-11-23, 4 files, -11/+11
    Signed-off-by: Joas Schilling <coding@schilljs.com>
    Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>

* fix(CSP): Only add `strict-dynamic` when using nonces
  Ferdinand Thiessen, 2023-11-17, 2 files, -59/+59
    Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>

* fix!(ContentSecurityPolicy): Make `strict-dynamic` enabled by default on `script-src-elem`
  Ferdinand Thiessen, 2023-11-17, 1 file, -76/+73
    Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>

* feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on `script-src-elem` only
  Ferdinand Thiessen, 2023-11-17, 2 files, -0/+73
    This adds the possibility to set `strict-dynamic` on `script-src-elem` only
    while keeping the default rules for `script-src`. The idea is to allow
    loading module js which imports other files and thus does not allow nonces
    on import but on the initial script tag.
    Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>

* Reverse X-Forwarded-For list to read the correct proxy remote address
  Joas Schilling, 2023-11-16, 1 file, -6/+32
    Signed-off-by: Joas Schilling <coding@schilljs.com>
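The two mechanisms named in this log, walking `X-Forwarded-For` from the right past trusted proxies (the commit above) and checking an address against configured IP ranges before allowing an admin action (the "validating IP Ranges" and "restrict admin actions to IP ranges" commits further up), as one added example. It is not the project's code and is written in Python rather than PHP; the trusted-proxy list, the admin ranges, the header values and the behaviour on a malformed header entry are constructed assumptions.

```python
"""Resolving the client address behind trusted reverse proxies, then checking
it against allowed IP ranges. Added example, not the project's code;
TRUSTED_PROXIES, ADMIN_RANGES and the sample headers are constructed."""
from __future__ import annotations

import ipaddress


def parse_ranges(ranges: list[str]) -> list[ipaddress.IPv4Network | ipaddress.IPv6Network]:
    """Parse CIDR strings (or bare addresses) into networks. An invalid entry
    raises ValueError so a typo cannot silently widen or drop a range."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def in_ranges(addr: str, networks) -> bool:
    """True when `addr` lies inside any of `networks` (v4 and v6 may be mixed).
    IPv4-mapped IPv6 (::ffff:a.b.c.d) is compared as the IPv4 address it carries."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in networks)


def strip_port(value: str) -> str:
    """'203.0.113.7:443' -> '203.0.113.7'; '[2001:db8::1]:443' -> '2001:db8::1';
    a bare IPv6 address (several colons, no brackets) is returned unchanged."""
    value = value.strip()
    if value.startswith("[") and "]" in value:
        return value[1:value.index("]")]
    if value.count(":") == 1:
        return value.rsplit(":", 1)[0]
    return value


def remote_address(remote_addr: str, xff: str | None, trusted_proxies) -> str:
    """Walk X-Forwarded-For from the right, discarding trusted proxies.

    Each proxy appends the address it saw, so only the right-most entries were
    written by hops we control. Reading left to right would hand the caller
    whatever it placed in the header itself.
    """
    if not xff or not in_ranges(remote_addr, trusted_proxies):
        return remote_addr                # not behind a trusted proxy: header is untrusted
    candidate = remote_addr
    for hop in reversed([h for h in xff.split(",") if h.strip()]):
        hop = strip_port(hop)
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                         # malformed entry: keep the last valid hop
        candidate = hop
        if not in_ranges(hop, trusted_proxies):
            break                         # first untrusted hop is the client
    return candidate


def admin_action_allowed(client_ip: str, admin_ranges) -> bool:
    """Restrict admin actions to configured ranges; an empty list means the
    restriction is not configured (assumption for this example)."""
    return not admin_ranges or in_ranges(client_ip, admin_ranges)


# Constructed configuration.
TRUSTED_PROXIES = parse_ranges(["10.0.0.0/8", "2001:db8:1::/48"])
ADMIN_RANGES = parse_ranges(["192.0.2.0/24", "2001:db8:2::/64"])

if __name__ == "__main__":
    # Client 198.51.100.9 tried to smuggle an admin-range address into the header.
    spoofed = "192.0.2.10, 198.51.100.9, 10.0.0.7"
    client = remote_address("10.0.0.5", spoofed, TRUSTED_PROXIES)
    print(client, admin_action_allowed(client, ADMIN_RANGES))   # 198.51.100.9 False
```

The spoofed header in the usage shows why the direction matters: read left to right, `192.0.2.10` would pass the admin range check; read from the right past the trusted `10.0.0.7`, the first untrusted hop is the real client.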
* feat(dependencyinjection): Allow optional (nullable) services
  Christoph Wurst, 2023-11-03, 1 file, -0/+24
    Allows working with classes that might or might not be available.
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

*   Merge pull request #39852 from nextcloud/pragmaHeader
    Ferdinand Thiessen, 2023-10-18, 1 file, -2/+0
      Stop sending deprecated Pragma header

| * Stop sending deprecated Pragma header
    Git'Fellow, 2023-08-28, 1 file, -2/+0
      Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>

* | techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25
    Joas Schilling, 2023-08-28, 3 files, -10/+11
      Signed-off-by: Joas Schilling <coding@schilljs.com>

* Allow "wasm-unsafe-eval" in CSP
  Daniel Calviño Sánchez, 2023-08-10, 2 files, -0/+14
    If a page has a Content Security Policy header and the `script-src` (or
    `default-src`) directive contains neither `wasm-unsafe-eval` nor
    `unsafe-eval`, loading and executing WebAssembly is blocked in the page
    (although it is still possible to load and execute WebAssembly in a worker
    thread).
    Although the Nextcloud classes to manage the CSP already supported allowing
    `unsafe-eval`, this affects not only WebAssembly but also the `eval`
    operation in JavaScript. To make it possible to allow WebAssembly execution
    without allowing JavaScript `eval`, this commit adds support for allowing
    `wasm-unsafe-eval`.
    Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
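The CSP rules that the commit above and the three `strict-dynamic` commits further up describe, as one added example: a per-response nonce, `'strict-dynamic'` emitted only when a nonce is in use and by default only on `script-src-elem` so that `script-src` keeps its host allow-list, and `'wasm-unsafe-eval'` kept apart from `'unsafe-eval'`. The example also emits the nonce where the "Provide CSP nonce" commit says it must go, in a `nonce` attribute rather than a plain attribute value. This is not the project's PHP policy class; the class and method names, the `default-src 'none'` baseline, the directive order and the 128-bit nonce size are assumptions.

```python
"""Building a Content-Security-Policy header with nonce, strict-dynamic on
script-src-elem only, and wasm-unsafe-eval separate from unsafe-eval.
Added example, not the project's code; names and defaults are assumptions."""
from __future__ import annotations

import html
import secrets


class ContentSecurityPolicy:
    def __init__(self) -> None:
        self.script_src: list[str] = ["'self'"]
        self.nonce: str | None = None
        self.allow_eval = False            # JavaScript eval(), Function(), string timers
        self.allow_wasm_eval = False       # WebAssembly compilation only
        self.strict_dynamic = False        # put 'strict-dynamic' on script-src
        self.strict_dynamic_elem = True    # put it on script-src-elem only (default)

    def use_nonce(self) -> str:
        """Generate a fresh 128-bit nonce for this response."""
        self.nonce = secrets.token_urlsafe(16)
        return self.nonce

    def allow_script_domain(self, source: str) -> None:
        self.script_src.append(source)

    def script_sources(self) -> list[str]:
        sources = list(self.script_src)
        if self.nonce:
            sources.append(f"'nonce-{self.nonce}'")
        if self.allow_eval:
            sources.append("'unsafe-eval'")          # already covers WebAssembly
        elif self.allow_wasm_eval:
            sources.append("'wasm-unsafe-eval'")     # WebAssembly without JS eval
        return sources

    def directives(self) -> dict[str, str]:
        sources = self.script_sources()
        # Without a nonce there is nothing for 'strict-dynamic' to propagate
        # trust from; it would only switch off the host allow-list. So it is
        # emitted only once a nonce has been set.
        strict_script = self.strict_dynamic and self.nonce is not None
        strict_elem = self.strict_dynamic_elem and self.nonce is not None
        out = {"default-src": "'none'"}
        out["script-src"] = " ".join(sources + (["'strict-dynamic'"] if strict_script else []))
        if strict_elem and not strict_script:
            # script-src-elem covers <script> elements and falls back to
            # script-src where it is absent; keeping script-src free of
            # 'strict-dynamic' leaves its host allow-list in force.
            out["script-src-elem"] = " ".join(sources + ["'strict-dynamic'"])
        return out

    def build(self) -> str:
        return "; ".join(f"{name} {value}" for name, value in self.directives().items())

    def script_tag(self, src: str) -> str:
        """Emit a nonced <script>. The nonce belongs in the `nonce` attribute,
        whose value browsers clear from the element once it is parsed (nonce
        hiding), not in an ordinary attribute such as <meta content="...">
        that a CSS attribute selector could match character by character."""
        if not self.nonce:
            raise RuntimeError("call use_nonce() before emitting script tags")
        return f'<script nonce="{self.nonce}" src="{html.escape(src, quote=True)}"></script>'


if __name__ == "__main__":
    policy = ContentSecurityPolicy()
    policy.allow_wasm_eval = True
    policy.use_nonce()
    print(policy.build())
    print(policy.script_tag("/js/app.js"))
```

With `allow_eval` set, `'wasm-unsafe-eval'` is deliberately not added as well: `'unsafe-eval'` already permits WebAssembly, and listing both would only suggest a distinction the browser does not make.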
* fix!: Remove legacy event dispatching Symfony's GenericEvent from AdditionalScripts
  Joas Schilling, 2023-07-27, 1 file, -41/+0
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(request): Allow to match the client version with the IRequest::USER_AGENT_* regex
  Joas Schilling, 2023-07-11, 1 file, -0/+57
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* Add template types to responses
  jld3103, 2023-06-30, 1 file, -1/+4
    Signed-off-by: jld3103 <jld3103yt@gmail.com>

* Allow stdClass in XML responses
  jld3103, 2023-06-13, 1 file, -1/+2
    Signed-off-by: jld3103 <jld3103yt@gmail.com>

* chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript
  Christoph Wurst, 2023-06-12, 3 files, -37/+3
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* fix(middleware): Also abort the request when reaching max delay in afterController
  Joas Schilling, 2023-05-15, 1 file, -7/+7
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(security): Add PHP \Attribute for remaining security annotations
  Joas Schilling, 2023-04-25, 8 files, -250/+801
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(ratelimit): Add Attributes support to rate limit middleware
  Joas Schilling, 2023-04-24, 1 file, -103/+170
    Signed-off-by: Joas Schilling <coding@schilljs.com>

*   Merge branch 'master' into enh/type-iconfig-getter-calls
    Côme Chilliet, 2023-04-20, 1 file, -8/+8
      Signed-off-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>

| * feat(app-framework): Add native argument types for middleware
    Christoph Wurst, 2023-04-18, 1 file, -8/+8
      Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* | Adapt tests to config value typing
    Côme Chilliet, 2023-04-05, 1 file, -6/+6
      Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>

* Add a debug message when throttling without defining
  Joas Schilling, 2023-03-08, 1 file, -6/+33
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple
  Joas Schilling, 2023-03-08, 1 file, -61/+168
    Signed-off-by: Joas Schilling <coding@schilljs.com>

* feat(appframework): ⌚ Make ITimeFactory extend \PSR\Clock\ClockInterface
  Joas Schilling, 2023-03-03, 1 file, -0/+49
    Signed-off-by: Joas Schilling <coding@schilljs.com>

*   Merge pull request #36396 from nextcloud/fix/cors
    Julius Härtl, 2023-02-17, 1 file, -1/+35

| * fix(CORS): CORS should only be bypassed on `PublicPage` if not logged in to prevent CSRF attack vectors
    Ferdinand Thiessen, 2023-02-16, 1 file, -1/+35
      Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
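The two CSRF decisions this log records, as one added example: the CORS middleware's `PublicPage` exemption that must apply only to anonymous callers (the commit above), and the `OCS-APIRequest` header that lets a request pass the CSRF check without a token (the "Allow requests with OCS-APIRequest header" commit further up). This is a simplified model in Python, not the project's middleware; the `Request` class, the flag names (after the `PublicPage`, `CORS` and `NoCSRFRequired` attributes named in this log), the decision order and the rationale for the header shortcut are assumptions of this example.

```python
"""When a request may skip the CSRF token check. Added example, not the
project's middleware; the request model and decision order are assumptions."""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    headers: dict[str, str] = field(default_factory=dict)
    params: dict[str, str] = field(default_factory=dict)
    logged_in: bool = False              # session cookie resolved to a user
    session_token: str | None = None     # CSRF token stored in that session

    def header(self, name: str) -> str | None:
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower())


def has_valid_csrf_token(req: Request) -> bool:
    """Token from header or query must match the session's token exactly."""
    if not req.session_token:
        return False
    sent = req.header("requesttoken") or req.params.get("requesttoken")
    return bool(sent) and hmac.compare_digest(sent, req.session_token)


def passes_csrf_check(req: Request, no_csrf_required: bool = False) -> bool:
    """CSRF middleware decision for an ordinary (non-CORS) endpoint.

    A request carrying the custom `OCS-APIRequest` header is accepted without
    a token: a browser will not attach a custom header to a cross-origin
    request without a CORS preflight, which this endpoint does not grant to
    foreign origins, so its presence rules out a plain cross-site form post.
    (Rationale as understood here; an assumption of this example.)
    """
    if no_csrf_required:
        return True
    if req.header("OCS-APIRequest") is not None:
        return True
    return has_valid_csrf_token(req)


def cors_middleware_allows(req: Request, public_page: bool) -> bool:
    """CORS middleware for an endpoint that deliberately accepts foreign
    origins. A PublicPage endpoint is exempt from the token only while the
    caller is anonymous: once a logged-in session cookie is present a foreign
    origin could otherwise ride that cookie into the endpoint, so the token
    is demanded again. The OCS header shortcut does not apply here, since
    foreign origins may legitimately send that header to a CORS endpoint."""
    if public_page and not req.logged_in:
        return True
    return has_valid_csrf_token(req)


if __name__ == "__main__":
    token = "c3RhdGljLXRva2Vu"           # constructed session token
    victim = Request(logged_in=True, session_token=token)   # cookie, no token
    print(cors_middleware_allows(victim, public_page=True))  # False
    print(passes_csrf_check(Request(headers={"OCS-APIRequest": "true"})))  # True
```

The case the fix closes is the `victim` request: a logged-in browser carrying its session cookie but no token. Before the change a `PublicPage` CORS endpoint let it through; with the exemption limited to anonymous callers it is refused unless the token matches.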
* | Change X-Robots-Tag header from "none" to "noindex, nofollow"
    MichaIng, 2023-02-15, 3 files, -3/+3
      While "none" is indeed equivalent to "noindex, nofollow" for Google, it
      seems to be not supported by Bing and probably other search engines.
      https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta/name#other_metadata_names
      https://developers.google.com/search/docs/crawling-indexing/robots-meta-tag?hl=de#comma-separated-list
      https://www.bing.com/webmasters/help/which-robots-metatags-does-bing-support-5198d240
      Signed-off-by: MichaIng <micha@dietpi.com>