From 95bafb49804ba893e40f3f367c55ef9b0fa9e963 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Mon, 30 Sep 2024 23:53:53 +0200
Subject: ci: Improve usability of running different psalm modes locally

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 .github/workflows/static-code-analysis.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)


diff --git a/.github/workflows/static-code-analysis.yml b/.github/workflows/static-code-analysis.yml
index 83b7452ee89..1fd77dccea4 100644
--- a/.github/workflows/static-code-analysis.yml
+++ b/.github/workflows/static-code-analysis.yml
@@ -34,7 +34,7 @@ jobs:
         run: composer i
 
       - name: Psalm
-        run: composer run psalm:ci -- --monochrome --no-progress --output-format=github --update-baseline --report=results.sarif
+        run: composer run psalm -- --threads=1 --monochrome --no-progress --output-format=github --update-baseline --report=results.sarif
 
       - name: Show potential changes in Psalm baseline
         if: always()
@@ -66,7 +66,7 @@ jobs:
         run: composer i
 
       - name: Psalm taint analysis
-        run: composer run psalm:ci -- --monochrome --no-progress --output-format=github --report=results.sarif --taint-analysis --ignore-baseline
+        run: composer run psalm:security -- --threads=1 --monochrome --no-progress --output-format=github --report=results.sarif
 
       - name: Upload Security Analysis results to GitHub
         if: always()
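Review bot: The new run line passes `--threads=1` after the `psalm:security` composer script (shown later in this series) has already supplied `--threads=$(nproc)`, so psalm receives the option twice; confirm that its option parser takes the last occurrence, otherwise this step may run with more threads than the commit intends. If last-wins is not guaranteed, move the thread count out of the composer scripts or add a CI-specific script rather than overriding on the command line. The same duplication is present in the other two run lines of this commit.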
@@ -96,7 +96,7 @@ jobs:
         run: composer i
 
       - name: Psalm
-        run: composer run psalm:ci -- -c psalm-ocp.xml --monochrome --no-progress --output-format=github --update-baseline
+        run: composer run psalm:ocp -- --threads=1 --monochrome --no-progress --output-format=github --update-baseline
 
       - name: Show potential changes in Psalm baseline
         if: always()
-- 
cgit v1.2.3


From 990ee44015da720acbcf22dfe583b181dd1655fd Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Mon, 30 Sep 2024 23:57:39 +0200
Subject: ci: Don't upload output of normal psalm to GitHub Security section

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 .github/workflows/static-code-analysis.yml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)


diff --git a/.github/workflows/static-code-analysis.yml b/.github/workflows/static-code-analysis.yml
index 1fd77dccea4..63ad51a26c6 100644
--- a/.github/workflows/static-code-analysis.yml
+++ b/.github/workflows/static-code-analysis.yml
@@ -34,18 +34,12 @@ jobs:
         run: composer i
 
       - name: Psalm
-        run: composer run psalm -- --threads=1 --monochrome --no-progress --output-format=github --update-baseline --report=results.sarif
+        run: composer run psalm -- --threads=1 --monochrome --no-progress --output-format=github --update-baseline
 
       - name: Show potential changes in Psalm baseline
         if: always()
         run: git diff --exit-code -- . ':!lib/composer'
 
-      - name: Upload Analysis results to GitHub
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: results.sarif
-
   static-code-analysis-security:
     runs-on: ubuntu-latest
 
-- 
cgit v1.2.3


From 570a9e208fa638c35f5ec1c9754acf2a66aa587d Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Tue, 1 Oct 2024 00:09:15 +0200
Subject: ci: Add psalm baseline for security and make CI fail on change

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 .github/CODEOWNERS                         |   2 +-
 .github/workflows/static-code-analysis.yml |   6 +-
 .reuse/dep5                                |   2 +-
 build/psalm-baseline-security.xml          | 138 +++++++++++++++++++++++++++++
 composer.json                              |   2 +-
 5 files changed, 146 insertions(+), 4 deletions(-)
 create mode 100644 build/psalm-baseline-security.xml


diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index e448bf922ce..afe17a95f84 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -37,9 +37,9 @@
 /apps/files_trashbin/src*         @skjnldsv
 
 # Security team
+/build/psalm-baseline-security.xml  @nickvergessen
 /resources/codesigning              @mgallien @miaulalala @nickvergessen
 /resources/config/ca-bundle.crt     @ChristophWurst @miaulalala @nickvergessen
-/.drone.yml                         @nickvergessen
 
 # Two-Factor Authentication
 # https://github.com/nextcloud/wg-two-factor-authentication#members
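Review bot: The new entry lists a single owner for `build/psalm-baseline-security.xml`, whereas the neighbouring security-team entries list three; because CI now fails whenever a fixed taint finding leaves the baseline stale, every such change will wait on one person if code-owner review is required. Consider the same set as the codesigning line, `/build/psalm-baseline-security.xml  @mgallien @miaulalala @nickvergessen`, if those are the intended reviewers. Keep in mind that CODEOWNERS is only advisory unless the branch protection rule requires owner review, so on its own it does not stop a taint finding from being silenced by editing the baseline; that setting is not visible here and is worth confirming. The `/.drone.yml` removal in the same hunk is not mentioned in the commit message.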
diff --git a/.github/workflows/static-code-analysis.yml b/.github/workflows/static-code-analysis.yml
index 63ad51a26c6..c5e8e957077 100644
--- a/.github/workflows/static-code-analysis.yml
+++ b/.github/workflows/static-code-analysis.yml
@@ -60,7 +60,11 @@ jobs:
         run: composer i
 
       - name: Psalm taint analysis
-        run: composer run psalm:security -- --threads=1 --monochrome --no-progress --output-format=github --report=results.sarif
+        run: composer run psalm:security -- --threads=1 --monochrome --no-progress --output-format=github --update-baseline --report=results.sarif
+
+      - name: Show potential changes in Psalm baseline
+        if: always()
+        run: git diff --exit-code -- . ':!lib/composer'
 
       - name: Upload Security Analysis results to GitHub
         if: always()
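Review bot: With the baseline wired in, the taint findings it lists (TaintedSql, TaintedCallable, TaintedHeader and the rest) disappear from the step output and, as far as I can tell, from `results.sarif` too, so they will no longer show in the GitHub Security tab; that is the intent of the commit but the step should say so. Please also confirm that `--update-baseline` writes to the path given by `--use-baseline` in the composer script and not to the default baseline configured in `psalm.xml`, otherwise this taint run would rewrite `build/psalm-baseline.xml`. Per psalm's CLI help, `--update-baseline` only drops entries that no longer reproduce and never adds new ones, so a new taint finding still fails this step and a stale entry fails the diff step added below. I would add above the step: `# Findings in build/psalm-baseline-security.xml are suppressed here and in the SARIF upload; --update-baseline only removes fixed entries, new findings still fail.`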
diff --git a/.reuse/dep5 b/.reuse/dep5
index 940d8160815..7cbbb64b63c 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -103,7 +103,7 @@ Files: core/img/desktopapp.svg
 Copyright: 2016-2024 Nextcloud GmbH and Nextcloud contributors
 License: AGPL-3.0-or-later
 
-Files: build/psalm-baseline-ocp.xml build/psalm-baseline.xml build/stubs/xsl.php build/stubs/gd.php build/stubs/imagick.php build/stubs/intl.php build/stubs/IntlChar.php build/stubs/ldap.php build/stubs/memcached.php build/stubs/redis.php build/stubs/redis_cluster.php build/stubs/sftp.php build/stubs/ssh2.php build/stubs/apcu.php
+Files: build/psalm-baseline-ocp.xml build/psalm-baseline-security.xml build/psalm-baseline.xml build/stubs/xsl.php build/stubs/gd.php build/stubs/imagick.php build/stubs/intl.php build/stubs/IntlChar.php build/stubs/ldap.php build/stubs/memcached.php build/stubs/redis.php build/stubs/redis_cluster.php build/stubs/sftp.php build/stubs/ssh2.php build/stubs/apcu.php
 Copyright: 2020 Nextcloud GmbH and Nextcloud contributors
 License: AGPL-3.0-or-later
 
diff --git a/build/psalm-baseline-security.xml b/build/psalm-baseline-security.xml
new file mode 100644
index 00000000000..c42b10d75c6
--- /dev/null
+++ b/build/psalm-baseline-security.xml
@@ -0,0 +1,138 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<files psalm-version="5.26.1@d747f6500b38ac4f7dfc5edbcae6e4b637d7add0">
+  <file src="apps/admin_audit/lib/Actions/Action.php">
+    <TaintedHtml>
+      <code><![CDATA[$params]]></code>
+    </TaintedHtml>
+  </file>
+  <file src="apps/files_external/lib/Config/ConfigAdapter.php">
+    <TaintedCallable>
+      <code><![CDATA[$objectClass]]></code>
+    </TaintedCallable>
+  </file>
+  <file src="apps/theming/lib/IconBuilder.php">
+    <TaintedFile>
+      <code><![CDATA[$appIcon]]></code>
+      <code><![CDATA[$imageFile]]></code>
+    </TaintedFile>
+  </file>
+  <file src="lib/base.php">
+    <TaintedHeader>
+      <code><![CDATA['Location: ' . $url]]></code>
+      <code><![CDATA['Location: ' . \OC::$WEBROOT . '/']]></code>
+    </TaintedHeader>
+  </file>
+  <file src="lib/private/App/InfoParser.php">
+    <TaintedFile>
+      <code><![CDATA[$file]]></code>
+    </TaintedFile>
+  </file>
+  <file src="lib/private/AppFramework/Utility/SimpleContainer.php">
+    <TaintedCallable>
+      <code><![CDATA[$name]]></code>
+    </TaintedCallable>
+  </file>
+  <file src="lib/private/Config.php">
+    <TaintedHtml>
+      <code><![CDATA[$this->cache]]></code>
+    </TaintedHtml>
+  </file>
+  <file src="lib/private/EventSource.php">
+    <TaintedHeader>
+      <code><![CDATA['Location: ' . \OC::$WEBROOT]]></code>
+    </TaintedHeader>
+  </file>
+  <file src="lib/private/Http/CookieHelper.php">
+    <TaintedHeader>
+      <code><![CDATA[$header]]></code>
+    </TaintedHeader>
+  </file>
+  <file src="lib/private/Installer.php">
+    <TaintedFile>
+      <code><![CDATA[$baseDir]]></code>
+    </TaintedFile>
+  </file>
+  <file src="lib/private/OCS/ApiHelper.php">
+    <TaintedHtml>
+      <code><![CDATA[$body]]></code>
+    </TaintedHtml>
+    <TaintedTextWithQuotes>
+      <code><![CDATA[$body]]></code>
+    </TaintedTextWithQuotes>
+  </file>
+  <file src="lib/private/Route/Router.php">
+    <TaintedCallable>
+      <code><![CDATA[$appNameSpace . '\\Controller\\' . basename($file->getPathname(), '.php')]]></code>
+    </TaintedCallable>
+  </file>
+  <file src="lib/private/ServerContainer.php">
+    <TaintedCallable>
+      <code><![CDATA[$applicationClassName]]></code>
+    </TaintedCallable>
+  </file>
+  <file src="lib/private/Session/CryptoWrapper.php">
+    <TaintedCookie>
+      <code><![CDATA[$this->passphrase]]></code>
+    </TaintedCookie>
+  </file>
+  <file src="lib/private/Setup.php">
+    <TaintedFile>
+      <code><![CDATA[$dataDir]]></code>
+    </TaintedFile>
+  </file>
+  <file src="lib/private/Setup/Sqlite.php">
+    <TaintedFile>
+      <code><![CDATA[$sqliteFile]]></code>
+    </TaintedFile>
+  </file>
+  <file src="lib/private/legacy/OC_Helper.php">
+    <TaintedFile>
+      <code><![CDATA[$dest]]></code>
+      <code><![CDATA[$dest]]></code>
+      <code><![CDATA[$dir]]></code>
+      <code><![CDATA[$dir]]></code>
+    </TaintedFile>
+  </file>
+  <file src="lib/private/legacy/OC_JSON.php">
+    <TaintedHeader>
+      <code><![CDATA['Location: ' . \OC::$WEBROOT]]></code>
+    </TaintedHeader>
+    <TaintedHtml>
+      <code><![CDATA[self::encode($data)]]></code>
+      <code><![CDATA[self::encode($data)]]></code>
+    </TaintedHtml>
+    <TaintedTextWithQuotes>
+      <code><![CDATA[self::encode($data)]]></code>
+      <code><![CDATA[self::encode($data)]]></code>
+    </TaintedTextWithQuotes>
+  </file>
+  <file src="lib/private/legacy/OC_Template.php">
+    <TaintedHtml>
+      <code><![CDATA[$exception->getTraceAsString()]]></code>
+    </TaintedHtml>
+    <TaintedTextWithQuotes>
+      <code><![CDATA[$exception->getTraceAsString()]]></code>
+    </TaintedTextWithQuotes>
+  </file>
+  <file src="lib/public/DB/QueryBuilder/IQueryBuilder.php">
+    <TaintedSql>
+      <code><![CDATA[$column]]></code>
+    </TaintedSql>
+  </file>
+  <file src="lib/public/IDBConnection.php">
+    <TaintedSql>
+      <code><![CDATA[$sql]]></code>
+      <code><![CDATA[$sql]]></code>
+      <code><![CDATA[$sql]]></code>
+      <code><![CDATA[$sql]]></code>
+    </TaintedSql>
+  </file>
+  <file src="ocs-provider/index.php">
+    <TaintedHtml>
+      <code><![CDATA[$controller->buildProviderList()->render()]]></code>
+    </TaintedHtml>
+    <TaintedTextWithQuotes>
+      <code><![CDATA[$controller->buildProviderList()->render()]]></code>
+    </TaintedTextWithQuotes>
+  </file>
+</files>
diff --git a/composer.json b/composer.json
index 86908c10c88..5912a81f987 100644
--- a/composer.json
+++ b/composer.json
@@ -60,7 +60,7 @@
 		"lint": "find . -name \\*.php -not -path './lib/composer/*' -not -path './build/stubs/*' -print0 | xargs -0 -n1 php -l",
 		"psalm": "psalm --no-cache --threads=$(nproc)",
 		"psalm:ocp": "psalm --no-cache --threads=$(nproc) -c psalm-ocp.xml",
-		"psalm:security": "psalm --no-cache --threads=$(nproc) --taint-analysis --ignore-baseline",
+		"psalm:security": "psalm --no-cache --threads=$(nproc) --taint-analysis --use-baseline=build/psalm-baseline-security.xml",
 		"psalm:update-baseline": "psalm --no-cache --threads=$(nproc) --update-baseline",
 		"serve": [
 			"Composer\\Config::disableProcessTimeout",
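Review bot: `psalm:update-baseline` still targets only the default baseline, so there is no local one-liner for the security baseline this commit introduces, even though CI now fails on a stale entry and contributors will have to run `composer run psalm:security -- --update-baseline` by hand. A dedicated script keeps the flags in one place: `"psalm:security:update-baseline": "psalm --no-cache --threads=$(nproc) --taint-analysis --use-baseline=build/psalm-baseline-security.xml --update-baseline"`. Note that `--update-baseline` only removes fixed entries; adding a new suppression needs `--set-baseline`, which should remain a deliberate, reviewed step rather than a convenience script.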
-- 
cgit v1.2.3