From 0107c7ea24a28779dad09117d8dc5a4a49b95dc5 Mon Sep 17 00:00:00 2001 From: Côme Chilliet Date: Mon, 13 Nov 2023 17:07:25 +0100 Subject: Migrate Forwarded For Headers check to new API MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- .../composer/composer/autoload_classmap.php | 1 + .../settings/composer/composer/autoload_static.php | 1 + apps/settings/lib/AppInfo/Application.php | 2 + .../lib/Controller/CheckSetupController.php | 26 ------- .../lib/SetupChecks/ForwardedForHeaders.php | 88 ++++++++++++++++++++++ .../tests/Controller/CheckSetupControllerTest.php | 1 - 6 files changed, 92 insertions(+), 27 deletions(-) create mode 100644 apps/settings/lib/SetupChecks/ForwardedForHeaders.php (limited to 'apps') diff --git a/apps/settings/composer/composer/autoload_classmap.php b/apps/settings/composer/composer/autoload_classmap.php index d578167a597..e6d1f3ff83f 100644 --- a/apps/settings/composer/composer/autoload_classmap.php +++ b/apps/settings/composer/composer/autoload_classmap.php @@ -78,6 +78,7 @@ return array( 'OCA\\Settings\\SetupChecks\\DefaultPhoneRegionSet' => $baseDir . '/../lib/SetupChecks/DefaultPhoneRegionSet.php', 'OCA\\Settings\\SetupChecks\\EmailTestSuccessful' => $baseDir . '/../lib/SetupChecks/EmailTestSuccessful.php', 'OCA\\Settings\\SetupChecks\\FileLocking' => $baseDir . '/../lib/SetupChecks/FileLocking.php', + 'OCA\\Settings\\SetupChecks\\ForwardedForHeaders' => $baseDir . '/../lib/SetupChecks/ForwardedForHeaders.php', 'OCA\\Settings\\SetupChecks\\InternetConnectivity' => $baseDir . '/../lib/SetupChecks/InternetConnectivity.php', 'OCA\\Settings\\SetupChecks\\LegacySSEKeyFormat' => $baseDir . '/../lib/SetupChecks/LegacySSEKeyFormat.php', 'OCA\\Settings\\SetupChecks\\MemcacheConfigured' => $baseDir . '/../lib/SetupChecks/MemcacheConfigured.php', diff --git a/apps/settings/composer/composer/autoload_static.php b/apps/settings/composer/composer/autoload_static.php index d6506f2bebc..1a95f65119a 100644 --- a/apps/settings/composer/composer/autoload_static.php +++ b/apps/settings/composer/composer/autoload_static.php @@ -93,6 +93,7 @@ class ComposerStaticInitSettings 'OCA\\Settings\\SetupChecks\\DefaultPhoneRegionSet' => __DIR__ . '/..' . '/../lib/SetupChecks/DefaultPhoneRegionSet.php', 'OCA\\Settings\\SetupChecks\\EmailTestSuccessful' => __DIR__ . '/..' . '/../lib/SetupChecks/EmailTestSuccessful.php', 'OCA\\Settings\\SetupChecks\\FileLocking' => __DIR__ . '/..' . '/../lib/SetupChecks/FileLocking.php', + 'OCA\\Settings\\SetupChecks\\ForwardedForHeaders' => __DIR__ . '/..' . '/../lib/SetupChecks/ForwardedForHeaders.php', 'OCA\\Settings\\SetupChecks\\InternetConnectivity' => __DIR__ . '/..' . '/../lib/SetupChecks/InternetConnectivity.php', 'OCA\\Settings\\SetupChecks\\LegacySSEKeyFormat' => __DIR__ . '/..' . '/../lib/SetupChecks/LegacySSEKeyFormat.php', 'OCA\\Settings\\SetupChecks\\MemcacheConfigured' => __DIR__ . '/..' . '/../lib/SetupChecks/MemcacheConfigured.php', diff --git a/apps/settings/lib/AppInfo/Application.php b/apps/settings/lib/AppInfo/Application.php index 6f4a94bdda9..d694e650b48 100644 --- a/apps/settings/lib/AppInfo/Application.php +++ b/apps/settings/lib/AppInfo/Application.php @@ -53,6 +53,7 @@ use OCA\Settings\SetupChecks\CheckUserCertificates; use OCA\Settings\SetupChecks\DefaultPhoneRegionSet; use OCA\Settings\SetupChecks\EmailTestSuccessful; use OCA\Settings\SetupChecks\FileLocking; +use OCA\Settings\SetupChecks\ForwardedForHeaders; use OCA\Settings\SetupChecks\InternetConnectivity; use OCA\Settings\SetupChecks\LegacySSEKeyFormat; use OCA\Settings\SetupChecks\MemcacheConfigured; @@ -162,6 +163,7 @@ class Application extends App implements IBootstrap { $context->registerSetupCheck(DefaultPhoneRegionSet::class); $context->registerSetupCheck(EmailTestSuccessful::class); $context->registerSetupCheck(FileLocking::class); + $context->registerSetupCheck(ForwardedForHeaders::class); $context->registerSetupCheck(InternetConnectivity::class); $context->registerSetupCheck(LegacySSEKeyFormat::class); $context->registerSetupCheck(MemcacheConfigured::class); diff --git a/apps/settings/lib/Controller/CheckSetupController.php b/apps/settings/lib/Controller/CheckSetupController.php index 6d74a670a07..13e54063d8a 100644 --- a/apps/settings/lib/Controller/CheckSetupController.php +++ b/apps/settings/lib/Controller/CheckSetupController.php @@ -246,31 +246,6 @@ class CheckSetupController extends Controller { return ''; } - /** - * Check if the reverse proxy configuration is working as expected - * - * @return bool - */ - private function forwardedForHeadersWorking(): bool { - $trustedProxies = $this->config->getSystemValue('trusted_proxies', []); - $remoteAddress = $this->request->getHeader('REMOTE_ADDR'); - - if (empty($trustedProxies) && $this->request->getHeader('X-Forwarded-Host') !== '') { - return false; - } - - if (\is_array($trustedProxies)) { - if (\in_array($remoteAddress, $trustedProxies, true) && $remoteAddress !== '127.0.0.1') { - return $remoteAddress !== $this->request->getRemoteAddress(); - } - } else { - return false; - } - - // either not enabled or working correctly - return true; - } - /** * Checks if the correct memcache module for PHP is installed. Only * fails if memcached is configured and the working module is not installed. @@ -721,7 +696,6 @@ Raw output 'cronErrors' => $this->getCronErrors(), 'isFairUseOfFreePushService' => $this->isFairUseOfFreePushService(), 'isUsedTlsLibOutdated' => $this->isUsedTlsLibOutdated(), - 'forwardedForHeadersWorking' => $this->forwardedForHeadersWorking(), 'reverseProxyDocs' => $this->urlGenerator->linkToDocs('admin-reverse-proxy'), 'isCorrectMemcachedPHPModuleInstalled' => $this->isCorrectMemcachedPHPModuleInstalled(), 'hasPassedCodeIntegrityCheck' => $this->checker->hasPassedCheck(), diff --git a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php new file mode 100644 index 00000000000..140888835af --- /dev/null +++ b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php @@ -0,0 +1,88 @@ + + * + * @author Côme Chilliet + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ + +namespace OCA\Settings\SetupChecks; + +use OCP\IConfig; +use OCP\IL10N; +use OCP\IRequest; +use OCP\IURLGenerator; +use OCP\SetupCheck\ISetupCheck; +use OCP\SetupCheck\SetupResult; + +class ForwardedForHeaders implements ISetupCheck { + public function __construct( + private IL10N $l10n, + private IConfig $config, + private IURLGenerator $urlGenerator, + private IRequest $request, + ) { + } + + public function getCategory(): string { + return 'security'; + } + + public function getName(): string { + return $this->l10n->t('Forwared for headers'); + } + + public function run(): SetupResult { + $trustedProxies = $this->config->getSystemValue('trusted_proxies', []); + $remoteAddress = $this->request->getHeader('REMOTE_ADDR'); + + if (!\is_array($trustedProxies)) { + return SetupResult::error($this->l10n->t('Your trusted_proxies setting is not correctly set, it should be an array.')); + } + + if (($remoteAddress === '') && ($this->request->getRemoteAddress() === '')) { + /* Most likely we were called from CLI */ + return SetupResult::info('Your remote address could not be determined.'); + } + + if (empty($trustedProxies) && $this->request->getHeader('X-Forwarded-Host') !== '') { + return SetupResult::warning( + $this->l10n->t('The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), + $this->urlGenerator->linkToDocs('admin-reverse-proxy') + ); + } + + if (\in_array($remoteAddress, $trustedProxies, true) && ($remoteAddress !== '127.0.0.1')) { + if ($remoteAddress !== $this->request->getRemoteAddress()) { + /* Remote address was successfuly fixed */ + return SetupResult::success('Working'); + } else { + return SetupResult::warning( + $this->l10n->t('The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), + $this->urlGenerator->linkToDocs('admin-reverse-proxy') + ); + } + } + + /* Either not enabled or working correctly */ + return SetupResult::success(); + } +} diff --git a/apps/settings/tests/Controller/CheckSetupControllerTest.php b/apps/settings/tests/Controller/CheckSetupControllerTest.php index 0437d8a38b3..2df86a7b49c 100644 --- a/apps/settings/tests/Controller/CheckSetupControllerTest.php +++ b/apps/settings/tests/Controller/CheckSetupControllerTest.php @@ -415,7 +415,6 @@ class CheckSetupControllerTest extends TestCase { ], 'cronErrors' => [], 'isUsedTlsLibOutdated' => '', - 'forwardedForHeadersWorking' => false, 'reverseProxyDocs' => 'reverse-proxy-doc-link', 'isCorrectMemcachedPHPModuleInstalled' => true, 'hasPassedCodeIntegrityCheck' => true, -- cgit v1.2.3 From 0ebd44abb666e50f551b030dca3fbd6af03c5d1f Mon Sep 17 00:00:00 2001 From: Côme Chilliet Date: Mon, 13 Nov 2023 17:25:21 +0100 Subject: Migrate tests of forwarded for headers check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- .../tests/Controller/CheckSetupControllerTest.php | 90 +------------ .../tests/SetupChecks/ForwardedForHeadersTest.php | 140 +++++++++++++++++++++ 2 files changed, 142 insertions(+), 88 deletions(-) create mode 100644 apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php (limited to 'apps') diff --git a/apps/settings/tests/Controller/CheckSetupControllerTest.php b/apps/settings/tests/Controller/CheckSetupControllerTest.php index 2df86a7b49c..fb2aa1a975d 100644 --- a/apps/settings/tests/Controller/CheckSetupControllerTest.php +++ b/apps/settings/tests/Controller/CheckSetupControllerTest.php @@ -204,87 +204,6 @@ class CheckSetupControllerTest extends TestCase { $this->dirsToRemove = []; } - /** - * @dataProvider dataForwardedForHeadersWorking - * - * @param array $trustedProxies - * @param string $remoteAddrNotForwarded - * @param string $remoteAddr - * @param bool $result - */ - public function testForwardedForHeadersWorking(array $trustedProxies, string $remoteAddrNotForwarded, string $remoteAddr, bool $result): void { - $this->config->expects($this->once()) - ->method('getSystemValue') - ->with('trusted_proxies', []) - ->willReturn($trustedProxies); - $this->request->expects($this->atLeastOnce()) - ->method('getHeader') - ->willReturnMap([ - ['REMOTE_ADDR', $remoteAddrNotForwarded], - ['X-Forwarded-Host', ''] - ]); - $this->request->expects($this->any()) - ->method('getRemoteAddress') - ->willReturn($remoteAddr); - - $this->assertEquals( - $result, - self::invokePrivate($this->checkSetupController, 'forwardedForHeadersWorking') - ); - } - - public function dataForwardedForHeadersWorking(): array { - return [ - // description => trusted proxies, getHeader('REMOTE_ADDR'), getRemoteAddr, expected result - 'no trusted proxies' => [[], '2.2.2.2', '2.2.2.2', true], - 'trusted proxy, remote addr not trusted proxy' => [['1.1.1.1'], '2.2.2.2', '2.2.2.2', true], - 'trusted proxy, remote addr is trusted proxy, x-forwarded-for working' => [['1.1.1.1'], '1.1.1.1', '2.2.2.2', true], - 'trusted proxy, remote addr is trusted proxy, x-forwarded-for not set' => [['1.1.1.1'], '1.1.1.1', '1.1.1.1', false], - ]; - } - - public function testForwardedHostPresentButTrustedProxiesNotAnArray(): void { - $this->config->expects($this->once()) - ->method('getSystemValue') - ->with('trusted_proxies', []) - ->willReturn('1.1.1.1'); - $this->request->expects($this->atLeastOnce()) - ->method('getHeader') - ->willReturnMap([ - ['REMOTE_ADDR', '1.1.1.1'], - ['X-Forwarded-Host', 'nextcloud.test'] - ]); - $this->request->expects($this->any()) - ->method('getRemoteAddress') - ->willReturn('1.1.1.1'); - - $this->assertEquals( - false, - self::invokePrivate($this->checkSetupController, 'forwardedForHeadersWorking') - ); - } - - public function testForwardedHostPresentButTrustedProxiesEmpty(): void { - $this->config->expects($this->once()) - ->method('getSystemValue') - ->with('trusted_proxies', []) - ->willReturn([]); - $this->request->expects($this->atLeastOnce()) - ->method('getHeader') - ->willReturnMap([ - ['REMOTE_ADDR', '1.1.1.1'], - ['X-Forwarded-Host', 'nextcloud.test'] - ]); - $this->request->expects($this->any()) - ->method('getRemoteAddress') - ->willReturn('1.1.1.1'); - - $this->assertEquals( - false, - self::invokePrivate($this->checkSetupController, 'forwardedForHeadersWorking') - ); - } - public function testCheck() { $this->config->expects($this->any()) ->method('getAppValue') @@ -302,13 +221,8 @@ class CheckSetupControllerTest extends TestCase { ['appstoreenabled', true, false], ]); - $this->request->expects($this->atLeastOnce()) - ->method('getHeader') - ->willReturnMap([ - ['REMOTE_ADDR', '4.3.2.1'], - ['X-Forwarded-Host', ''] - ]); - + $this->request->expects($this->never()) + ->method('getHeader'); $this->clientService->expects($this->never()) ->method('newClient'); $this->checkSetupController diff --git a/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php b/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php new file mode 100644 index 00000000000..9da2bccda79 --- /dev/null +++ b/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php @@ -0,0 +1,140 @@ + + * + * @author Morris Jobke + * @author Côme Chilliet + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ +namespace OCA\Settings\Tests; + +use OCA\Settings\SetupChecks\ForwardedForHeaders; +use OCP\IConfig; +use OCP\IL10N; +use OCP\IRequest; +use OCP\IURLGenerator; +use OCP\SetupCheck\SetupResult; +use Test\TestCase; + +class ForwardedForHeadersTest extends TestCase { + private IL10N $l10n; + private IConfig $config; + private IURLGenerator $urlGenerator; + private IRequest $request; + private ForwardedForHeaders $check; + + protected function setUp(): void { + parent::setUp(); + + $this->l10n = $this->getMockBuilder(IL10N::class) + ->disableOriginalConstructor()->getMock(); + $this->l10n->expects($this->any()) + ->method('t') + ->willReturnCallback(function ($message, array $replace) { + return vsprintf($message, $replace); + }); + $this->config = $this->getMockBuilder(IConfig::class)->getMock(); + $this->urlGenerator = $this->getMockBuilder(IURLGenerator::class)->getMock(); + $this->request = $this->getMockBuilder(IRequest::class)->getMock(); + $this->check = new ForwardedForHeaders( + $this->l10n, + $this->config, + $this->urlGenerator, + $this->request, + ); + } + + /** + * @dataProvider dataForwardedForHeadersWorking + */ + public function testForwardedForHeadersWorking(array $trustedProxies, string $remoteAddrNotForwarded, string $remoteAddr, string $result): void { + $this->config->expects($this->once()) + ->method('getSystemValue') + ->with('trusted_proxies', []) + ->willReturn($trustedProxies); + $this->request->expects($this->atLeastOnce()) + ->method('getHeader') + ->willReturnMap([ + ['REMOTE_ADDR', $remoteAddrNotForwarded], + ['X-Forwarded-Host', ''] + ]); + $this->request->expects($this->any()) + ->method('getRemoteAddress') + ->willReturn($remoteAddr); + + $this->assertEquals( + $result, + $this->check->run()->getSeverity() + ); + } + + public function dataForwardedForHeadersWorking(): array { + return [ + // description => trusted proxies, getHeader('REMOTE_ADDR'), getRemoteAddr, expected result + 'no trusted proxies' => [[], '2.2.2.2', '2.2.2.2', SetupResult::SUCCESS], + 'trusted proxy, remote addr not trusted proxy' => [['1.1.1.1'], '2.2.2.2', '2.2.2.2', SetupResult::SUCCESS], + 'trusted proxy, remote addr is trusted proxy, x-forwarded-for working' => [['1.1.1.1'], '1.1.1.1', '2.2.2.2', SetupResult::SUCCESS], + 'trusted proxy, remote addr is trusted proxy, x-forwarded-for not set' => [['1.1.1.1'], '1.1.1.1', '1.1.1.1', SetupResult::WARNING], + ]; + } + + public function testForwardedHostPresentButTrustedProxiesNotAnArray(): void { + $this->config->expects($this->once()) + ->method('getSystemValue') + ->with('trusted_proxies', []) + ->willReturn('1.1.1.1'); + $this->request->expects($this->atLeastOnce()) + ->method('getHeader') + ->willReturnMap([ + ['REMOTE_ADDR', '1.1.1.1'], + ['X-Forwarded-Host', 'nextcloud.test'] + ]); + $this->request->expects($this->any()) + ->method('getRemoteAddress') + ->willReturn('1.1.1.1'); + + $this->assertEquals( + SetupResult::ERROR, + $this->check->run()->getSeverity() + ); + } + + public function testForwardedHostPresentButTrustedProxiesEmpty(): void { + $this->config->expects($this->once()) + ->method('getSystemValue') + ->with('trusted_proxies', []) + ->willReturn([]); + $this->request->expects($this->atLeastOnce()) + ->method('getHeader') + ->willReturnMap([ + ['REMOTE_ADDR', '1.1.1.1'], + ['X-Forwarded-Host', 'nextcloud.test'] + ]); + $this->request->expects($this->any()) + ->method('getRemoteAddress') + ->willReturn('1.1.1.1'); + + $this->assertEquals( + SetupResult::WARNING, + $this->check->run()->getSeverity() + ); + } +} -- cgit v1.2.3 From f47a2bbcae72f9fa1e52fe3c28d98b7edfe9535e Mon Sep 17 00:00:00 2001 From: Côme Chilliet Date: Mon, 20 Nov 2023 15:45:46 +0100 Subject: Improve wrong configuration error message when we know it’s wrong. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/settings/lib/SetupChecks/ForwardedForHeaders.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'apps') diff --git a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php index 140888835af..5ba966f380b 100644 --- a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php +++ b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php @@ -64,8 +64,8 @@ class ForwardedForHeaders implements ISetupCheck { } if (empty($trustedProxies) && $this->request->getHeader('X-Forwarded-Host') !== '') { - return SetupResult::warning( - $this->l10n->t('The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), + return SetupResult::error( + $this->l10n->t('The reverse proxy header configuration is incorrect. This is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), $this->urlGenerator->linkToDocs('admin-reverse-proxy') ); } -- cgit v1.2.3 From f023216cf47ad2d6e69a16d69718d22e4d06ec2f Mon Sep 17 00:00:00 2001 From: Côme Chilliet Date: Mon, 20 Nov 2023 15:52:28 +0100 Subject: Make it an error if address is not known and we are not in CLI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/settings/lib/SetupChecks/BruteForceThrottler.php | 10 +++++++--- apps/settings/lib/SetupChecks/ForwardedForHeaders.php | 9 +++++++-- 2 files changed, 14 insertions(+), 5 deletions(-) (limited to 'apps') diff --git a/apps/settings/lib/SetupChecks/BruteForceThrottler.php b/apps/settings/lib/SetupChecks/BruteForceThrottler.php index 6c1efd56bc1..88de5c2c82a 100644 --- a/apps/settings/lib/SetupChecks/BruteForceThrottler.php +++ b/apps/settings/lib/SetupChecks/BruteForceThrottler.php @@ -53,9 +53,13 @@ class BruteForceThrottler implements ISetupCheck { public function run(): SetupResult { $address = $this->request->getRemoteAddress(); if ($address === '') { - return SetupResult::info( - $this->l10n->t('Your remote address could not be determined.') - ); + if (\OC::$CLI) { + /* We were called from CLI */ + return SetupResult::info('Your remote address could not be determined.'); + } else { + /* Should never happen */ + return SetupResult::error('Your remote address could not be determined.'); + } } elseif ($this->throttler->showBruteforceWarning($address)) { return SetupResult::error( $this->l10n->t('Your remote address was identified as "%s" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly.', $address), diff --git a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php index 5ba966f380b..47ff51ee05e 100644 --- a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php +++ b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php @@ -59,8 +59,13 @@ class ForwardedForHeaders implements ISetupCheck { } if (($remoteAddress === '') && ($this->request->getRemoteAddress() === '')) { - /* Most likely we were called from CLI */ - return SetupResult::info('Your remote address could not be determined.'); + if (\OC::$CLI) { + /* We were called from CLI */ + return SetupResult::info('Your remote address could not be determined.'); + } else { + /* Should never happen */ + return SetupResult::error('Your remote address could not be determined.'); + } } if (empty($trustedProxies) && $this->request->getHeader('X-Forwarded-Host') !== '') { -- cgit v1.2.3 From 1f4e0927ba0fa586830136ff1f40b62a29d6d629 Mon Sep 17 00:00:00 2001 From: Côme Chilliet Date: Mon, 20 Nov 2023 16:12:19 +0100 Subject: Improve success messages for ForwarderForHeaders setup check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/settings/lib/SetupChecks/BruteForceThrottler.php | 4 ++-- apps/settings/lib/SetupChecks/ForwardedForHeaders.php | 11 ++++++----- 2 files changed, 8 insertions(+), 7 deletions(-) (limited to 'apps') diff --git a/apps/settings/lib/SetupChecks/BruteForceThrottler.php b/apps/settings/lib/SetupChecks/BruteForceThrottler.php index 88de5c2c82a..d5d6d42ccba 100644 --- a/apps/settings/lib/SetupChecks/BruteForceThrottler.php +++ b/apps/settings/lib/SetupChecks/BruteForceThrottler.php @@ -55,10 +55,10 @@ class BruteForceThrottler implements ISetupCheck { if ($address === '') { if (\OC::$CLI) { /* We were called from CLI */ - return SetupResult::info('Your remote address could not be determined.'); + return SetupResult::info($this->l10n->t('Your remote address could not be determined.')); } else { /* Should never happen */ - return SetupResult::error('Your remote address could not be determined.'); + return SetupResult::error($this->l10n->t('Your remote address could not be determined.')); } } elseif ($this->throttler->showBruteforceWarning($address)) { return SetupResult::error( diff --git a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php index 47ff51ee05e..fda5f31cee1 100644 --- a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php +++ b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php @@ -53,18 +53,19 @@ class ForwardedForHeaders implements ISetupCheck { public function run(): SetupResult { $trustedProxies = $this->config->getSystemValue('trusted_proxies', []); $remoteAddress = $this->request->getHeader('REMOTE_ADDR'); + $detectedRemoteAddress = $this->request->getRemoteAddress(); if (!\is_array($trustedProxies)) { return SetupResult::error($this->l10n->t('Your trusted_proxies setting is not correctly set, it should be an array.')); } - if (($remoteAddress === '') && ($this->request->getRemoteAddress() === '')) { + if (($remoteAddress === '') && ($detectedRemoteAddress === '')) { if (\OC::$CLI) { /* We were called from CLI */ - return SetupResult::info('Your remote address could not be determined.'); + return SetupResult::info($this->l10n->t('Your remote address could not be determined.')); } else { /* Should never happen */ - return SetupResult::error('Your remote address could not be determined.'); + return SetupResult::error($this->l10n->t('Your remote address could not be determined.')); } } @@ -76,9 +77,9 @@ class ForwardedForHeaders implements ISetupCheck { } if (\in_array($remoteAddress, $trustedProxies, true) && ($remoteAddress !== '127.0.0.1')) { - if ($remoteAddress !== $this->request->getRemoteAddress()) { + if ($remoteAddress !== $detectedRemoteAddress) { /* Remote address was successfuly fixed */ - return SetupResult::success('Working'); + return SetupResult::success($this->l10n->t('Your IP address was resolved as %s', $detectedRemoteAddress)); } else { return SetupResult::warning( $this->l10n->t('The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), -- cgit v1.2.3 From ad372869bc803c3540fd8657c4fcb643d3db5b08 Mon Sep 17 00:00:00 2001 From: Côme Chilliet Date: Mon, 20 Nov 2023 18:03:15 +0100 Subject: Fix tests for setupchecks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/settings/lib/SetupChecks/BruteForceThrottler.php | 4 ++-- apps/settings/lib/SetupChecks/ForwardedForHeaders.php | 2 +- apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to 'apps') diff --git a/apps/settings/lib/SetupChecks/BruteForceThrottler.php b/apps/settings/lib/SetupChecks/BruteForceThrottler.php index d5d6d42ccba..3fbdf2d788a 100644 --- a/apps/settings/lib/SetupChecks/BruteForceThrottler.php +++ b/apps/settings/lib/SetupChecks/BruteForceThrottler.php @@ -62,12 +62,12 @@ class BruteForceThrottler implements ISetupCheck { } } elseif ($this->throttler->showBruteforceWarning($address)) { return SetupResult::error( - $this->l10n->t('Your remote address was identified as "%s" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly.', $address), + $this->l10n->t('Your remote address was identified as "%s" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly.', [$address]), $this->urlGenerator->linkToDocs('admin-reverse-proxy') ); } else { return SetupResult::success( - $this->l10n->t('Your remote address "%s" is not bruteforce throttled.', $address) + $this->l10n->t('Your remote address "%s" is not bruteforce throttled.', [$address]) ); } } diff --git a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php index fda5f31cee1..3572feabb1f 100644 --- a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php +++ b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php @@ -79,7 +79,7 @@ class ForwardedForHeaders implements ISetupCheck { if (\in_array($remoteAddress, $trustedProxies, true) && ($remoteAddress !== '127.0.0.1')) { if ($remoteAddress !== $detectedRemoteAddress) { /* Remote address was successfuly fixed */ - return SetupResult::success($this->l10n->t('Your IP address was resolved as %s', $detectedRemoteAddress)); + return SetupResult::success($this->l10n->t('Your IP address was resolved as %s', [$detectedRemoteAddress])); } else { return SetupResult::warning( $this->l10n->t('The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), diff --git a/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php b/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php index 9da2bccda79..bacc557490b 100644 --- a/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php +++ b/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php @@ -133,7 +133,7 @@ class ForwardedForHeadersTest extends TestCase { ->willReturn('1.1.1.1'); $this->assertEquals( - SetupResult::WARNING, + SetupResult::ERROR, $this->check->run()->getSeverity() ); } -- cgit v1.2.3