Mirrors
/
nextcloud-server
mirror of https://github.com/nextcloud/server
3
0
Fork 0
Code Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
40011 Commits
632 Branches
1167 Tags
3.9 GiB
Tree: f93a82b8b0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f93a82b8b0'
${ noResults }
nextcloud-server/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php

268 lines
9.4 KiB
Raw Normal View History

initial import of appframework
13 years ago
Fix others
10 years ago
Update license headers
11 years ago
Update license headers
10 years ago
Update license headers
11 years ago
Fix others
10 years ago
Update license headers
10 years ago
Update license headers
11 years ago
initial import of appframework
13 years ago
Update license headers
11 years ago
initial import of appframework
13 years ago
Update license headers
11 years ago
initial import of appframework
13 years ago
Update license headers
11 years ago
initial import of appframework
13 years ago
Update license headers
11 years ago
initial import of appframework
13 years ago
Update license headers
11 years ago
initial import of appframework
13 years ago
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36.
11 years ago
Move to dedicated MiddleWare Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
initial import of appframework
13 years ago
Fix inconsistent nameing of AppFramework
10 years ago
Introduce PasswordConfirmRequired annotation Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Fix inconsistent nameing of AppFramework
10 years ago
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
implement most of the basic stuff that was suggested in #8290
12 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
Add trict CSP to OCS responses If a repsonse now explicitly has the Empty CSP set then the middleware won't touch it.
9 years ago
make download and redirectresponse public
12 years ago
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
Make abstract Middleware class public It doesn't make sense for subclasses to have to implement all methods.
12 years ago
moving response classes over to OCP
13 years ago
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Introduce PasswordConfirmRequired annotation Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
fix 8757, get rid of service locator antipattern
12 years ago
fixing SecurityMiddleware to use OC6 API
12 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Check if app is enabled for user Fixes https://github.com/owncloud/core/issues/12188 for AppFramework apps
11 years ago
Move CSRF check Because we're closing the session now before controllers are executed there are cases where we cannot write the session.
11 years ago
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
initial import of appframework
13 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
initial import of appframework
13 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
add private property for reflector in security middleware
12 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Introduce PasswordConfirmRequired annotation Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Move to dedicated MiddleWare Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
add private property for reflector in security middleware
12 years ago
initial import of appframework
13 years ago
fixing SecurityMiddleware to use OC6 API
12 years ago
implement most of the basic stuff that was suggested in #8290
12 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Introduce PasswordConfirmRequired annotation Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Move to dedicated MiddleWare Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
initial import of appframework
13 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Return proper status code in case of a CORS exception When returning a 500 statuscode external applications may interpret this as an error instead of handling this more gracefully. This will now make return a 401 thus. Fixes https://github.com/owncloud/core/issues/17742
11 years ago
Introduce PasswordConfirmRequired annotation Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Return proper status code in case of a CORS exception When returning a 500 statuscode external applications may interpret this as an error instead of handling this more gracefully. This will now make return a 401 thus. Fixes https://github.com/owncloud/core/issues/17742
11 years ago
Move to dedicated MiddleWare Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
fix 8757, get rid of service locator antipattern
12 years ago
initial import of appframework
13 years ago
implement most of the basic stuff that was suggested in #8290
12 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Introduce PasswordConfirmRequired annotation Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Move to dedicated MiddleWare Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
initial import of appframework
13 years ago
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
initial import of appframework
13 years ago
Remove explicit type hints for Controller This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
initial import of appframework
13 years ago
fix 8757, get rid of service locator antipattern
12 years ago
initial import of appframework
13 years ago
implement most of the basic stuff that was suggested in #8290
12 years ago
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
Move to dedicated MiddleWare Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
initial import of appframework
13 years ago
implement most of the basic stuff that was suggested in #8290
12 years ago
fix 8757, get rid of service locator antipattern
12 years ago
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
reducing controller annotations to: @PublicPage - No user logon is expected @NoAdminRequired - the login user requires no admin rights @NoCSRFRequired - the incoming request will not check for CSRF token
13 years ago
initial import of appframework
13 years ago
Introduce PasswordConfirmRequired annotation Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Add the 15 seconds to the window, instead of removing Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Introduce PasswordConfirmRequired annotation Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
Move CSRF check Because we're closing the session now before controllers are executed there are cases where we cannot write the session.
11 years ago
implement most of the basic stuff that was suggested in #8290
12 years ago
Dark hackery to not always disable CSRF for OCS controllers
10 years ago
We should properly check for 'true' instaed of the bool
10 years ago
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
initial import of appframework
13 years ago
Check if app is enabled for user Fixes https://github.com/owncloud/core/issues/12188 for AppFramework apps
11 years ago
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
Check if app is enabled for user Fixes https://github.com/owncloud/core/issues/12188 for AppFramework apps
11 years ago
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
Check if app is enabled for user Fixes https://github.com/owncloud/core/issues/12188 for AppFramework apps
11 years ago
Move to dedicated MiddleWare Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
initial import of appframework
13 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
Remove explicit type hints for Controller This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
Add trict CSP to OCS responses If a repsonse now explicitly has the Empty CSP set then the middleware won't touch it.
9 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
9 years ago
Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
10 years ago
initial import of appframework
13 years ago
lib: Fix typos (found by codespell) Signed-off-by: Stefan Weil <sw@weilnetz.de>
10 years ago
initial import of appframework
13 years ago
Remove explicit type hints for Controller This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50
10 years ago
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
initial import of appframework
13 years ago
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
Check whether the $_SERVER['REQUEST_*'] vars exist before using them Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
initial import of appframework
13 years ago
Show error template Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
10 years ago
initial import of appframework
13 years ago
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Bernhard Posselt <dev@bernhard-posselt.com>
  6. * @author Lukas Reschke <lukas@statuscode.ch>
  7. * @author Morris Jobke <hey@morrisjobke.de>
  8. * @author Roeland Jago Douma <roeland@famdouma.nl>
  9. * @author Stefan Weil <sw@weilnetz.de>
  10. * @author Thomas Müller <thomas.mueller@tmit.eu>
  11. * @author Thomas Tanghus <thomas@tanghus.net>
  12. *
  13. * @license AGPL-3.0
  14. *
  15. * This code is free software: you can redistribute it and/or modify
  16. * it under the terms of the GNU Affero General Public License, version 3,
  17. * as published by the Free Software Foundation.
  18. *
  19. * This program is distributed in the hope that it will be useful,
  20. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  21. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  22. * GNU Affero General Public License for more details.
  23. *
  24. * You should have received a copy of the GNU Affero General Public License, version 3,
  25. * along with this program. If not, see <http://www.gnu.org/licenses/>
  26. *
  27. */
  30. namespace OC\AppFramework\Middleware\Security;
  32. use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException;
  33. use OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException;
  34. use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;
  35. use OC\AppFramework\Middleware\Security\Exceptions\NotConfirmedException;
  36. use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException;
  37. use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
  38. use OC\AppFramework\Utility\ControllerMethodReflector;
  39. use OC\Security\CSP\ContentSecurityPolicyManager;
  40. use OC\Security\CSP\ContentSecurityPolicyNonceManager;
  41. use OC\Security\CSRF\CsrfTokenManager;
  42. use OCP\AppFramework\Http\ContentSecurityPolicy;
  43. use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
  44. use OCP\AppFramework\Http\RedirectResponse;
  45. use OCP\AppFramework\Http\TemplateResponse;
  46. use OCP\AppFramework\Middleware;
  47. use OCP\AppFramework\Http\Response;
  48. use OCP\AppFramework\Http\JSONResponse;
  49. use OCP\AppFramework\OCSController;
  50. use OCP\INavigationManager;
  51. use OCP\ISession;
  52. use OCP\IURLGenerator;
  53. use OCP\IRequest;
  54. use OCP\ILogger;
  55. use OCP\AppFramework\Controller;
  56. use OCP\Util;
  57. use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
  59. /**
  60. * Used to do all the authentication and checking stuff for a controller method
  61. * It reads out the annotations of a controller method and checks which if
  62. * security things should be checked and also handles errors in case a security
  63. * check fails
  64. */
  65. class SecurityMiddleware extends Middleware {
  66. /** @var INavigationManager */
  67. private $navigationManager;
  68. /** @var IRequest */
  69. private $request;
  70. /** @var ControllerMethodReflector */
  71. private $reflector;
  72. /** @var string */
  73. private $appName;
  74. /** @var IURLGenerator */
  75. private $urlGenerator;
  76. /** @var ILogger */
  77. private $logger;
  78. /** @var ISession */
  79. private $session;
  80. /** @var bool */
  81. private $isLoggedIn;
  82. /** @var bool */
  83. private $isAdminUser;
  84. /** @var ContentSecurityPolicyManager */
  85. private $contentSecurityPolicyManager;
  86. /** @var CsrfTokenManager */
  87. private $csrfTokenManager;
  88. /** @var ContentSecurityPolicyNonceManager */
  89. private $cspNonceManager;
  91. /**
  92. * @param IRequest $request
  93. * @param ControllerMethodReflector $reflector
  94. * @param INavigationManager $navigationManager
  95. * @param IURLGenerator $urlGenerator
  96. * @param ILogger $logger
  97. * @param ISession $session
  98. * @param string $appName
  99. * @param bool $isLoggedIn
  100. * @param bool $isAdminUser
  101. * @param ContentSecurityPolicyManager $contentSecurityPolicyManager
  102. * @param CSRFTokenManager $csrfTokenManager
  103. * @param ContentSecurityPolicyNonceManager $cspNonceManager
  104. */
  105. public function __construct(IRequest $request,
  106. ControllerMethodReflector $reflector,
  107. INavigationManager $navigationManager,
  108. IURLGenerator $urlGenerator,
  109. ILogger $logger,
  110. ISession $session,
  111. $appName,
  112. $isLoggedIn,
  113. $isAdminUser,
  114. ContentSecurityPolicyManager $contentSecurityPolicyManager,
  115. CsrfTokenManager $csrfTokenManager,
  116. ContentSecurityPolicyNonceManager $cspNonceManager) {
  117. $this->navigationManager = $navigationManager;
  118. $this->request = $request;
  119. $this->reflector = $reflector;
  120. $this->appName = $appName;
  121. $this->urlGenerator = $urlGenerator;
  122. $this->logger = $logger;
  123. $this->session = $session;
  124. $this->isLoggedIn = $isLoggedIn;
  125. $this->isAdminUser = $isAdminUser;
  126. $this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
  127. $this->csrfTokenManager = $csrfTokenManager;
  128. $this->cspNonceManager = $cspNonceManager;
  129. }
  131. /**
  132. * This runs all the security checks before a method call. The
  133. * security checks are determined by inspecting the controller method
  134. * annotations
  135. * @param Controller $controller the controller
  136. * @param string $methodName the name of the method
  137. * @throws SecurityException when a security check fails
  138. */
  139. public function beforeController($controller, $methodName) {
  141. // this will set the current navigation entry of the app, use this only
  142. // for normal HTML requests and not for AJAX requests
  143. $this->navigationManager->setActiveEntry($this->appName);
  145. // security checks
  146. $isPublicPage = $this->reflector->hasAnnotation('PublicPage');
  147. if(!$isPublicPage) {
  148. if(!$this->isLoggedIn) {
  149. throw new NotLoggedInException();
  150. }
  152. if(!$this->reflector->hasAnnotation('NoAdminRequired')) {
  153. if(!$this->isAdminUser) {
  154. throw new NotAdminException();
  155. }
  156. }
  157. }
  159. if ($this->reflector->hasAnnotation('PasswordConfirmationRequired')) {
  160. $lastConfirm = (int) $this->session->get('last-password-confirm');
  161. if ($lastConfirm < (time() - (30 * 60 + 15))) { // allow 15 seconds delay
  162. throw new NotConfirmedException();
  163. }
  164. }
  166. // Check for strict cookie requirement
  167. if($this->reflector->hasAnnotation('StrictCookieRequired') || !$this->reflector->hasAnnotation('NoCSRFRequired')) {
  168. if(!$this->request->passesStrictCookieCheck()) {
  169. throw new StrictCookieMissingException();
  170. }
  171. }
  172. // CSRF check - also registers the CSRF token since the session may be closed later
  173. Util::callRegister();
  174. if(!$this->reflector->hasAnnotation('NoCSRFRequired')) {
  175. /*
  176. * Only allow the CSRF check to fail on OCS Requests. This kind of
  177. * hacks around that we have no full token auth in place yet and we
  178. * do want to offer CSRF checks for web requests.
  179. */
  180. if(!$this->request->passesCSRFCheck() && !(
  181. $controller instanceof OCSController &&
  182. $this->request->getHeader('OCS-APIREQUEST') === 'true')) {
  183. throw new CrossSiteRequestForgeryException();
  184. }
  185. }
  187. /**
  188. * FIXME: Use DI once available
  189. * Checks if app is enabled (also includes a check whether user is allowed to access the resource)
  190. * The getAppPath() check is here since components such as settings also use the AppFramework and
  191. * therefore won't pass this check.
  192. */
  193. if(\OC_App::getAppPath($this->appName) !== false && !\OC_App::isEnabled($this->appName)) {
  194. throw new AppNotEnabledException();
  195. }
  197. }
  199. /**
  200. * Performs the default CSP modifications that may be injected by other
  201. * applications
  202. *
  203. * @param Controller $controller
  204. * @param string $methodName
  205. * @param Response $response
  206. * @return Response
  207. */
  208. public function afterController($controller, $methodName, Response $response) {
  209. $policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
  211. if (get_class($policy) === EmptyContentSecurityPolicy::class) {
  212. return $response;
  213. }
  215. $defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy();
  216. $defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy);
  218. if($this->cspNonceManager->browserSupportsCspV3()) {
  219. $defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue());
  220. }
  222. $response->setContentSecurityPolicy($defaultPolicy);
  224. return $response;
  225. }
  227. /**
  228. * If an SecurityException is being caught, ajax requests return a JSON error
  229. * response and non ajax requests redirect to the index
  230. * @param Controller $controller the controller that is being called
  231. * @param string $methodName the name of the method that will be called on
  232. * the controller
  233. * @param \Exception $exception the thrown exception
  234. * @throws \Exception the passed in exception if it can't handle it
  235. * @return Response a Response object or null in case that the exception could not be handled
  236. */
  237. public function afterException($controller, $methodName, \Exception $exception) {
  238. if($exception instanceof SecurityException) {
  239. if($exception instanceof StrictCookieMissingException) {
  240. return new RedirectResponse(\OC::$WEBROOT);
  241. }
  242. if (stripos($this->request->getHeader('Accept'),'html') === false) {
  243. $response = new JSONResponse(
  244. array('message' => $exception->getMessage()),
  245. $exception->getCode()
  246. );
  247. } else {
  248. if($exception instanceof NotLoggedInException) {
  249. $params = [];
  250. if (isset($this->request->server['REQUEST_URI'])) {
  251. $params['redirect_url'] = $this->request->server['REQUEST_URI'];
  252. }
  253. $url = $this->urlGenerator->linkToRoute('core.login.showLoginForm', $params);
  254. $response = new RedirectResponse($url);
  255. } else {
  256. $response = new TemplateResponse('core', '403', ['file' => $exception->getMessage()], 'guest');
  257. $response->setStatus($exception->getCode());
  258. }
  259. }
  261. $this->logger->debug($exception->getMessage());
  262. return $response;
  263. }
  265. throw $exception;
  266. }
  268. }