fix(appmanager): Fix tainted file path when loading appinfos

Signed-off-by: Joas Schilling <coding@schilljs.com>
1 year ago · 07449847e1
6 changed files with 38 additions and 29 deletions
--- a/build/psalm-baseline-security.xml
+++ b/build/psalm-baseline-security.xml
@ -22,11 +22,6 @@
      <code><![CDATA['Location: ' . \OC::$WEBROOT . '/']]></code>
    </TaintedHeader>
  </file>
-  <file src="lib/private/App/InfoParser.php">
-    <TaintedFile>
-      <code><![CDATA[$file]]></code>
-    </TaintedFile>
-  </file>
  <file src="lib/private/AppFramework/Utility/SimpleContainer.php">
    <TaintedCallable>
      <code><![CDATA[$name]]></code>
--- a/build/psalm-baseline.xml
+++ b/build/psalm-baseline.xml
@ -2750,10 +2750,6 @@
    <NullArgument>
      <code><![CDATA[null]]></code>
    </NullArgument>
-    <TypeDoesNotContainNull>
-      <code><![CDATA[$appId === null]]></code>
-      <code><![CDATA[$appId === null]]></code>
-    </TypeDoesNotContainNull>
  </file>
  <file src="lib/private/legacy/OC_Helper.php">
    <InvalidArrayOffset>
--- a/lib/private/App/AppManager.php
+++ b/lib/private/App/AppManager.php
@ -744,30 +744,39 @@ class AppManager implements IAppManager {
 	 */
 	public function getAppInfo(string $appId, bool $path = false, $lang = null) {
 		if ($path) {
-			$file = $appId;
-		} else {
-			if ($lang === null && isset($this->appInfos[$appId])) {
-				return $this->appInfos[$appId];
-			}
-			try {
-				$appPath = $this->getAppPath($appId);
-			} catch (AppPathNotFoundException $e) {
-				return null;
-			}
-			$file = $appPath . '/appinfo/info.xml';
+			throw new \InvalidArgumentException('Calling IAppManager::getAppInfo() with a path is no longer supported. Please call IAppManager::getAppInfoByPath() instead and verify that the path is good before calling.');
+		}
+		if ($lang === null && isset($this->appInfos[$appId])) {
+			return $this->appInfos[$appId];
+		}
+		try {
+			$appPath = $this->getAppPath($appId);
+		} catch (AppPathNotFoundException) {
+			return null;
+		}
+		$file = $appPath . '/appinfo/info.xml';
+
+		$data = $this->getAppInfoByPath($file, $lang);
+
+		if ($lang === null) {
+			$this->appInfos[$appId] = $data;
+		}
+
+		return $data;
+	}
+
+	public function getAppInfoByPath(string $path, ?string $lang = null): ?array {
+		if (!str_ends_with($path, '/appinfo/info.xml')) {
+			return null;
 		}

 		$parser = new InfoParser($this->memCacheFactory->createLocal('core.appinfo'));
-		$data = $parser->parse($file);
+		$data = $parser->parse($path);

 		if (is_array($data)) {
 			$data = \OC_App::parseAppInfo($data, $lang);
 		}

-		if ($lang === null) {
-			$this->appInfos[$appId] = $data;
-		}
-
 		return $data;
 	}

--- a/lib/private/Installer.php
+++ b/lib/private/Installer.php
@ -65,7 +65,7 @@ class Installer {
 		}

 		$l = \OCP\Util::getL10N('core');
-		$info = \OCP\Server::get(IAppManager::class)->getAppInfo($basedir . '/appinfo/info.xml', true, $l->getLanguageCode());
+		$info = \OCP\Server::get(IAppManager::class)->getAppInfoByPath($basedir . '/appinfo/info.xml', $l->getLanguageCode());

 		if (!is_array($info)) {
 			throw new \Exception(
--- a/lib/private/legacy/OC_App.php
+++ b/lib/private/legacy/OC_App.php
@ -313,7 +313,8 @@ class OC_App {
 	 * @deprecated 11.0.0 use \OCP\Server::get(IAppManager)->getAppPath()
 	 */
 	public static function getAppPath(string $appId, bool $refreshAppPath = false) {
-		if ($appId === null || trim($appId) === '') {
+		$appId = self::cleanAppId($appId);
+		if ($appId === '') {
 			return false;
 		}

@ -346,7 +347,7 @@ class OC_App {
 	 */
 	public static function getAppVersionByPath(string $path): string {
 		$infoFile = $path . '/appinfo/info.xml';
-		$appData = \OC::$server->getAppManager()->getAppInfo($infoFile, true);
+		$appData = \OCP\Server::get(IAppManager::class)->getAppInfoByPath($infoFile);
 		return $appData['version'] ?? '';
 	}

--- a/lib/public/App/IAppManager.php
+++ b/lib/public/App/IAppManager.php
@ -25,14 +25,22 @@ interface IAppManager {
 	public const BACKEND_CALDAV = 'caldav';

 	/**
-	 * Returns the app information from "appinfo/info.xml".
+	 * Returns the app information from "appinfo/info.xml" for an app
 	 *
 	 * @param string|null $lang
 	 * @return array|null
 	 * @since 14.0.0
+	 * @since 31.0.0 Usage of $path is discontinued and throws an \InvalidArgumentException, use {@see self::getAppInfoByPath} instead.
 	 */
 	public function getAppInfo(string $appId, bool $path = false, $lang = null);

+	/**
+	 * Returns the app information from a given path ending with "/appinfo/info.xml"
+	 *
+	 * @since 31.0.0
+	 */
+	public function getAppInfoByPath(string $path, ?string $lang = null): ?array;
+
 	/**
 	 * Returns the app information from "appinfo/info.xml".
 	 *