9d1705259c
fix(AppFramework): Allow requests with OCS-APIRequest header to pass CSRF checks
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-07-25 17:31:49 +07:00
047479ccf9
feat(security): Add public API to allow validating IP Ranges and checking for "in range"
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
2024-07-19 16:28:03 +07:00
202e5b1e95
feat(security): restrict admin actions to IP ranges
...
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
2024-07-19 16:28:03 +07:00
e5dcdfb9e0
feat(Security): Warn about using annotations instead of attributes
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-07-18 11:25:32 +07:00
5aefdc399e
feat(AppFramework): Add ExAppRequired attribute
...
Signed-off-by: provokateurin <kate@provokateurin.de>
2024-07-01 14:41:20 +07:00
f6d6efef3a
refactor(Token): introduce scope constants
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2024-06-05 19:01:14 +07:00
340939e688
fix(Session): avoid password confirmation on SSO
...
SSO backends like SAML and OIDC tried a trick to suppress password
confirmations as they are not possible by design. At least for SAML it was
not reliable when existing user backends where used as user repositories.
Now we are setting a special scope with the token, and also make sure that
the scope is taken over when tokens are regenerated.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2024-06-05 19:01:13 +07:00
1f7e2ba599
chore: Add SPDX header
...
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
2024-05-13 17:41:36 +07:00
a0be3ffdf2
fix: Fix tests following OC_App migrations to IAppManager
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2024-04-22 12:21:55 +07:00
f3a4abd98c
fix: add check for app_api_system session flag to bypass rate limit
...
Signed-off-by: Florian Klinger <florian.klinger@nextcloud.com>
Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>
2024-03-18 20:09:15 +07:00
747aeded9d
fix xml ocs response for serializable objects
...
Signed-off-by: sualko <klaus@jsxc.org>
Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
2024-02-23 14:49:22 +07:00
9ed3ab7d87
test(request): Add tests to strip the port when forwarding requests
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2024-02-13 16:51:13 +07:00
6434ce96c9
Add timezone getter to ITimeFactory
...
Signed-off-by: Anna Larch <anna@nextcloud.com>
2024-02-13 13:29:06 +07:00
31c1bc1c62
better tests
...
Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
2024-02-01 13:40:27 +07:00
1956be4118
fix lint
...
Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
2024-01-31 21:13:32 +07:00
e1d7328bb2
adding test
...
Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
2024-01-31 21:13:32 +07:00
216b95f8b1
test(unit): fix RequestTest
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2024-01-27 15:11:26 +07:00
f6b6776c93
fix(API): Use a distinct exception so apps can react to it and customize the return
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-11-28 06:11:57 +07:00
3fa43a529b
enh(dispatcher): enforce psalm ranges in the http dispatcher
...
- allows devs to provide int ranges for API arguments
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2023-11-24 12:46:38 +07:00
aa5f037af7
chore: apply changes from Nextcloud coding standards 1.1.1
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
2023-11-23 10:36:13 +07:00
ecf9f0a872
fix(CSP): Only add `strict-dynamic` when using nonces
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2023-11-17 22:01:02 +07:00
e231abd9bf
fix!(ContentSecurityPolicy): Make `strict-dynamic` enabled by default on `script-src-elem`
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2023-11-17 14:42:36 +07:00
7df9eb3351
feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on `script-src-elem` only
...
This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keep the default rules for `script-src`.
The idea is to allow loading module js which imports other files and thus does not allow nonces on import but on the initial script tag.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2023-11-17 11:12:57 +07:00
2fa78f6245
Reverse X-Forwarded-For list to read the correct proxy remote address
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-11-16 07:45:19 +07:00
78842348b2
feat(dependencyinjection): Allow optional (nullable) services
...
Allows working with classes that might or might not be available.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2023-11-03 11:53:43 +07:00
154a9989a7
Merge pull request #39852 from nextcloud/pragmaHeader
...
Stop sending deprecated Pragma header
2023-10-18 03:30:21 +07:00
25309bcb45
techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-08-28 15:50:45 +07:00
066f6ef16c
Stop sending deprecated Pragma header
...
Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
2023-08-28 15:11:22 +07:00
41f2d912d2
Allow "wasm-unsafe-eval" in CSP
...
If a page has a Content Security Policy header and the `script-src` (or
`default-src`) directive does not contain neither `wasm-unsafe-eval` nor
`unsafe-eval` loading and executing WebAssembly is blocked in the page
(although it is still possible to load and execute WebAssembly in a
worker thread).
Although the Nextcloud classes to manage the CSP already supported
allowing `unsafe-eval` this affects not only WebAssembly, but also the
`eval` operation in JavaScript.
To make possible to allow WebAssembly execution without allowing
JavaScript `eval` this commit adds support for allowing
`wasm-unsafe-eval`.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
2023-08-10 02:38:41 +07:00
1b387bb341
fix!: Remove legacy event dispatching Symfony's GenericEvent from AdditionalScripts
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-07-27 09:57:52 +07:00
2c6f32cb28
feat(request): Allow to match the client version with the IRequest::USER_AGENT_* regex
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-07-11 07:35:50 +07:00
b0001c6010
Add template types to responses
...
Signed-off-by: jld3103 <jld3103yt@gmail.com>
2023-06-30 09:33:29 +07:00
7f4651637a
Allow stdClass in XML responses
...
Signed-off-by: jld3103 <jld3103yt@gmail.com>
2023-06-13 11:44:47 +07:00
08a3f37695
chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2023-06-12 10:03:59 +07:00
3a6bc7aba2
fix(middleware): Also abort the request when reaching max delay in afterController
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-05-15 16:20:19 +07:00
ecb8b55c5c
feat(security): Add PHP \Attribute for remaining security annotations
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-04-25 14:50:32 +07:00
89c3c31402
feat(ratelimit): Add Attributes support to rate limit middleware
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-04-24 12:24:48 +07:00
b294edad80
Merge branch 'master' into enh/type-iconfig-getter-calls
...
Signed-off-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
2023-04-20 16:52:38 +07:00
2c0cfd3772
feat(app-framework): Add native argument types for middleware
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2023-04-18 17:15:05 +07:00
8d5165e8dc
Adapt tests to config value typing
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2023-04-05 17:42:14 +07:00
2b49861679
Add a debug message when throttling without defining
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-03-08 12:09:22 +07:00
e839eb9b5c
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-03-08 12:09:22 +07:00
c297f8ee96
feat(appframework): ⌚ Make ITimeFactory extend \PSR\Clock\ClockInterface
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-03-03 15:37:13 +07:00
90d2cb09b1
Merge pull request #36396 from nextcloud/fix/cors
2023-02-17 09:42:08 +07:00
f655f83c84
fix(CORS): CORS should only be bypassed on `PublicPage` if not logged in to prevent CSRF attack vectors
...
Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
2023-02-16 22:55:18 +07:00
5f90b8eb11
Change X-Robots-Tag header from "none" to "noindex, nofollow"
...
While "none" is indeed equivalent to "noindex, nofollow" for Google, but seems to be not supported by Bing and probably other search engines.
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta/name#other_metadata_names
https://developers.google.com/search/docs/crawling-indexing/robots-meta-tag?hl=de#comma-separated-list
https://www.bing.com/webmasters/help/which-robots-metatags-does-bing-support-5198d240
Signed-off-by: MichaIng <micha@dietpi.com>
2023-02-15 20:16:51 +07:00
b911da3e1e
DI for Router
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2023-02-13 22:51:14 +07:00
ba8a50c059
fix: Throw `NotFoundExceptionInterface` to fulfill PSR container interface if class not found
...
Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
2023-02-06 14:16:35 +07:00
20e00cdf17
feat(app-framework): Add UseSession attribute to replace annotation
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2023-01-27 09:40:35 +07:00
8d9af3e262
feat(app-framework): Add support for global middlewares
...
This allows apps to register middlewares that always register, not just
for the app's own requests
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2023-01-26 11:54:28 +07:00
provokateurin
Joas Schilling
Benjamin Gaussorgues
Arthur Schiwon
Andy Scherzinger
Côme Chilliet
Florian Klinger
Klaus
Anna Larch
Maxence Lange
Ferdinand Thiessen
Christoph Wurst
Git'Fellow
Daniel Calviño Sánchez
jld3103
Côme Chilliet
Julius Härtl
Ferdinand Thiessen
MichaIng
Robin Appelman