1f7e2ba599
chore: Add SPDX header
...
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
2024-05-13 17:41:36 +07:00
33e1c8b236
fix(security): Handle idn_to_utf8 returning false
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-12-04 10:38:46 +07:00
aa5f037af7
chore: apply changes from Nextcloud coding standards 1.1.1
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
2023-11-23 10:36:13 +07:00
ecf9f0a872
fix(CSP): Only add `strict-dynamic` when using nonces
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2023-11-17 22:01:02 +07:00
e231abd9bf
fix!(ContentSecurityPolicy): Make `strict-dynamic` enabled by default on `script-src-elem`
...
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2023-11-17 14:42:36 +07:00
124588d4a6
fix: Make bypass function public API
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-08-21 16:40:24 +07:00
fd9b2d488e
feat: Expose if the own IP is allowed to bypass bruteforce protection
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-08-21 16:36:04 +07:00
a95800c647
feat(security): Add a bruteforce protection backend base on memcache
...
Similar to the ratelimit backend
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-08-21 16:36:03 +07:00
030e8d8916
fix: Align doc type with creation
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-07-27 23:13:38 +07:00
08a3f37695
chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2023-06-12 10:03:59 +07:00
8d5165e8dc
Adapt tests to config value typing
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2023-04-05 17:42:14 +07:00
c5339fa336
Merge pull request #37542 from nextcloud/bugfix/noid/allow-to-opt-out-of-ratelimit-for-testing
...
feat(security): Allow to opt-out of ratelimit protection, e.g. for te…
2023-04-03 14:19:41 +07:00
454281af03
feat(security): Allow to opt-out of ratelimit protection, e.g. for testing on CI
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-04-03 09:06:45 +07:00
997c2a2a79
fix DBAL exception handling in setValues
...
This seems to be a left over after abstracting DBAL. Nowadays,
IQueryBuilder::executeStatement() only throws a \OCP\DB\Exception, where
previously original DBAL exceptions where thrown. These are now wrapped,
the orignal classes are now mapped to a reason.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2023-03-31 17:01:17 +07:00
f5c361cf44
composer run cs:fix
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2023-01-20 11:45:08 +07:00
0f7e56b3b3
Fix syntax in VerificationTokenTest.php
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2022-11-15 09:25:56 +07:00
70e2217d1c
Fix dynamic properties and other problems in tests for PHP 8.2
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2022-11-14 16:14:35 +07:00
8aea25b5b9
Add remote host validation API
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2022-10-31 16:13:28 +07:00
6f80fe6ada
Remove deprecated at matcher from tests/lib
...
Only 15 warnings left in there
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2022-08-29 16:36:40 +07:00
01dbd22c9c
Validate requested length is random string generator
...
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2022-05-12 13:58:18 +07:00
18c013d8fc
Add CSP policy merge priority for booleans
...
When two booleans conflict when merging CSP policies, true will win.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2022-04-01 13:56:34 +07:00
61f7f13bd8
Migrate from ILogger to LoggerInterface where needed in the tests
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2022-03-24 16:21:26 +07:00
bd03dd37be
Allow to set a strict-dynamic CSP through the API
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2022-03-09 15:10:27 +07:00
6312c0df69
Check style update
...
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
2022-01-13 00:19:07 +07:00
f01ad7b8d8
Improve normalizer detecting IPv4 inside of IPv6
...
The subnet for an IPv4 address inside of IPv6 is now returned in its
IPv4 form.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2021-11-22 16:46:25 +07:00
7e08a4ab15
Fix getting subnet of ipv4 mapped ipv6 addresses
...
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2021-11-22 14:10:11 +07:00
c42f5bc5f6
Add an OCP for trusted domain helper
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2021-10-28 10:24:16 +07:00
9161f6ca4a
Remove tests that just prove mocked calls and don't actually validate anything useful
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2021-09-27 14:24:48 +07:00
0dcc5c0e9f
Merge pull request #28728 from nextcloud/add-database-backend-limiter
...
Add database ratelimiting backend
2021-09-13 13:07:37 +07:00
a20de15b43
add a job to clean up expired verification tokens
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-09-09 14:03:35 +07:00
19cc757531
move verification token logic out of lost password controller
...
- to make it reusable
- needed for local email verification
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-09-09 14:03:29 +07:00
6337bb3f59
Adjust tests
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-09-06 17:46:02 +07:00
378cc922c4
Adjust logic to store period instead of current timestamp
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-09-06 17:31:36 +07:00
ee3dc57cbd
Merge pull request #26626 from J0WI/strict-security
...
Make Security module strict
2021-05-18 08:43:13 +07:00
2a11713337
Update CredentialsManagerTest.php
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2021-04-21 08:33:10 +07:00
c6978bac80
Fix security credentials manager test
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2021-04-20 17:04:24 +07:00
ca7b37ce5a
Make Security module strict
...
Signed-off-by: J0WI <J0WI@users.noreply.github.com>
2021-04-19 17:31:12 +07:00
e5a4236e68
Increase subnet matcher
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-04-07 12:28:59 +07:00
eb502c02ff
Bump nextcloud/coding-standard from 0.3.0 to 0.5.0
...
Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard ) from 0.3.0 to 0.5.0.
- [Release notes](https://github.com/nextcloud/coding-standard/releases )
- [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md )
- [Commits](https://github.com/nextcloud/coding-standard/compare/v0.3.0...v0.5.0 )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2021-02-18 13:31:24 +07:00
8b64e92b92
Bump doctrine/dbal from 2.12.0 to 3.0.0
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2021-01-08 11:45:19 +07:00
dc479aae2d
Improve CertificateManager to not be user context dependent
...
* removes the ability for users to import their own certificates (for external storage)
* reliably returns the same certificate bundles system wide (and not depending on the user context and available sessions)
The user specific certificates were broken in some cases anyways, as they are only loaded if the specific user is logged in and thus causing unexpected behavior for background jobs and other non-user triggered code paths.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-11-03 00:13:01 +07:00
a3bdb0c4cb
Implement unit tests for versions 1 and 2.
...
Signed-off-by: lynn-stephenson <lynn.stephenson@protonmail.com>
2020-10-15 21:23:24 +07:00
d9015a8c94
Format code to a single space around binary operators
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-10-05 20:25:24 +07:00
c25063dc07
Don't break when the IP is empty
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-09-10 14:20:27 +07:00
234b510652
Change PHPDoc type hint from PHPUnit_Framework_MockObject_MockObject to \PHPUnit\Framework\MockObject\MockObject
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-08-12 13:55:19 +07:00
35ff4aa1c6
Use random_bytes
...
Since we don't care if it is human readbale.
The code is backwards compatible with the old format.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-05-11 12:46:59 +07:00
ad60619655
Fix Argon2 options checks
...
The minimum for memory cost is 8 KiB per thread. Threads must be checked and set first to allow checking against the correct memory cost mimimum.
Options are now applied the following way:
- If config.php contains the setting with an integer higher or equal to the minimum, it is applied.
- If config.php contains the setting with an integer lower than the minimum, the minimum is applied.
- If config.php does not contain the setting or with no integer value, the PHP default is applied.
Signed-off-by: MichaIng <micha@dietpi.com>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-04-30 10:18:46 +07:00
5437844b7e
fix credentialsManager documentation and ensure userId to be used as string
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-04-15 19:34:23 +07:00
f6cb452037
add DB tests for credentials manager
...
these are actually expected to FAIL, because NULL as a userid is not
allowed in the schema, but documented to be used on the source
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-04-15 16:44:28 +07:00
1584c9ae9c
Add visibility to all methods and position of static keyword
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 16:51:06 +07:00
Andy Scherzinger
Joas Schilling
Ferdinand Thiessen
Christoph Wurst
Côme Chilliet
Joas Schilling
Arthur Schiwon
Vincent Petry
Julius Härtl
Carl Schwan
Lukas Reschke
Roeland Jago Douma
J0WI
dependabot-preview[bot]
Morris Jobke
lynn-stephenson
Roeland Jago Douma
MichaIng