upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-04-14 13:38:10 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 12
nextcloud/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

151 lines
4.5 KiB
PHP
Raw Normal View History

Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
<?php
fix(dav): Use IRequest constant to match version The pattern matches since a 10 year old client version Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-06-23 03:50:46 -04:00
declare(strict_types=1);
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
2024-05-28 06:34:11 -04:00
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
/**
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
2024-05-28 06:34:11 -04:00
* SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-FileCopyrightText: 2016 ownCloud, Inc.
* SPDX-License-Identifier: AGPL-3.0-only
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
*/
Update DAV unit tests to PSR-4
2016-05-25 10:04:15 -04:00
namespace OCA\DAV\Tests\unit\Connector\Sabre;
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
Consolidate webdav code - move all to one app
2015-08-30 13:13:01 -04:00
use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin;
fix: Adjust unit tests and protect against XSS Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-09-06 08:39:32 -04:00
use OCA\Theming\ThemingDefaults;
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-22 14:52:10 -05:00
use OCP\IConfig;
fix(dav): Use IRequest constant to match version The pattern matches since a 10 year old client version Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-06-23 03:50:46 -04:00
use PHPUnit\Framework\MockObject\MockObject;
use Sabre\HTTP\RequestInterface;
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
use Test\TestCase;
/**
* Class BlockLegacyClientPluginTest
*
Update DAV unit tests to PSR-4
2016-05-25 10:04:15 -04:00
* @package OCA\DAV\Tests\unit\Connector\Sabre
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
*/
class BlockLegacyClientPluginTest extends TestCase {
fix: Adjust unit tests and protect against XSS Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-09-06 08:39:32 -04:00
private IConfig&MockObject $config;
private ThemingDefaults&MockObject $themingDefaults;
private BlockLegacyClientPlugin $blockLegacyClientVersionPlugin;
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
Mode to modern phpunit Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-27 09:27:18 -05:00
protected function setUp(): void {
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
parent::setUp();
fix(dav): Use IRequest constant to match version The pattern matches since a 10 year old client version Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-06-23 03:50:46 -04:00
$this->config = $this->createMock(IConfig::class);
fix: Adjust unit tests and protect against XSS Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-09-06 08:39:32 -04:00
$this->themingDefaults = $this->createMock(ThemingDefaults::class);
$this->blockLegacyClientVersionPlugin = new BlockLegacyClientPlugin(
$this->config,
$this->themingDefaults,
);
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
}
fix: Adjust unit tests and protect against XSS Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-09-06 08:39:32 -04:00
public static function oldDesktopClientProvider(): array {
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
return [
fix(dav): Use IRequest constant to match version The pattern matches since a 10 year old client version Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-06-23 03:50:46 -04:00
['Mozilla/5.0 (Windows) mirall/1.5.0'],
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
['Mozilla/5.0 (Bogus Text) mirall/1.6.9'],
];
}
/**
* @dataProvider oldDesktopClientProvider
*/
fix(dav): Use IRequest constant to match version The pattern matches since a 10 year old client version Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-06-23 03:50:46 -04:00
public function testBeforeHandlerException(string $userAgent): void {
Mode to modern phpunit Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-27 09:27:18 -05:00
$this->expectException(\Sabre\DAV\Exception\Forbidden::class);
fix(dav): Update 403 error message * The user should get a more friendly warning when their desktop client version is not supported anymore by the server. See #nextcloud/desktop/issues/6273 * Update BlockLegacyClientPluginTest to reflect the new 403 error message. Signed-off-by: Camila Ayres <hello@camilasan.com>
2024-02-02 04:41:43 -05:00
fix: Adjust unit tests and protect against XSS Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-09-06 08:39:32 -04:00
$this->themingDefaults
fix(dav): Update 403 error message * The user should get a more friendly warning when their desktop client version is not supported anymore by the server. See #nextcloud/desktop/issues/6273 * Update BlockLegacyClientPluginTest to reflect the new 403 error message. Signed-off-by: Camila Ayres <hello@camilasan.com>
2024-02-02 04:41:43 -05:00
->expects($this->once())
fix: Adjust unit tests and protect against XSS Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-09-06 08:39:32 -04:00
->method('getSyncClientUrl')
fix(dav): Update 403 error message * The user should get a more friendly warning when their desktop client version is not supported anymore by the server. See #nextcloud/desktop/issues/6273 * Update BlockLegacyClientPluginTest to reflect the new 403 error message. Signed-off-by: Camila Ayres <hello@camilasan.com>
2024-02-02 04:41:43 -05:00
->willReturn('https://nextcloud.com/install/#install-clients');
$this->config
->expects($this->once())
->method('getSystemValue')
->with('minimum.supported.desktop.version', '2.3.0')
->willReturn('1.7.0');
$this->expectExceptionMessage('This version of the client is unsupported. Upgrade to <a href="https://nextcloud.com/install/#install-clients">version 1.7.0 or later</a>.');
Mode to modern phpunit Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-27 09:27:18 -05:00
fix(dav): Use IRequest constant to match version The pattern matches since a 10 year old client version Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-06-23 03:50:46 -04:00
/** @var RequestInterface|MockObject $request */
Fix unit tests for BlockLegacyClientPlugin
2016-10-24 16:38:22 -04:00
$request = $this->createMock('\Sabre\HTTP\RequestInterface');
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
$request
->expects($this->once())
->method('getHeader')
->with('User-Agent')
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-25 17:21:27 -04:00
->willReturn($userAgent);
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
$this->blockLegacyClientVersionPlugin->beforeHandler($request);
}
fix: Adjust unit tests and protect against XSS Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-09-06 08:39:32 -04:00
/**
* Ensure that there is no room for XSS attack through configured URL / version
* @dataProvider oldDesktopClientProvider
*/
public function testBeforeHandlerExceptionPreventXSSAttack(string $userAgent): void {
$this->expectException(\Sabre\DAV\Exception\Forbidden::class);
$this->themingDefaults
->expects($this->once())
->method('getSyncClientUrl')
->willReturn('https://example.com"><script>alter("hacked");</script>');
$this->config
->expects($this->once())
->method('getSystemValue')
->with('minimum.supported.desktop.version', '2.3.0')
->willReturn('1.7.0 <script>alert("unsafe")</script>');
$this->expectExceptionMessage('This version of the client is unsupported. Upgrade to <a href="https://example.com&quot;&gt;&lt;script&gt;alter(&quot;hacked&quot;);&lt;/script&gt;">version 1.7.0 &lt;script&gt;alert(&quot;unsafe&quot;)&lt;/script&gt; or later</a>.');
/** @var RequestInterface|MockObject $request */
$request = $this->createMock('\Sabre\HTTP\RequestInterface');
$request
->expects($this->once())
->method('getHeader')
->with('User-Agent')
->willReturn($userAgent);
$this->blockLegacyClientVersionPlugin->beforeHandler($request);
}
fix(dav): Use IRequest constant to match version The pattern matches since a 10 year old client version Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-06-23 03:50:46 -04:00
public function newAndAlternateDesktopClientProvider(): array {
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
return [
fix(dav): Use IRequest constant to match version The pattern matches since a 10 year old client version Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-06-23 03:50:46 -04:00
['Mozilla/5.0 (Windows) mirall/1.7.0'],
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
['Mozilla/5.0 (Bogus Text) mirall/1.9.3'],
fix(dav): Use IRequest constant to match version The pattern matches since a 10 year old client version Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-06-23 03:50:46 -04:00
['Mozilla/5.0 (Not Our Client But Old Version) LegacySync/1.1.0'],
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
];
}
/**
* @dataProvider newAndAlternateDesktopClientProvider
*/
fix(dav): Use IRequest constant to match version The pattern matches since a 10 year old client version Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-06-23 03:50:46 -04:00
public function testBeforeHandlerSuccess(string $userAgent): void {
/** @var RequestInterface|MockObject $request */
$request = $this->createMock(RequestInterface::class);
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
$request
->expects($this->once())
->method('getHeader')
->with('User-Agent')
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-25 17:21:27 -04:00
->willReturn($userAgent);
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
$this->config
->expects($this->once())
->method('getSystemValue')
More fixing Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-11-25 05:46:56 -05:00
->with('minimum.supported.desktop.version', '2.3.0')
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-25 17:21:27 -04:00
->willReturn('1.7.0');
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
$this->blockLegacyClientVersionPlugin->beforeHandler($request);
}
chore(dav): Add void return type to test methods Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2023-01-20 02:38:43 -05:00
public function testBeforeHandlerNoUserAgent(): void {
fix(dav): Use IRequest constant to match version The pattern matches since a 10 year old client version Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-06-23 03:50:46 -04:00
/** @var RequestInterface|MockObject $request */
$request = $this->createMock(RequestInterface::class);
Catch not existing User-Agent header In case of an not sent UA header consider the client as valid
2015-04-23 10:33:51 -04:00
$request
->expects($this->once())
->method('getHeader')
->with('User-Agent')
Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-25 17:21:27 -04:00
->willReturn(null);
Catch not existing User-Agent header In case of an not sent UA header consider the client as valid
2015-04-23 10:33:51 -04:00
$this->blockLegacyClientVersionPlugin->beforeHandler($request);
}
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-16 16:39:44 -04:00
}
Reference in a new issue Copy permalink