fix: Fix psalm taint false-positive by escaping trusted input

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
Côme Chilliet 2025-02-17 14:28:30 +01:00
parent fa108d5b54
commit 7c907223d2
No known key found for this signature in database
GPG key ID: A3E2F658B28C760A
2 changed files with 11 additions and 19 deletions


@ -49,12 +49,4 @@
<code><![CDATA[$column]]></code>
</TaintedSql>
</file>
<file src="lib/public/IDBConnection.php">
<TaintedSql>
<code><![CDATA[$sql]]></code>
<code><![CDATA[$sql]]></code>
<code><![CDATA[$sql]]></code>
<code><![CDATA[$sql]]></code>
</TaintedSql>
</file>
</files>


@ -59,7 +59,7 @@ class MySQL extends AbstractDatabase {
/**
* @param \OC\DB\Connection $connection
*/
private function createDatabase($connection) {
private function createDatabase($connection): void {
try {
$name = $this->dbName;
$user = $this->dbUser;
@ -91,7 +91,7 @@ class MySQL extends AbstractDatabase {
* @param IDBConnection $connection
* @throws \OC\DatabaseSetupException
*/
private function createDBUser($connection) {
private function createDBUser($connection): void {
try {
$name = $this->dbUser;
$password = $this->dbPassword;
@ -99,15 +99,15 @@ class MySQL extends AbstractDatabase {
// the anonymous user would take precedence when there is one.
if ($connection->getDatabasePlatform() instanceof Mysql80Platform) {
$query = "CREATE USER '$name'@'localhost' IDENTIFIED WITH mysql_native_password BY '$password'";
$connection->executeUpdate($query);
$query = "CREATE USER '$name'@'%' IDENTIFIED WITH mysql_native_password BY '$password'";
$connection->executeUpdate($query);
$query = "CREATE USER ?@'localhost' IDENTIFIED WITH mysql_native_password BY ?";
$connection->executeUpdate($query, [$name,$password]);
$query = "CREATE USER ?@'%' IDENTIFIED WITH mysql_native_password BY ?";
$connection->executeUpdate($query, [$name,$password]);
} else {
$query = "CREATE USER '$name'@'localhost' IDENTIFIED BY '$password'";
$connection->executeUpdate($query);
$query = "CREATE USER '$name'@'%' IDENTIFIED BY '$password'";
$connection->executeUpdate($query);
$query = "CREATE USER ?@'localhost' IDENTIFIED BY ?";
$connection->executeUpdate($query, [$name,$password]);
$query = "CREATE USER ?@'%' IDENTIFIED BY ?";
$connection->executeUpdate($query, [$name,$password]);
}
} catch (\Exception $ex) {
$this->logger->error('Database user creation failed.', [
@ -119,7 +119,7 @@ class MySQL extends AbstractDatabase {
}
/**
* @param $username
* @param string $username
* @param IDBConnection $connection
*/
private function createSpecificUser($username, $connection): void {
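Review bot: The four `CREATE USER ?@'…' IDENTIFIED … BY ?` statements in createDBUser (the `-99,15 +99,15` hunk) now depend on how the driver handles a `?` marker in an account-management statement, and nothing visible on this page shows which mode the setup connection uses. With client-side (emulated) substitution the values are quoted before the server sees them, but under native server-side prepares MySQL may reject a parameter marker in the account-name position, so the setup path should be exercised on both the `Mysql80Platform` branch and the fallback branch. I would add a comment above the first query such as `// Bound via executeUpdate() params; relies on the driver quoting values client-side, CREATE USER may not accept ? markers under native prepares`, and write the parameter list as `[$name, $password]`. Any failure lands in the `catch (\Exception $ex)` that follows, whose logger context continues outside the hunk, so it is worth confirming that the logged exception does not carry the bound password. createDBUser's body starts and ends outside the hunk.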