Merge pull request #46193 from nextcloud/fix/limit-vcard-size
fix(carddav): limit vcard size
commit
a8e581ca94
6 changed files with 119 additions and 0 deletions
|
|
@ -11,6 +11,7 @@ use OCA\DAV\AppInfo\PluginManager;
|
|||
use OCA\DAV\CardDAV\AddressBookRoot;
|
||||
use OCA\DAV\CardDAV\CardDavBackend;
|
||||
use OCA\DAV\CardDAV\Security\CardDavRateLimitingPlugin;
|
||||
use OCA\DAV\CardDAV\Validation\CardDavValidatePlugin;
|
||||
use OCA\DAV\Connector\LegacyDAVACL;
|
||||
use OCA\DAV\Connector\Sabre\Auth;
|
||||
use OCA\DAV\Connector\Sabre\ExceptionLoggerPlugin;
|
||||
|
|
@ -89,6 +90,7 @@ $server->addPlugin(new \OCA\DAV\CardDAV\ImageExportPlugin(new \OCA\DAV\CardDAV\P
|
|||
)));
|
||||
$server->addPlugin(new ExceptionLoggerPlugin('carddav', \OC::$server->get(LoggerInterface::class)));
|
||||
$server->addPlugin(\OCP\Server::get(CardDavRateLimitingPlugin::class));
|
||||
$server->addPlugin(\OCP\Server::get(CardDavValidatePlugin::class));
|
||||
|
||||
// And off we go!
|
||||
$server->exec();
|
||||
|
|
|
|||
|
|
@ -141,6 +141,7 @@ return array(
|
|||
'OCA\\DAV\\CardDAV\\SyncService' => $baseDir . '/../lib/CardDAV/SyncService.php',
|
||||
'OCA\\DAV\\CardDAV\\SystemAddressbook' => $baseDir . '/../lib/CardDAV/SystemAddressbook.php',
|
||||
'OCA\\DAV\\CardDAV\\UserAddressBooks' => $baseDir . '/../lib/CardDAV/UserAddressBooks.php',
|
||||
'OCA\\DAV\\CardDAV\\Validation\\CardDavValidatePlugin' => $baseDir . '/../lib/CardDAV/Validation/CardDavValidatePlugin.php',
|
||||
'OCA\\DAV\\CardDAV\\Xml\\Groups' => $baseDir . '/../lib/CardDAV/Xml/Groups.php',
|
||||
'OCA\\DAV\\Command\\CreateAddressBook' => $baseDir . '/../lib/Command/CreateAddressBook.php',
|
||||
'OCA\\DAV\\Command\\CreateCalendar' => $baseDir . '/../lib/Command/CreateCalendar.php',
|
||||
|
|
|
|||
|
|
@ -156,6 +156,7 @@ class ComposerStaticInitDAV
|
|||
'OCA\\DAV\\CardDAV\\SyncService' => __DIR__ . '/..' . '/../lib/CardDAV/SyncService.php',
|
||||
'OCA\\DAV\\CardDAV\\SystemAddressbook' => __DIR__ . '/..' . '/../lib/CardDAV/SystemAddressbook.php',
|
||||
'OCA\\DAV\\CardDAV\\UserAddressBooks' => __DIR__ . '/..' . '/../lib/CardDAV/UserAddressBooks.php',
|
||||
'OCA\\DAV\\CardDAV\\Validation\\CardDavValidatePlugin' => __DIR__ . '/..' . '/../lib/CardDAV/Validation/CardDavValidatePlugin.php',
|
||||
'OCA\\DAV\\CardDAV\\Xml\\Groups' => __DIR__ . '/..' . '/../lib/CardDAV/Xml/Groups.php',
|
||||
'OCA\\DAV\\Command\\CreateAddressBook' => __DIR__ . '/..' . '/../lib/Command/CreateAddressBook.php',
|
||||
'OCA\\DAV\\Command\\CreateCalendar' => __DIR__ . '/..' . '/../lib/Command/CreateCalendar.php',
|
||||
|
|
|
|||
40
apps/dav/lib/CardDAV/Validation/CardDavValidatePlugin.php
Normal file
40
apps/dav/lib/CardDAV/Validation/CardDavValidatePlugin.php
Normal file
|
|
@ -0,0 +1,40 @@
|
|||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
|
||||
* SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
*/
|
||||
namespace OCA\DAV\CardDAV\Validation;
|
||||
|
||||
use OCA\DAV\AppInfo\Application;
|
||||
use OCP\IAppConfig;
|
||||
use Sabre\DAV\Exception\Forbidden;
|
||||
use Sabre\DAV\Server;
|
||||
use Sabre\DAV\ServerPlugin;
|
||||
use Sabre\HTTP\RequestInterface;
|
||||
use Sabre\HTTP\ResponseInterface;
|
||||
|
||||
class CardDavValidatePlugin extends ServerPlugin {
|
||||
|
||||
public function __construct(
|
||||
private IAppConfig $config
|
||||
) {
|
||||
}
|
||||
|
||||
public function initialize(Server $server): void {
|
||||
$server->on('beforeMethod:PUT', [$this, 'beforePut']);
|
||||
}
|
||||
|
||||
public function beforePut(RequestInterface $request, ResponseInterface $response): bool {
|
||||
// evaluate if card size exceeds defined limit
|
||||
$cardSizeLimit = $this->config->getValueInt(Application::APP_ID, 'card_size_limit', 5242880);
|
||||
if ((int) $request->getRawServerValue('CONTENT_LENGTH') > $cardSizeLimit) {
|
||||
throw new Forbidden("VCard object exceeds $cardSizeLimit bytes");
|
||||
}
|
||||
// all tests passed return true
|
||||
return true;
|
||||
}
|
||||
|
||||
}
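Review bot: The check in `beforePut` enforces the limit against the client-supplied `CONTENT_LENGTH` header rather than the bytes actually received, so a PUT sent with chunked transfer encoding (no Content-Length, `getRawServerValue` returns null) or with a non-numeric value becomes `(int) 0` and passes whatever the body size. To make the cap hold, it should also be applied where the vCard body is consumed (a bounded read of the request body, or a length check on the card data in the create/update path), and a missing or non-numeric header should be rejected here instead of being treated as zero, e.g. `$length = $request->getRawServerValue('CONTENT_LENGTH');` followed by `if ($length === null || !ctype_digit($length) || (int) $length > $cardSizeLimit) { throw new Forbidden("VCard object exceeds $cardSizeLimit bytes"); }`. A 413 status would describe the condition more accurately than 403 Forbidden, since the request is rejected for its size, not for lack of permission. The class also deserves a short docblock stating that the limit is read from the `card_size_limit` app config key with a 5242880-byte default and that only PUT is covered.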
|
||||
|
|
@ -16,6 +16,7 @@ use OCA\DAV\CardDAV\ImageExportPlugin;
|
|||
use OCA\DAV\CardDAV\MultiGetExportPlugin;
|
||||
use OCA\DAV\CardDAV\PhotoCache;
|
||||
use OCA\DAV\CardDAV\Security\CardDavRateLimitingPlugin;
|
||||
use OCA\DAV\CardDAV\Validation\CardDavValidatePlugin;
|
||||
use OCA\DAV\Comments\CommentsPlugin;
|
||||
use OCA\DAV\Connector\Sabre\AnonymousOptionsPlugin;
|
||||
use OCA\DAV\Connector\Sabre\Auth;
|
||||
|
|
@ -181,6 +182,7 @@ class Server {
|
|||
));
|
||||
|
||||
$this->server->addPlugin(\OCP\Server::get(CardDavRateLimitingPlugin::class));
|
||||
$this->server->addPlugin(\OCP\Server::get(CardDavValidatePlugin::class));
|
||||
}
|
||||
|
||||
// system tags plugins
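Review bot: The listener added by the new `addPlugin` line is registered on `beforeMethod:PUT` of the shared DAV server, so it runs for every PUT this server dispatches, and whether it is only reached for address-book requests depends on the condition that opens the enclosing block, which starts outside this hunk. If that condition does not restrict the block to the addressbooks subtree, file uploads larger than the configured limit (5 MiB by default) through this endpoint would be refused with a 403 as well; worth confirming, or making the plugin itself check the request path before comparing the length. The plugin is registered a second time in the standalone CardDAV endpoint earlier in this commit; a one-line comment such as `// also registered by the standalone CardDAV endpoint; keep both in sync` next to this line would help the next maintainer.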
|
||||
|
|
|
|||
|
|
@ -0,0 +1,73 @@
|
|||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
|
||||
* SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
*/
|
||||
|
||||
namespace OCA\DAV\Tests\unit\CardDAV\Validation;
|
||||
|
||||
use OCA\DAV\CardDAV\Validation\CardDavValidatePlugin;
|
||||
use OCP\IAppConfig;
|
||||
use PHPUnit\Framework\MockObject\MockObject;
|
||||
use Sabre\DAV\Exception\Forbidden;
|
||||
use Sabre\HTTP\RequestInterface;
|
||||
use Sabre\HTTP\ResponseInterface;
|
||||
use Test\TestCase;
|
||||
|
||||
class CardDavValidatePluginTest extends TestCase {
|
||||
|
||||
private CardDavValidatePlugin $plugin;
|
||||
private IAppConfig|MockObject $config;
|
||||
private RequestInterface|MockObject $request;
|
||||
private ResponseInterface|MockObject $response;
|
||||
|
||||
protected function setUp(): void {
|
||||
parent::setUp();
|
||||
// construct mock objects
|
||||
$this->config = $this->createMock(IAppConfig::class);
|
||||
$this->request = $this->createMock(RequestInterface::class);
|
||||
$this->response = $this->createMock(ResponseInterface::class);
|
||||
$this->plugin = new CardDavValidatePlugin(
|
||||
$this->config,
|
||||
);
|
||||
}
|
||||
|
||||
public function testPutSizeLessThenLimit(): void {
|
||||
|
||||
// construct method responses
|
||||
$this->config
|
||||
->method('getValueInt')
|
||||
->with('dav', 'card_size_limit', 5242880)
|
||||
->willReturn(5242880);
|
||||
$this->request
|
||||
->method('getRawServerValue')
|
||||
->with('CONTENT_LENGTH')
|
||||
->willReturn('1024');
|
||||
// test condition
|
||||
$this->assertTrue(
|
||||
$this->plugin->beforePut($this->request, $this->response)
|
||||
);
|
||||
|
||||
}
|
||||
|
||||
public function testPutSizeMoreThenLimit(): void {
|
||||
|
||||
// construct method responses
|
||||
$this->config
|
||||
->method('getValueInt')
|
||||
->with('dav', 'card_size_limit', 5242880)
|
||||
->willReturn(5242880);
|
||||
$this->request
|
||||
->method('getRawServerValue')
|
||||
->with('CONTENT_LENGTH')
|
||||
->willReturn('6242880');
|
||||
$this->expectException(Forbidden::class);
|
||||
// test condition
|
||||
$this->plugin->beforePut($this->request, $this->response);
|
||||
|
||||
}
|
||||
|
||||
}
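Review bot: The two cases cover a numeric `CONTENT_LENGTH` below and above the limit but none for the header being absent, which is what `getRawServerValue` returns as null for a chunked PUT; a third case with `->willReturn(null)` pinning the intended outcome would document whether such requests are meant to pass (today they do, since `(int) null` is 0). The boundary is also untested: a case returning `'5242880'` should assert the request is accepted, since the plugin uses a strict greater-than. The method names `testPutSizeLessThenLimit` / `testPutSizeMoreThenLimit` should read `LessThan` / `MoreThan`.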
|
||||