feat(ocm-add-share): add validation to detect idn homograph attacks

Signed-off-by: Cristian Scheid <cristianscheid@gmail.com>
This commit is contained in:
Cristian Scheid 2026-06-15 13:34:35 -03:00 committed by backportbot[bot]
parent 5ae0ed355e
commit b6064a64c1


@ -180,6 +180,28 @@ class RequestHandlerController extends Controller {
$sharedByDisplayName = $ownerDisplayName;
}
$ownerDomain = str_contains($owner, '@') ? substr(strrchr($owner, '@'), 1) : null;
$sharedByDomain = str_contains($sharedBy, '@') ? substr(strrchr($sharedBy, '@'), 1) : null;
$domainsToCheck = array_unique(array_filter([$ownerDomain, $sharedByDomain]));
if (count($domainsToCheck) !== 0) {
$spoofChecker = new \Spoofchecker();
foreach ($domainsToCheck as $domain) {
// detect suspicious chars (e.g. "pаypаl" spelled with Cyrillic "а" characters)
// see https://www.php.net/manual/en/spoofchecker.issuspicious.php
if ($spoofChecker->isSuspicious($domain)) {
$response = new JSONResponse(
[
'message' => 'Suspicious domain detected on owner or sharedBy field',
'validationErrors' => [],
],
Http::STATUS_BAD_REQUEST
);
$response->throttle();
return $response;
}
}
}
try {
$provider = $this->cloudFederationProviderManager->getCloudFederationProvider($resourceType);
$share = $this->factory->getCloudFederationShare($shareWith, $name, $description, $providerId, $owner, $ownerDisplayName, $sharedBy, $sharedByDisplayName, '', $shareType, $resourceType);
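Review bot: The new `isSuspicious()` call operates on the domain string exactly as it arrived in the request, so a hostname that a peer transmits in its IDNA/ACE (`xn--…`) form is pure ASCII and will never be reported as suspicious, which defeats the homograph check for the most common wire encoding of an internationalised domain. Normalising to Unicode first closes that gap without changing the existing error path, e.g. `$unicodeDomain = idn_to_utf8($domain, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);` followed by `if ($spoofChecker->isSuspicious($unicodeDomain !== false ? $unicodeDomain : $domain)) {`, falling back to the raw value when decoding fails so a malformed label is still inspected. `new \Spoofchecker()` also presumes the intl extension is loaded; if this controller can run on deployments where it is optional, a comment such as `// requires ext-intl (Spoofchecker); request fails hard otherwise` above line 18 would make the dependency explicit. The enclosing method of RequestHandlerController starts and ends outside this hunk.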