Sākums Izpētīt Palīdzība
Pierakstīties
RISCI_ATOM
/
nextcloud-server
spogulis no https://github.com/nextcloud/server.git
1
0
Atdalīts 0
Faili Problēmas 23 Vikivietne
Koks: 36e2e889ab
Atzari Tagi
nextcloud-serve...
/
lib
/
private
/
AppFramework
/
Middleware
/
Security
/
CORSMiddleware.php

CORSMiddleware.php 6.4 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175 
  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
    5. 

  5.  * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
    6. 

  6.  * SPDX-License-Identifier: AGPL-3.0-only
    7. 

  7.  */
    8. 

  8. namespace OC\AppFramework\Middleware\Security;
    9. 

  9. 

  10. use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
    11. 

  11. use OC\AppFramework\Utility\ControllerMethodReflector;
    12. 

  12. use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
    13. 

  13. use OC\User\Session;
    14. 

  14. use OCP\AppFramework\Controller;
    15. 

  15. use OCP\AppFramework\Http;
    16. 

  16. use OCP\AppFramework\Http\Attribute\CORS;
    17. 

  17. use OCP\AppFramework\Http\Attribute\PublicPage;
    18. 

  18. use OCP\AppFramework\Http\JSONResponse;
    19. 

  19. use OCP\AppFramework\Http\Response;
    20. 

  20. use OCP\AppFramework\Middleware;
    21. 

  21. use OCP\IRequest;
    22. 

  22. use OCP\ISession;
    23. 

  23. use OCP\Security\Bruteforce\IThrottler;
    24. 

  24. use Psr\Log\LoggerInterface;
    25. 

  25. use ReflectionMethod;
    26. 

  26. 

  27. /**
    28. 

  28.  * This middleware sets the correct CORS headers on a response if the
    29. 

  29.  * controller has the @CORS annotation. This is needed for webapps that want
    30. 

  30.  * to access an API and don't run on the same domain, see
    31. 

  31.  * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
    32. 

  32.  */
    33. 

  33. class CORSMiddleware extends Middleware {
    34. 

  34. 	/** @var IRequest */
    35. 

  35. 	private $request;
    36. 

  36. 	/** @var ControllerMethodReflector */
    37. 

  37. 	private $reflector;
    38. 

  38. 	/** @var Session */
    39. 

  39. 	private $session;
    40. 

  40. 	/** @var IThrottler */
    41. 

  41. 	private $throttler;
    42. 

  42. 

  43. 	public function __construct(
    44. 

  44. 		IRequest $request,
    45. 

  45. 		ControllerMethodReflector $reflector,
    46. 

  46. 		Session $session,
    47. 

  47. 		IThrottler $throttler,
    48. 

  48. 		private readonly LoggerInterface $logger,
    49. 

  49. 	) {
    50. 

  50. 		$this->request = $request;
    51. 

  51. 		$this->reflector = $reflector;
    52. 

  52. 		$this->session = $session;
    53. 

  53. 		$this->throttler = $throttler;
    54. 

  54. 	}
    55. 

  55. 

  56. 	/**
    57. 

  57. 	 * This is being run in normal order before the controller is being
    58. 

  58. 	 * called which allows several modifications and checks
    59. 

  59. 	 *
    60. 

  60. 	 * @param Controller $controller the controller that is being called
    61. 

  61. 	 * @param string $methodName the name of the method that will be called on
    62. 

  62. 	 *                           the controller
    63. 

  63. 	 * @throws SecurityException
    64. 

  64. 	 * @since 6.0.0
    65. 

  65. 	 */
    66. 

  66. 	public function beforeController($controller, $methodName) {
    67. 

  67. 		$reflectionMethod = new ReflectionMethod($controller, $methodName);
    68. 

  68. 

  69. 		// ensure that @CORS annotated API routes are not used in conjunction
    70. 

  70. 		// with session authentication since this enables CSRF attack vectors
    71. 

  71. 		if ($this->hasAnnotationOrAttribute($reflectionMethod, 'CORS', CORS::class) &&
    72. 

  72. 			(!$this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class) || $this->session->isLoggedIn())) {
    73. 

  73. 			$user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
    74. 

  74. 			$pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
    75. 

  75. 

  76. 			// Allow to use the current session if a CSRF token is provided
    77. 

  77. 			if ($this->request->passesCSRFCheck()) {
    78. 

  78. 				return;
    79. 

  79. 			}
    80. 

  80. 			// Skip CORS check for requests with AppAPI auth.
    81. 

  81. 			if ($this->session->getSession() instanceof ISession && $this->session->getSession()->get('app_api') === true) {
    82. 

  82. 				return;
    83. 

  83. 			}
    84. 

  84. 			$this->session->logout();
    85. 

  85. 			try {
    86. 

  86. 				if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
    87. 

  87. 					throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
    88. 

  88. 				}
    89. 

  89. 			} catch (PasswordLoginForbiddenException $ex) {
    90. 

  90. 				throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED);
    91. 

  91. 			}
    92. 

  92. 		}
    93. 

  93. 	}
    94. 

  94. 

  95. 	/**
    96. 

  96. 	 * @template T
    97. 

  97. 	 *
    98. 

  98. 	 * @param ReflectionMethod $reflectionMethod
    99. 

  99. 	 * @param string $annotationName
    100. 

  100. 	 * @param class-string<T> $attributeClass
    101. 

  101. 	 * @return boolean
    102. 

  102. 	 */
    103. 

  103. 	protected function hasAnnotationOrAttribute(ReflectionMethod $reflectionMethod, string $annotationName, string $attributeClass): bool {
    104. 

  104. 		if ($this->reflector->hasAnnotation($annotationName)) {
    105. 

  105. 			$this->logger->debug($reflectionMethod->getDeclaringClass()->getName() . '::' . $reflectionMethod->getName() . ' uses the @' . $annotationName . ' annotation and should use the #[' . $attributeClass . '] attribute instead');
    106. 

  106. 			return true;
    107. 

  107. 		}
    108. 

  108. 

  109. 

  110. 		if (!empty($reflectionMethod->getAttributes($attributeClass))) {
    111. 

  111. 			return true;
    112. 

  112. 		}
    113. 

  113. 

  114. 		return false;
    115. 

  115. 	}
    116. 

  116. 

  117. 	/**
    118. 

  118. 	 * This is being run after a successful controller method call and allows
    119. 

  119. 	 * the manipulation of a Response object. The middleware is run in reverse order
    120. 

  120. 	 *
    121. 

  121. 	 * @param Controller $controller the controller that is being called
    122. 

  122. 	 * @param string $methodName the name of the method that will be called on
    123. 

  123. 	 *                           the controller
    124. 

  124. 	 * @param Response $response the generated response from the controller
    125. 

  125. 	 * @return Response a Response object
    126. 

  126. 	 * @throws SecurityException
    127. 

  127. 	 */
    128. 

  128. 	public function afterController($controller, $methodName, Response $response) {
    129. 

  129. 		// only react if it's a CORS request and if the request sends origin and
    130. 

  130. 

  131. 		if (isset($this->request->server['HTTP_ORIGIN'])) {
    132. 

  132. 			$reflectionMethod = new ReflectionMethod($controller, $methodName);
    133. 

  133. 			if ($this->hasAnnotationOrAttribute($reflectionMethod, 'CORS', CORS::class)) {
    134. 

  134. 				// allow credentials headers must not be true or CSRF is possible
    135. 

  135. 				// otherwise
    136. 

  136. 				foreach ($response->getHeaders() as $header => $value) {
    137. 

  137. 					if (strtolower($header) === 'access-control-allow-credentials' &&
    138. 

  138. 					   strtolower(trim($value)) === 'true') {
    139. 

  139. 						$msg = 'Access-Control-Allow-Credentials must not be ' .
    140. 

  140. 							   'set to true in order to prevent CSRF';
    141. 

  141. 						throw new SecurityException($msg);
    142. 

  142. 					}
    143. 

  143. 				}
    144. 

  144. 

  145. 				$origin = $this->request->server['HTTP_ORIGIN'];
    146. 

  146. 				$response->addHeader('Access-Control-Allow-Origin', $origin);
    147. 

  147. 			}
    148. 

  148. 		}
    149. 

  149. 		return $response;
    150. 

  150. 	}
    151. 

  151. 

  152. 	/**
    153. 

  153. 	 * If an SecurityException is being caught return a JSON error response
    154. 

  154. 	 *
    155. 

  155. 	 * @param Controller $controller the controller that is being called
    156. 

  156. 	 * @param string $methodName the name of the method that will be called on
    157. 

  157. 	 *                           the controller
    158. 

  158. 	 * @param \Exception $exception the thrown exception
    159. 

  159. 	 * @throws \Exception the passed in exception if it can't handle it
    160. 

  160. 	 * @return Response a Response object or null in case that the exception could not be handled
    161. 

  161. 	 */
    162. 

  162. 	public function afterException($controller, $methodName, \Exception $exception) {
    163. 

  163. 		if ($exception instanceof SecurityException) {
    164. 

  164. 			$response = new JSONResponse(['message' => $exception->getMessage()]);
    165. 

  165. 			if ($exception->getCode() !== 0) {
    166. 

  166. 				$response->setStatus($exception->getCode());
    167. 

  167. 			} else {
    168. 

  168. 				$response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR);
    169. 

  169. 			}
    170. 

  170. 			return $response;
    171. 

  171. 		}
    172. 

  172. 

  173. 		throw $exception;
    174. 

  174. 	}
    175. 

  175. }
    176.