ExceptionSerializer.php 7.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301
  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-License-Identifier: AGPL-3.0-or-later
  5. */
  6. namespace OC\Log;
  7. use OC\Core\Controller\SetupController;
  8. use OC\Http\Client\Client;
  9. use OC\Security\IdentityProof\Key;
  10. use OC\Setup;
  11. use OC\SystemConfig;
  12. use OCA\Encryption\Controller\RecoveryController;
  13. use OCA\Encryption\Controller\SettingsController;
  14. use OCA\Encryption\Crypto\Crypt;
  15. use OCA\Encryption\Crypto\Encryption;
  16. use OCA\Encryption\Hooks\UserHooks;
  17. use OCA\Encryption\KeyManager;
  18. use OCA\Encryption\Session;
  19. use OCP\HintException;
  20. class ExceptionSerializer {
  21. public const SENSITIVE_VALUE_PLACEHOLDER = '*** sensitive parameters replaced ***';
  22. public const methodsWithSensitiveParameters = [
  23. // Session/User
  24. 'completeLogin',
  25. 'login',
  26. 'checkPassword',
  27. 'checkPasswordNoLogging',
  28. 'loginWithPassword',
  29. 'updatePrivateKeyPassword',
  30. 'validateUserPass',
  31. 'loginWithToken',
  32. '{closure}',
  33. 'createSessionToken',
  34. // Provisioning
  35. 'addUser',
  36. // TokenProvider
  37. 'getToken',
  38. 'isTokenPassword',
  39. 'getPassword',
  40. 'decryptPassword',
  41. 'logClientIn',
  42. 'generateToken',
  43. 'validateToken',
  44. // TwoFactorAuth
  45. 'solveChallenge',
  46. 'verifyChallenge',
  47. // ICrypto
  48. 'calculateHMAC',
  49. 'encrypt',
  50. 'decrypt',
  51. // LoginController
  52. 'tryLogin',
  53. 'confirmPassword',
  54. // LDAP
  55. 'bind',
  56. 'areCredentialsValid',
  57. 'invokeLDAPMethod',
  58. // Encryption
  59. 'storeKeyPair',
  60. 'setupUser',
  61. 'checkSignature',
  62. // files_external: OCA\Files_External\MountConfig
  63. 'getBackendStatus',
  64. // files_external: UserStoragesController
  65. 'update',
  66. // Preview providers, don't log big data strings
  67. 'imagecreatefromstring',
  68. // text: PublicSessionController, SessionController and ApiService
  69. 'create',
  70. 'close',
  71. 'push',
  72. 'sync',
  73. 'updateSession',
  74. 'mention',
  75. 'loginSessionUser',
  76. ];
  77. public function __construct(
  78. private SystemConfig $systemConfig,
  79. ) {
  80. }
  81. protected array $methodsWithSensitiveParametersByClass = [
  82. SetupController::class => [
  83. 'run',
  84. 'display',
  85. 'loadAutoConfig',
  86. ],
  87. Setup::class => [
  88. 'install'
  89. ],
  90. Key::class => [
  91. '__construct'
  92. ],
  93. Client::class => [
  94. 'request',
  95. 'delete',
  96. 'deleteAsync',
  97. 'get',
  98. 'getAsync',
  99. 'head',
  100. 'headAsync',
  101. 'options',
  102. 'optionsAsync',
  103. 'patch',
  104. 'post',
  105. 'postAsync',
  106. 'put',
  107. 'putAsync',
  108. ],
  109. \Redis::class => [
  110. 'auth'
  111. ],
  112. \RedisCluster::class => [
  113. '__construct'
  114. ],
  115. Crypt::class => [
  116. 'symmetricEncryptFileContent',
  117. 'encrypt',
  118. 'generatePasswordHash',
  119. 'encryptPrivateKey',
  120. 'decryptPrivateKey',
  121. 'isValidPrivateKey',
  122. 'symmetricDecryptFileContent',
  123. 'checkSignature',
  124. 'createSignature',
  125. 'decrypt',
  126. 'multiKeyDecrypt',
  127. 'multiKeyEncrypt',
  128. ],
  129. RecoveryController::class => [
  130. 'adminRecovery',
  131. 'changeRecoveryPassword'
  132. ],
  133. SettingsController::class => [
  134. 'updatePrivateKeyPassword',
  135. ],
  136. Encryption::class => [
  137. 'encrypt',
  138. 'decrypt',
  139. ],
  140. KeyManager::class => [
  141. 'checkRecoveryPassword',
  142. 'storeKeyPair',
  143. 'setRecoveryKey',
  144. 'setPrivateKey',
  145. 'setFileKey',
  146. 'setAllFileKeys',
  147. ],
  148. Session::class => [
  149. 'setPrivateKey',
  150. 'prepareDecryptAll',
  151. ],
  152. \OCA\Encryption\Users\Setup::class => [
  153. 'setupUser',
  154. ],
  155. UserHooks::class => [
  156. 'login',
  157. 'postCreateUser',
  158. 'postDeleteUser',
  159. 'prePasswordReset',
  160. 'postPasswordReset',
  161. 'preSetPassphrase',
  162. 'setPassphrase',
  163. ],
  164. ];
  165. private function editTrace(array &$sensitiveValues, array $traceLine): array {
  166. if (isset($traceLine['args'])) {
  167. $sensitiveValues = array_merge($sensitiveValues, $traceLine['args']);
  168. }
  169. $traceLine['args'] = [self::SENSITIVE_VALUE_PLACEHOLDER];
  170. return $traceLine;
  171. }
  172. private function filterTrace(array $trace) {
  173. $sensitiveValues = [];
  174. $trace = array_map(function (array $traceLine) use (&$sensitiveValues) {
  175. $className = $traceLine['class'] ?? '';
  176. if ($className && isset($this->methodsWithSensitiveParametersByClass[$className])
  177. && in_array($traceLine['function'], $this->methodsWithSensitiveParametersByClass[$className], true)) {
  178. return $this->editTrace($sensitiveValues, $traceLine);
  179. }
  180. foreach (self::methodsWithSensitiveParameters as $sensitiveMethod) {
  181. if (str_contains($traceLine['function'], $sensitiveMethod)) {
  182. return $this->editTrace($sensitiveValues, $traceLine);
  183. }
  184. }
  185. return $traceLine;
  186. }, $trace);
  187. return array_map(function (array $traceLine) use ($sensitiveValues) {
  188. if (isset($traceLine['args'])) {
  189. $traceLine['args'] = $this->removeValuesFromArgs($traceLine['args'], $sensitiveValues);
  190. }
  191. return $traceLine;
  192. }, $trace);
  193. }
  194. private function removeValuesFromArgs($args, $values): array {
  195. $workArgs = [];
  196. foreach ($args as $key => $arg) {
  197. if (in_array($arg, $values, true)) {
  198. $arg = self::SENSITIVE_VALUE_PLACEHOLDER;
  199. } elseif (is_array($arg)) {
  200. $arg = $this->removeValuesFromArgs($arg, $values);
  201. }
  202. $workArgs[$key] = $arg;
  203. }
  204. return $workArgs;
  205. }
  206. private function encodeTrace($trace) {
  207. $trace = array_map(function (array $line) {
  208. if (isset($line['args'])) {
  209. $line['args'] = array_map([$this, 'encodeArg'], $line['args']);
  210. }
  211. return $line;
  212. }, $trace);
  213. return $this->filterTrace($trace);
  214. }
  215. private function encodeArg($arg, $nestingLevel = 5) {
  216. if (is_object($arg)) {
  217. if ($nestingLevel === 0) {
  218. return [
  219. '__class__' => get_class($arg),
  220. '__properties__' => 'Encoding skipped as the maximum nesting level was reached',
  221. ];
  222. }
  223. $objectInfo = [ '__class__' => get_class($arg) ];
  224. $objectVars = get_object_vars($arg);
  225. return array_map(function ($arg) use ($nestingLevel) {
  226. return $this->encodeArg($arg, $nestingLevel - 1);
  227. }, array_merge($objectInfo, $objectVars));
  228. }
  229. if (is_array($arg)) {
  230. if ($nestingLevel === 0) {
  231. return ['Encoding skipped as the maximum nesting level was reached'];
  232. }
  233. // Only log the first 5 elements of an array unless we are on debug
  234. if ((int)$this->systemConfig->getValue('loglevel', 2) !== 0) {
  235. $elemCount = count($arg);
  236. if ($elemCount > 5) {
  237. $arg = array_slice($arg, 0, 5);
  238. $arg[] = 'And ' . ($elemCount - 5) . ' more entries, set log level to debug to see all entries';
  239. }
  240. }
  241. return array_map(function ($e) use ($nestingLevel) {
  242. return $this->encodeArg($e, $nestingLevel - 1);
  243. }, $arg);
  244. }
  245. return $arg;
  246. }
  247. public function serializeException(\Throwable $exception): array {
  248. $data = [
  249. 'Exception' => get_class($exception),
  250. 'Message' => $exception->getMessage(),
  251. 'Code' => $exception->getCode(),
  252. 'Trace' => $this->encodeTrace($exception->getTrace()),
  253. 'File' => $exception->getFile(),
  254. 'Line' => $exception->getLine(),
  255. ];
  256. if ($exception instanceof HintException) {
  257. $data['Hint'] = $exception->getHint();
  258. }
  259. if ($exception->getPrevious()) {
  260. $data['Previous'] = $this->serializeException($exception->getPrevious());
  261. }
  262. return $data;
  263. }
  264. public function enlistSensitiveMethods(string $class, array $methods): void {
  265. if (!isset($this->methodsWithSensitiveParametersByClass[$class])) {
  266. $this->methodsWithSensitiveParametersByClass[$class] = [];
  267. }
  268. $this->methodsWithSensitiveParametersByClass[$class] = array_merge($this->methodsWithSensitiveParametersByClass[$class], $methods);
  269. }
  270. }