fix: use empty() to check if header exists#40856

DeepDiver1975 · 2023-07-03T08:49:23Z

Description

Related Issue

Fixes <issue_link>

Motivation and Context

How Has This Been Tested?

test environment:
test case 1:
test case 2:
...

Screenshots (if appropriate):

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Database schema changes (next release will require increase of minor version instead of patch)
Breaking change (fix or feature that would cause existing functionality to change)
Technical debt
Tests only (no source changes)

Checklist:

update-docs · 2023-07-03T08:49:27Z

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

ownclouders · 2023-07-04T11:29:25Z

💥 Acceptance tests pipeline apiAuthOcs-maria10.2-php7.4 failed. The build has been cancelled.

https://drone.owncloud.com/owncloud/core/38672/39

DeepDiver1975 · 2023-07-07T07:26:58Z

boom Acceptance tests pipeline apiAuthOcs-maria10.2-php7.4 failed. The build has been cancelled.

Tests are failing because the request token is missing in this scenario.

/ocs/v1.php/apps/files_sharing/api/v1/shares and /ocs/v1.php/privatedata/getattribute don't have the @NoCSRFRequired annotation while the others have it

As per our implemenation guidelines in the past we never require CSRF on GET - why it is done in this case is to be analysed ....

DeepDiver1975 · 2023-07-07T07:33:14Z

refs 3b4027f

jvillafanez

I assume the new NoCSRFRequired tags are needed, but I'm not sure... any quick confirmation?. The rest looks good.

jvillafanez · 2023-07-12T13:01:58Z

lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php

 		Util::callRegister();
 		if (!$this->reflector->hasAnnotation('NoCSRFRequired')) {
-			if (!$this->request->passesCSRFCheck() && $this->request->getHeader("Authorization") === null) {
+			$hasNoAuthHeader = empty($this->request->getHeader("Authorization"));


Authorization: 0 would through the exception. I guess this is ok since it's weird for "0" to be a valid value for the authorization header.

good catch - I always forget about these php weirdness ...
.... but yes - I'd consider 0 to be an invalid value ;-)

DeepDiver1975 · 2023-07-12T13:19:55Z

I assume the new NoCSRFRequired tags are needed, but I'm not sure... any quick confirmation?. The rest looks good.

CSRF annotations on any GET request are non-sense. CSRF is to protect again manipulations (PUT, POST, PATCH, DELETE)

(at least this is the way we did this since the beginning of time in ownCloud ....)

DeepDiver1975 · 2023-07-12T13:30:46Z

@jnweiger can you do the client tests for this please? THX

phil-davis · 2023-07-13T09:52:21Z

https://drone.owncloud.com/owncloud/core/38729/8/7

There was 1 failure:

1) Test\AppFramework\Middleware\Security\SecurityMiddlewareTest::testFailCsrfCheckWithoutAuthHeader
OCP\IRequest::getHeader('Authorization') was not expected to be called more than once.
/drone/src/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php:145
/drone/src/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php:353
phpvfscomposer:///drone/src/lib/composer/phpunit/phpunit/phpunit:106

A unit test fails.

sonarqubecloud · 2023-07-13T10:57:00Z

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
2 Code Smells

100.0% Coverage
0.0% Duplication

fix: use empty() to check if header exists

DeepDiver1975 force-pushed the fix/header-evaluation branch from 504f03f to 42f8f2f Compare July 4, 2023 11:20

DeepDiver1975 added the 3 - To Review label Jul 4, 2023

DeepDiver1975 force-pushed the fix/header-evaluation branch from 42f8f2f to 575eb49 Compare July 6, 2023 17:04

jvillafanez approved these changes Jul 12, 2023

View reviewed changes

DeepDiver1975 requested a review from jnweiger July 12, 2023 13:30

DeepDiver1975 force-pushed the fix/header-evaluation branch from 4c0866b to 03075d9 Compare July 12, 2023 21:45

DeepDiver1975 added 3 commits July 13, 2023 12:27

fix: check for empty string if header exists

9df63ce

fix: no CSRF required on GET requests

878e654

fix: no CRSF on /privatedata/getattribute

4c53f25

DeepDiver1975 force-pushed the fix/header-evaluation branch from 03075d9 to 4c53f25 Compare July 13, 2023 10:28

phil-davis approved these changes Jul 14, 2023

View reviewed changes

phil-davis merged commit d532e9c into master Jul 14, 2023

delete-merged-branch bot deleted the fix/header-evaluation branch July 14, 2023 04:22

DeepDiver1975 pushed a commit that referenced this pull request Aug 4, 2023

Merge pull request #40856 from owncloud/fix/header-evaluation

ed3b757

fix: use empty() to check if header exists

DeepDiver1975 pushed a commit that referenced this pull request Aug 4, 2023

Merge pull request #40856 from owncloud/fix/header-evaluation

3398ae0

fix: use empty() to check if header exists

DeepDiver1975 added a commit that referenced this pull request Aug 4, 2023

fix: use empty() to check if header exists (port #40856)

f9b76f6

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: use empty() to check if header exists#40856