Skip to content

Commit e2bd10e

Browse files
SebastianKrupinskiSebastianKrupinski
committed
fix(carddav): limit vcard size
Signed-off-by: SebastianKrupinski <[email protected]>
1 parent 6e1fa2c commit e2bd10e

File tree

6 files changed

+119
-0
lines changed

6 files changed

+119
-0
lines changed

apps/dav/appinfo/v1/carddav.php

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,7 @@
3333
use OCA\DAV\CardDAV\AddressBookRoot;
3434
use OCA\DAV\CardDAV\CardDavBackend;
3535
use OCA\DAV\CardDAV\Security\CardDavRateLimitingPlugin;
36+
use OCA\DAV\CardDAV\Validation\CardDavValidatePlugin;
3637
use OCA\DAV\Connector\LegacyDAVACL;
3738
use OCA\DAV\Connector\Sabre\Auth;
3839
use OCA\DAV\Connector\Sabre\ExceptionLoggerPlugin;
@@ -105,6 +106,7 @@
105106
)));
106107
$server->addPlugin(new ExceptionLoggerPlugin('carddav', \OC::$server->get(LoggerInterface::class)));
107108
$server->addPlugin(\OCP\Server::get(CardDavRateLimitingPlugin::class));
109+
$server->addPlugin(\OCP\Server::get(CardDavValidatePlugin::class));
108110

109111
// And off we go!
110112
$server->exec();

apps/dav/composer/composer/autoload_classmap.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -137,6 +137,7 @@
137137
'OCA\\DAV\\CardDAV\\SyncService' => $baseDir . '/../lib/CardDAV/SyncService.php',
138138
'OCA\\DAV\\CardDAV\\SystemAddressbook' => $baseDir . '/../lib/CardDAV/SystemAddressbook.php',
139139
'OCA\\DAV\\CardDAV\\UserAddressBooks' => $baseDir . '/../lib/CardDAV/UserAddressBooks.php',
140+
'OCA\\DAV\\CardDAV\\Validation\\CardDavValidatePlugin' => $baseDir . '/../lib/CardDAV/Validation/CardDavValidatePlugin.php',
140141
'OCA\\DAV\\CardDAV\\Xml\\Groups' => $baseDir . '/../lib/CardDAV/Xml/Groups.php',
141142
'OCA\\DAV\\Command\\CreateAddressBook' => $baseDir . '/../lib/Command/CreateAddressBook.php',
142143
'OCA\\DAV\\Command\\CreateCalendar' => $baseDir . '/../lib/Command/CreateCalendar.php',

apps/dav/composer/composer/autoload_static.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -152,6 +152,7 @@ class ComposerStaticInitDAV
152152
'OCA\\DAV\\CardDAV\\SyncService' => __DIR__ . '/..' . '/../lib/CardDAV/SyncService.php',
153153
'OCA\\DAV\\CardDAV\\SystemAddressbook' => __DIR__ . '/..' . '/../lib/CardDAV/SystemAddressbook.php',
154154
'OCA\\DAV\\CardDAV\\UserAddressBooks' => __DIR__ . '/..' . '/../lib/CardDAV/UserAddressBooks.php',
155+
'OCA\\DAV\\CardDAV\\Validation\\CardDavValidatePlugin' => __DIR__ . '/..' . '/../lib/CardDAV/Validation/CardDavValidatePlugin.php',
155156
'OCA\\DAV\\CardDAV\\Xml\\Groups' => __DIR__ . '/..' . '/../lib/CardDAV/Xml/Groups.php',
156157
'OCA\\DAV\\Command\\CreateAddressBook' => __DIR__ . '/..' . '/../lib/Command/CreateAddressBook.php',
157158
'OCA\\DAV\\Command\\CreateCalendar' => __DIR__ . '/..' . '/../lib/Command/CreateCalendar.php',

apps/dav/lib/CardDAV/Validation/CardDavValidatePlugin.php

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
<?php
2+
3+
declare(strict_types=1);
4+
5+
/*
6+
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
7+
* SPDX-License-Identifier: AGPL-3.0-or-later
8+
*/
9+
namespace OCA\DAV\CardDAV\Validation;
10+
11+
use OCA\DAV\AppInfo\Application;
12+
use OCP\IAppConfig;
13+
use Sabre\DAV\Exception\Forbidden;
14+
use Sabre\DAV\Server;
15+
use Sabre\DAV\ServerPlugin;
16+
use Sabre\HTTP\RequestInterface;
17+
use Sabre\HTTP\ResponseInterface;
18+
19+
class CardDavValidatePlugin extends ServerPlugin {
20+
21+
public function __construct(
22+
private IAppConfig $config
23+
) {
24+
}
25+
26+
public function initialize(Server $server): void {
27+
$server->on('beforeMethod:PUT', [$this, 'beforePut']);
28+
}
29+
30+
public function beforePut(RequestInterface $request, ResponseInterface $response): bool {
31+
// evaluate if card size exceeds defined limit
32+
$cardSizeLimit = (int) $this->config->getAppValue(Application::APP_ID, 'card_size_limit', '5242880');
33+
if ((int) $request->getRawServerValue('CONTENT_LENGTH') > $cardSizeLimit) {
34+
throw new Forbidden("VCard object exceeds $cardSizeLimit bytes");
35+
}
36+
// all tests passed return true
37+
return true;
38+
}
39+
40+
}

apps/dav/lib/Server.php

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -45,6 +45,7 @@
4545
use OCA\DAV\CardDAV\MultiGetExportPlugin;
4646
use OCA\DAV\CardDAV\PhotoCache;
4747
use OCA\DAV\CardDAV\Security\CardDavRateLimitingPlugin;
48+
use OCA\DAV\CardDAV\Validation\CardDavValidatePlugin;
4849
use OCA\DAV\Comments\CommentsPlugin;
4950
use OCA\DAV\Connector\Sabre\AnonymousOptionsPlugin;
5051
use OCA\DAV\Connector\Sabre\Auth;
@@ -213,6 +214,7 @@ public function __construct(IRequest $request, string $baseUri) {
213214
));
214215

215216
$this->server->addPlugin(\OCP\Server::get(CardDavRateLimitingPlugin::class));
217+
$this->server->addPlugin(\OCP\Server::get(CardDavValidatePlugin::class));
216218
}
217219

218220
// system tags plugins

apps/dav/tests/unit/CardDAV/Validation/CardDavValidatePluginTest.php

Lines changed: 73 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,73 @@
1+
<?php
2+
3+
declare(strict_types=1);
4+
5+
/*
6+
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
7+
* SPDX-License-Identifier: AGPL-3.0-or-later
8+
*/
9+
10+
namespace OCA\DAV\Tests\unit\CardDAV\Validation;
11+
12+
use OCA\DAV\CardDAV\Validation\CardDavValidatePlugin;
13+
use OCP\IAppConfig;
14+
use PHPUnit\Framework\MockObject\MockObject;
15+
use Sabre\DAV\Exception\Forbidden;
16+
use Sabre\HTTP\RequestInterface;
17+
use Sabre\HTTP\ResponseInterface;
18+
use Test\TestCase;
19+
20+
class CardDavValidatePluginTest extends TestCase {
21+
22+
private CardDavValidatePlugin $plugin;
23+
private IAppConfig|MockObject $config;
24+
private RequestInterface|MockObject $request;
25+
private ResponseInterface|MockObject $response;
26+
27+
protected function setUp(): void {
28+
parent::setUp();
29+
// construct mock objects
30+
$this->config = $this->createMock(IAppConfig::class);
31+
$this->request = $this->createMock(RequestInterface::class);
32+
$this->response = $this->createMock(ResponseInterface::class);
33+
$this->plugin = new CardDavValidatePlugin(
34+
$this->config,
35+
);
36+
}
37+
38+
public function testPutSizeLessThenLimit(): void {
39+
40+
// construct method responses
41+
$this->config
42+
->method('getAppValue')
43+
->with('dav', 'card_size_limit', '5242880')
44+
->willReturn('5242880');
45+
$this->request
46+
->method('getRawServerValue')
47+
->with('CONTENT_LENGTH')
48+
->willReturn('1024');
49+
// test condition
50+
$this->assertTrue(
51+
$this->plugin->beforePut($this->request, $this->response)
52+
);
53+
54+
}
55+
56+
public function testPutSizeMoreThenLimit(): void {
57+
58+
// construct method responses
59+
$this->config
60+
->method('getValue')
61+
->with('dav', 'card_size_limit', '5242880')
62+
->willReturn('5242880');
63+
$this->request
64+
->method('getRawServerValue')
65+
->with('CONTENT_LENGTH')
66+
->willReturn('6242880');
67+
$this->expectException(Forbidden::class);
68+
// test condition
69+
$this->plugin->beforePut($this->request, $this->response);
70+
71+
}
72+
73+
}

0 commit comments

Comments
 (0)