Skip to content

Commit

Permalink
Merge pull request #4140 from nextcloud/fix/check-new-file-share
Browse files Browse the repository at this point in the history
Add brute force protection for public file creation
  • Loading branch information
juliusknorr authored Oct 18, 2024
2 parents f279ec9 + f138551 commit f1bc9cd
Showing 1 changed file with 22 additions and 5 deletions.
27 changes: 22 additions & 5 deletions lib/Controller/DocumentAPIController.php
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@
use OCA\Richdocuments\Helper;
use OCA\Richdocuments\TemplateManager;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\BruteForceProtection;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\Http\Attribute\PublicPage;
use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\Http\JSONResponse;
use OCP\Files\Folder;
Expand All @@ -23,6 +26,7 @@
use OCP\Files\Lock\NoLockProviderException;
use OCP\IL10N;
use OCP\IRequest;
use OCP\ISession;
use OCP\PreConditionNotMetException;
use OCP\Share\IManager;
use Psr\Log\LoggerInterface;
Expand All @@ -37,7 +41,8 @@ public function __construct(
private IL10N $l10n,
private LoggerInterface $logger,
private ILockManager $lockManager,
private $userId,
private ISession $session,
private ?string $userId,
) {
parent::__construct(Application::APPNAME, $request);
}
Expand All @@ -48,14 +53,26 @@ public function __construct(
* As the server template API for file creation is not available there, we need a dedicated API
* in order to properly create files as public page visitors. This is being called in the new file
* actions in src/view/NewFileMenu.js
*
* @NoAdminRequired
* @PublicPage
*/
#[NoAdminRequired]
#[PublicPage]
#[BruteForceProtection(action: 'richdocumentsCreatePublic')]
public function create(string $mimeType, string $fileName, string $directoryPath = '/', ?string $shareToken = null, ?int $templateId = null): JSONResponse {
try {
if ($shareToken !== null) {
$share = $this->shareManager->getShareByToken($shareToken);

if ($share->getPassword()) {
if (!$this->session->exists('public_link_authenticated')
|| $this->session->get('public_link_authenticated') !== (string)$share->getId()
) {
throw new Exception('Invalid password');
}
}

if (!($share->getPermissions() & \OCP\Constants::PERMISSION_CREATE)) {
throw new Exception('No create permissions');
}
}

$rootFolder = $shareToken !== null ? $share->getNode() : $this->rootFolder->getUserFolder($this->userId);
Expand Down Expand Up @@ -133,7 +150,7 @@ public function create(string $mimeType, string $fileName, string $directoryPath
]);
}

#[Http\Attribute\NoAdminRequired]
#[NoAdminRequired]
public function openLocal(int $fileId): DataResponse {
try {
$file = $this->rootFolder->getUserFolder($this->userId)->getFirstNodeById($fileId);
Expand Down

0 comments on commit f1bc9cd

Please sign in to comment.