Allow to configure "allowed domains" for CORS on DAV #40537
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Exclude DAV CORS handling when no Origin specified
This will exclude non-browser clients from CORS handling.
Fixes some clients like davfs which break when CORS is enabled.
* fix: CORS on WebDAV is not working
WebDAV is not working at all when used by on browser Javascript because the CORS headers
are only present in the OPTION request, but not in the subsequent WebDAV methods.
* This behavior is caused by a erroneous json_decode call while retriving the user's domains whitelist.
It return an object, so the is_array always fails and no header are sent.
* Add Access-Control-Expose-Headers - to allow clients to access certain headers
* Adding many headers as allowed headers + add capability to read additional allowed headers from config.php
susnux
requested review from
nickvergessen,
skjnldsv,
a team,
ArtificialOwl and
icewind1991
and removed request for
a team
I removed the beforeController logic here due to the change of handling CORS since PR 28457[1] According to previous implementation, CORS was only allowed with methods that had @publicpage notation for preventing CSRF attacks. But in the latest PR by me, the current implementations is as follows: * maintain a white-list of domains for whom CORS is enabled * This list can be viewed and edited under settings -> personal -> security This implementation removes the need for `@PublicPage`[2]. [1] owncloud/core#28457 [2] owncloud/core#28864
susnux
force-pushed
the
feat/cors-on-webdav
branch
from
b0a6b70
to
6955c85
Compare
susnux
added
3. to review
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
susnux
force-pushed
the
feat/cors-on-webdav
branch
from
6955c85
to
4c2f7b1
Compare
susnux
changed the title
Also make sure to only return allowed methods for DAV responses Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
susnux
force-pushed
the
feat/cors-on-webdav
branch
from
4c2f7b1
to
bcfaa85
Compare
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
| return; | ||
| } | ||
| } catch (\InvalidArgumentException $e) { | ||
| \OC::$server->getLogger()->debug('Invalid origin header was passed', ['Origin' => $originHeader, 'exception' => $e]); |
Check notice
Code scanning / Psalm
DeprecatedMethod Note
There was a problem hiding this comment.
Suggested change
| \OC::$server->getLogger()->debug('Invalid origin header was passed', ['Origin' => $originHeader, 'exception' => $e]); | |
| \OC::$server->get(LoggerInterface::class)->debug('Invalid origin header was passed', ['origin' => $originHeader, 'exception' => $e]); |
apps/dav/lib/Server.php
Dismissed
| @@ -130,6 +131,8 @@ | |||
| $this->server->addPlugin(new ProfilerPlugin($this->request)); | |||
| $this->server->addPlugin(new BlockLegacyClientPlugin(\OC::$server->getConfig())); | |||
| $this->server->addPlugin(new AnonymousOptionsPlugin()); | |||
| $this->server->addPlugin(new CorsPlugin(\OC::$server->getUserSession(), \OC::$server->getConfig())); | |||
Check notice
Code scanning / Psalm
DeprecatedMethod Note
There was a problem hiding this comment.
I think you can change to:
Suggested change
| $this->server->addPlugin(new CorsPlugin(\OC::$server->getUserSession(), \OC::$server->getConfig())); | |
| $this->server->addPlugin(new CorsPlugin(\OC::$server->get(IUserSession), \OC::$server->get(IConfig::class))); |
With:
use \OCP\IConfig;
use \OCP\IUserSession| * @return DataResponse | ||
| */ | ||
| public function updateUserEnabled($value) { | ||
| if (!is_bool($value)) { |
Check notice
Code scanning / Psalm
DocblockTypeContradiction Note
|
|
||
| // Reach here if it's valid | ||
| $response = new \OC\OCS\Result(null, 100, 'OPTIONS request successful'); | ||
| \OC_Response::setOptionsRequestHeaders($response, $this->config); |
Check failure
Code scanning / Psalm
InvalidArgument Error
This comment was marked as resolved.
This comment was marked as resolved.
Altahrim
reviewed
Sep 25, 2023
Comment on lines
+68
to
+70
| if (!$request->hasHeader('Origin')) { | ||
| return; | ||
| } |
There was a problem hiding this comment.
I think you can skip this part. The test $originHeader === null on line 72 is equivalent
| return; | ||
| } | ||
| } catch (\InvalidArgumentException $e) { | ||
| \OC::$server->getLogger()->debug('Invalid origin header was passed', ['Origin' => $originHeader, 'exception' => $e]); |
There was a problem hiding this comment.
Suggested change
| \OC::$server->getLogger()->debug('Invalid origin header was passed', ['Origin' => $originHeader, 'exception' => $e]); | |
| \OC::$server->get(LoggerInterface::class)->debug('Invalid origin header was passed', ['origin' => $originHeader, 'exception' => $e]); |
| */ | ||
| public function setOptionsRequestHeaders(RequestInterface $request, ResponseInterface $response) { | ||
| $authorization = $request->getHeader('Authorization'); | ||
| if ($authorization === null || $authorization === '') { |
There was a problem hiding this comment.
Maybe:
Suggested change
| if ($authorization === null || $authorization === '') { | |
| if (empty($authorization)) { |
apps/dav/lib/Server.php
Dismissed
| @@ -130,6 +131,8 @@ | |||
| $this->server->addPlugin(new ProfilerPlugin($this->request)); | |||
| $this->server->addPlugin(new BlockLegacyClientPlugin(\OC::$server->getConfig())); | |||
| $this->server->addPlugin(new AnonymousOptionsPlugin()); | |||
| $this->server->addPlugin(new CorsPlugin(\OC::$server->getUserSession(), \OC::$server->getConfig())); | |||
There was a problem hiding this comment.
I think you can change to:
Suggested change
| $this->server->addPlugin(new CorsPlugin(\OC::$server->getUserSession(), \OC::$server->getConfig())); | |
| $this->server->addPlugin(new CorsPlugin(\OC::$server->get(IUserSession), \OC::$server->get(IConfig::class))); |
With:
use \OCP\IConfig;
use \OCP\IUserSession
Comment on lines
+654
to
+660
| if ($protocol === 'http') { | ||
| $port = 80; | ||
| } elseif ($protocol === 'https') { | ||
| $port = 443; | ||
| } else { | ||
| throw new \InvalidArgumentException('Only http based URLs supported'); | ||
| } |
There was a problem hiding this comment.
Shorter version:
Suggested change
| if ($protocol === 'http') { | |
| $port = 80; | |
| } elseif ($protocol === 'https') { | |
| $port = 443; | |
| } else { | |
| throw new \InvalidArgumentException('Only http based URLs supported'); | |
| } | |
| $port = match($protocol) { | |
| 'http' => 80, | |
| 'https' => 443, | |
| }; |
Comment on lines
+58
to
+70
| public function __construct($AppName, IRequest $request, | ||
| IUserSession $userSession, | ||
| ILogger $logger, | ||
| IURLGenerator $urlGenerator, | ||
| IConfig $config) { | ||
| parent::__construct($AppName, $request); | ||
|
|
||
| $this->AppName = $AppName; | ||
| $this->config = $config; | ||
| $this->userId = $userSession->getUser()->getUID(); | ||
| $this->logger = $logger; | ||
| $this->urlGenerator = $urlGenerator; | ||
| } |
There was a problem hiding this comment.
Can use properties promotion:
Suggested change
| public function __construct($AppName, IRequest $request, | |
| IUserSession $userSession, | |
| ILogger $logger, | |
| IURLGenerator $urlGenerator, | |
| IConfig $config) { | |
| parent::__construct($AppName, $request); | |
| $this->AppName = $AppName; | |
| $this->config = $config; | |
| $this->userId = $userSession->getUser()->getUID(); | |
| $this->logger = $logger; | |
| $this->urlGenerator = $urlGenerator; | |
| } | |
| public function __construct( | |
| $AppName, IRequest $request, | |
| IUserSession $userSession, | |
| private LoggerInterface $logger, | |
| private IURLGenerator $urlGenerator, | |
| private IConfig $config | |
| ) { | |
| parent::__construct($AppName, $request); | |
| $this->userId = $userSession->getUser()->getUID(); | |
| } |
Also replace deprecated ILogger
Comment on lines
+93
to
+97
| if (empty($this->config->getUserValue($userId, 'core', 'domains'))) { | ||
| $domains = []; | ||
| } else { | ||
| $domains = json_decode($this->config->getUserValue($userId, 'core', 'domains')); | ||
| } |
There was a problem hiding this comment.
Suggested change
| if (empty($this->config->getUserValue($userId, 'core', 'domains'))) { | |
| $domains = []; | |
| } else { | |
| $domains = json_decode($this->config->getUserValue($userId, 'core', 'domains')); | |
| } | |
| $domains = empty($this->config->getUserValue($userId, 'core', 'domains') | |
| ? [] | |
| : json_decode($this->config->getUserValue($userId, 'core', 'domains'), flags: JSON_THROW_ON_ERROR); |
| * @param string $domain The domain to whitelist | ||
| * @return RedirectResponse Redirection to the settings page. | ||
| */ | ||
| public function addDomain($domain) { |
There was a problem hiding this comment.
Can we enforce it here?
Suggested change
| public function addDomain($domain) { | |
| public function addDomain(string $domain) { |
| * @return RedirectResponse Redirection to the settings page. | ||
| */ | ||
| public function addDomain($domain) { | ||
| if (!isset($domain) || !self::isValidUrl($domain)) { |
There was a problem hiding this comment.
If so:
Suggested change
| if (!isset($domain) || !self::isValidUrl($domain)) { | |
| if ($domain === '' || !self::isValidUrl($domain)) { |
Merged
This was referenced Mar 12, 2024
Merged
Merged
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
check if CORS support in login v2 and OAuth2 flow #34898(not yet)Summary
This adds CORS support to the DAV routes, the default is non breaking -> so no other domain is allowed.
But the admin can configure a list of allowed domains which will be allowed to access the DAV routes using CORS.
Moreover the admin can enable user defined lists, meaning that users can add their own allowed domains for WebDAV related requests, see #30964.
Why do we need CORS on DAV?
See #3131
Basically to access it within the browser from a different page, like e.g. the Dropbox file picker with allows you to pick files from your cloud onto another page (e.g. upload something from cloud to form etc).
Screenshot
Todo
Checklist