Prevent upload from sensitive path

[tobiasKaminsky]

Signed-off-by: tobiasKaminsky tobias@kaminsky.me

• Tests written, or not not needed

[codecov]

Codecov Report

Merging #9645 (d0aa5d4) into master (e88a4d9) will decrease coverage by 0.40%.
The diff coverage is 0.00%.

❗ Current head d0aa5d4 differs from pull request most recent head bb78c65. Consider uploading reports for the commit bb78c65 to get more accurate results

@@             Coverage Diff             @@
##             master   #9645      +/-   ##
===========================================
- Coverage      3.11%   2.71%   -0.41%     
+ Complexity      400     327      -73     
===========================================
  Files           505     505              
  Lines         38591   38579      -12     
  Branches       5383    5384       +1     
===========================================
- Hits           1203    1048     -155     
- Misses        37311   37481     +170     
+ Partials         77      50      -27     

Impacted Files	Coverage Δ
...va/com/nextcloud/client/jobs/AccountRemovalWork.kt	0.00% <0.00%> (ø)
.../owncloud/android/files/services/FileUploader.java	0.00% <0.00%> (ø)
...loud/android/operations/DownloadFileOperation.java	0.00% <0.00%> (ø)
...ncloud/android/operations/RenameFileOperation.java	0.00% <0.00%> (ø)
...ud/android/providers/DocumentsStorageProvider.java	0.00% <0.00%> (ø)
...m/owncloud/android/services/OperationsService.java	0.00% <0.00%> (ø)
...ndroid/ui/activity/RichDocumentsEditorWebView.java	0.00% <0.00%> (ø)
...id/ui/asynctasks/CopyAndUploadContentUrisTask.java	0.00% <0.00%> (ø)
...a/com/owncloud/android/utils/FileStorageUtils.java	6.37% <ø> (+0.07%)	⬆️
.../third_parties/daveKoeller/AlphanumComparator.java	0.00% <0.00%> (-85.72%)	⬇️
... and 32 more

[AlvaroBrey]

/rebase

[AlvaroBrey]

/rebase

[AlvaroBrey]

/rebase

[AlvaroBrey]

com.owncloud.android.files.services.FileUploaderIT > testKeepCancelStatic[android(AVD) - 8.1.0] �[31mFAILED �[0m
	junit.framework.AssertionFailedError
	at junit.framework.Assert.fail(Assert.java:48)

com.owncloud.android.files.services.FileUploaderIT > testKeepBothStatic[android(AVD) - 8.1.0] �[31mFAILED �[0m
	junit.framework.AssertionFailedError
	at junit.framework.Assert.fail(Assert.java:48)

com.owncloud.android.files.services.FileUploaderIT > testKeepLocalAndOverwriteRemoteStatic[android(AVD) - 8.1.0] �[31mFAILED �[0m
	junit.framework.AssertionFailedError
	at junit.framework.Assert.fail(Assert.java:48)

com.owncloud.android.files.services.FileUploaderIT > testKeepServerStatic[android(AVD) - 8.1.0] �[31mFAILED �[0m
	junit.framework.AssertionFailedError
	at junit.framework.Assert.fail(Assert.java:48)

FileUploaderIT uploads files from the internal temporal path, which includes the package name, so it makes sense that they fail.

[AlvaroBrey]

Lots of tests still failing as they upload from temporal path. Perhaps we should add an exception for the temporal paths?

[tobiasKaminsky]

Perhaps we should add an exception for the temporal paths?

Indeed we need to do this, as we use temporary path when uploading a file from sdcard:

android/src/main/java/com/owncloud/android/operations/UploadFileOperation.java

Line 549 in 883857d

String temporalPath = FileStorageUtils.getInternalTemporalPath(user.getAccountName(), mContext) +

Let me change it 👍

[AlvaroBrey]

Tests still failing :\ This might be harder than expected

[tobiasKaminsky]

/rebase

[AlvaroBrey]

Quick smoketest: downloads are not working

2022-03-23 12:56:44.854 12951-13004/com.nextcloud.client I/DownloadFileRemoteOperation: Download of /100_MB.pdf to /data/user/0/com.nextcloud.client/files/nextcloud/tmp/MY_SERVER/100_MB.pdf: Operation finished with HTTP status code 200 (success)
2022-03-23 12:56:44.861 12951-13004/com.nextcloud.client I/DownloadFileOperation: Download of /100_MB.pdf to /storage/emulated/0/Android/media/com.nextcloud.client/nextcloud/MY_SERVER/100_MB.pdf: Error while moving file to final directory

[tobiasKaminsky]

/rebase

[nextcloud-android-bot]

Codacy

Lint

Type	master	PR
Warnings	87	87
Errors	0	0

SpotBugs

Category	Base	New
Bad practice	28	28
Correctness	44	44
Dodgy code	360	360
Experimental	1	1
Internationalization	9	9
Multithreaded correctness	9	9
Performance	66	66
Security	29	29
Total	546	546

[github-actions]

blue-Light-IT test failed: https://www.kaminsky.me/nc-dev/android-integrationTests/9645-Screenshot-blue-Light-12-51

[AlvaroBrey]

Nice! Needs a bit of cleanup though

[github-actions]

APK file: https://www.kaminsky.me/nc-dev/android-artifacts/9645.apk



To test this change/fix you can simply download above APK file and install and test it in parallel to your existing Nextcloud app.

[github-actions]

Codacy

Lint

Type	master	PR
Warnings	85	85
Errors	0	0

SpotBugs

Category	Base	New
Bad practice	29	29
Correctness	46	46
Dodgy code	353	353
Experimental	1	1
Internationalization	9	9
Multithreaded correctness	9	9
Performance	59	59
Security	28	28
Total	534	534

[nextcloud-android-bot]

master-IT test failed: https://www.kaminsky.me/nc-dev/android-integrationTests/5552-IT-master-10-04

[nextcloud-android-bot]

stable-IT test failed: https://www.kaminsky.me/nc-dev/android-integrationTests/5552-IT-stable-10-04

[AlvaroBrey]

Superseded by #10544