Skip to content

Comments

Prevent upload from sensitive path#9645

Closed
tobiasKaminsky wants to merge 1 commit intomasterfrom
sensitivePath
Closed

Prevent upload from sensitive path#9645
tobiasKaminsky wants to merge 1 commit intomasterfrom
sensitivePath

Conversation

@tobiasKaminsky
Copy link
Member

@tobiasKaminsky tobiasKaminsky commented Jan 4, 2022

Signed-off-by: tobiasKaminsky tobias@kaminsky.me

  • Tests written, or not not needed

@codecov
Copy link

codecov bot commented Jan 5, 2022

Codecov Report

Merging #9645 (d0aa5d4) into master (e88a4d9) will decrease coverage by 0.40%.
The diff coverage is 0.00%.

❗ Current head d0aa5d4 differs from pull request most recent head bb78c65. Consider uploading reports for the commit bb78c65 to get more accurate results

@@             Coverage Diff             @@
##             master   #9645      +/-   ##
===========================================
- Coverage      3.11%   2.71%   -0.41%     
+ Complexity      400     327      -73     
===========================================
  Files           505     505              
  Lines         38591   38579      -12     
  Branches       5383    5384       +1     
===========================================
- Hits           1203    1048     -155     
- Misses        37311   37481     +170     
+ Partials         77      50      -27     
Impacted Files Coverage Δ
...va/com/nextcloud/client/jobs/AccountRemovalWork.kt 0.00% <0.00%> (ø)
.../owncloud/android/files/services/FileUploader.java 0.00% <0.00%> (ø)
...loud/android/operations/DownloadFileOperation.java 0.00% <0.00%> (ø)
...ncloud/android/operations/RenameFileOperation.java 0.00% <0.00%> (ø)
...ud/android/providers/DocumentsStorageProvider.java 0.00% <0.00%> (ø)
...m/owncloud/android/services/OperationsService.java 0.00% <0.00%> (ø)
...ndroid/ui/activity/RichDocumentsEditorWebView.java 0.00% <0.00%> (ø)
...id/ui/asynctasks/CopyAndUploadContentUrisTask.java 0.00% <0.00%> (ø)
...a/com/owncloud/android/utils/FileStorageUtils.java 6.37% <ø> (+0.07%) ⬆️
.../third_parties/daveKoeller/AlphanumComparator.java 0.00% <0.00%> (-85.72%) ⬇️
... and 32 more

@AlvaroBrey
Copy link
Member

/rebase

@AlvaroBrey
Copy link
Member

/rebase

@AlvaroBrey
Copy link
Member

/rebase

Copy link
Member

@AlvaroBrey AlvaroBrey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

com.owncloud.android.files.services.FileUploaderIT > testKeepCancelStatic[android(AVD) - 8.1.0] �[31mFAILED �[0m
	junit.framework.AssertionFailedError
	at junit.framework.Assert.fail(Assert.java:48)

com.owncloud.android.files.services.FileUploaderIT > testKeepBothStatic[android(AVD) - 8.1.0] �[31mFAILED �[0m
	junit.framework.AssertionFailedError
	at junit.framework.Assert.fail(Assert.java:48)

com.owncloud.android.files.services.FileUploaderIT > testKeepLocalAndOverwriteRemoteStatic[android(AVD) - 8.1.0] �[31mFAILED �[0m
	junit.framework.AssertionFailedError
	at junit.framework.Assert.fail(Assert.java:48)

com.owncloud.android.files.services.FileUploaderIT > testKeepServerStatic[android(AVD) - 8.1.0] �[31mFAILED �[0m
	junit.framework.AssertionFailedError
	at junit.framework.Assert.fail(Assert.java:48)

FileUploaderIT uploads files from the internal temporal path, which includes the package name, so it makes sense that they fail.

Copy link
Member

@AlvaroBrey AlvaroBrey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lots of tests still failing as they upload from temporal path. Perhaps we should add an exception for the temporal paths?

@tobiasKaminsky
Copy link
Member Author

Perhaps we should add an exception for the temporal paths?

Indeed we need to do this, as we use temporary path when uploading a file from sdcard:

String temporalPath = FileStorageUtils.getInternalTemporalPath(user.getAccountName(), mContext) +

Let me change it 👍

@tobiasKaminsky tobiasKaminsky force-pushed the sensitivePath branch 2 times, most recently from 4f28c4f to de5299d Compare January 13, 2022 07:14
@AlvaroBrey
Copy link
Member

Tests still failing :\ This might be harder than expected

@tobiasKaminsky
Copy link
Member Author

/rebase

Copy link
Member

@AlvaroBrey AlvaroBrey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Quick smoketest: downloads are not working

2022-03-23 12:56:44.854 12951-13004/com.nextcloud.client I/DownloadFileRemoteOperation: Download of /100_MB.pdf to /data/user/0/com.nextcloud.client/files/nextcloud/tmp/MY_SERVER/100_MB.pdf: Operation finished with HTTP status code 200 (success)
2022-03-23 12:56:44.861 12951-13004/com.nextcloud.client I/DownloadFileOperation: Download of /100_MB.pdf to /storage/emulated/0/Android/media/com.nextcloud.client/nextcloud/MY_SERVER/100_MB.pdf: Error while moving file to final directory

@tobiasKaminsky
Copy link
Member Author

/rebase

@nextcloud-android-bot
Copy link
Collaborator

Codacy

Lint

TypemasterPR
Warnings8787
Errors00

SpotBugs

CategoryBaseNew
Bad practice2828
Correctness4444
Dodgy code360360
Experimental11
Internationalization99
Multithreaded correctness99
Performance6666
Security2929
Total546546

@github-actions
Copy link

github-actions bot commented May 9, 2022

@tobiasKaminsky tobiasKaminsky requested a review from AlvaroBrey May 9, 2022 13:13
Copy link
Member

@AlvaroBrey AlvaroBrey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! Needs a bit of cleanup though

@tobiasKaminsky tobiasKaminsky force-pushed the sensitivePath branch 2 times, most recently from 3609c59 to 77a9a37 Compare July 20, 2022 06:11
Signed-off-by: tobiasKaminsky <tobias@kaminsky.me>
@github-actions
Copy link

APK file: https://www.kaminsky.me/nc-dev/android-artifacts/9645.apk

qrcode

To test this change/fix you can simply download above APK file and install and test it in parallel to your existing Nextcloud app.

@github-actions
Copy link

Codacy

Lint

TypemasterPR
Warnings8585
Errors00

SpotBugs

CategoryBaseNew
Bad practice2929
Correctness4646
Dodgy code353353
Experimental11
Internationalization99
Multithreaded correctness99
Performance5959
Security2828
Total534534

@nextcloud-android-bot
Copy link
Collaborator

@nextcloud-android-bot
Copy link
Collaborator

@AlvaroBrey
Copy link
Member

Superseded by #10544

@AlvaroBrey AlvaroBrey closed this Aug 8, 2022
@tobiasKaminsky tobiasKaminsky deleted the sensitivePath branch September 23, 2022 14:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants