Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

chore(quality): apply Hydra full-branch review findings — SPDX, gate-9, SSRF, path-traversal#33

Merged
rubenvdlinde merged 3 commits into
developmentfrom
chore/apply-hydra-quality-fixes
May 2, 2026
Merged

chore(quality): apply Hydra full-branch review findings — SPDX, gate-9, SSRF, path-traversal#33
rubenvdlinde merged 3 commits into
developmentfrom
chore/apply-hydra-quality-fixes

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

Applies the actionable findings from the 2026-05-02 Hydra full-branch security + code review dogfood (tracking issue) directly to development. PR #29 was already merged when the dogfood ran, so Hydra's commits landed on a Hydra-internal pr-branch ref with no path to development. This PR brings the validated work onto the canonical branch.

What's in the diff

From Juan Claude van Damme's code-review run (commit 1cc7df9 on Hydra's pr-branch):

  • 31 PHP files@license AGPL-3.0-or-later + @copyright Conduction B.V. PHPDoc headers added to every file under lib/ (gate-1 / ADR-014).
  • lib/Controller/ApiController.php#[NoAdminRequired] removed from 14 admin-only OCS methods; the body's if (!isAdmin()) return 403 guard remains as defence-in-depth (gate-9 / ADR-005 / ADR-016 semantic-auth fix). NC middleware now enforces admin at the framework level.
  • cs-fixer style normalisations on 7 files (single-arg constructors expanded to multi-line) — no logic change.

Re-applied manually from Clyde Barcode's security-review run (his commit 2355f7a was lost — never pushed to remote due to a Hydra entrypoint bug, see ConductionNL/hydra#216):

  • lib/Service/ExternalReleaseInstallerService.php'nextcloud' => ['allow_local_address' => false] added to authenticatedDownload() and verifyChecksum() HTTP options. SSRF defence-in-depth — without this, a malicious GitHub release could redirect the download to an internal address and leak the PAT Bearer token. Mirrors PatValidator's existing pattern. (OWASP A10:2021)
  • lib/Service/Source/SourceBinding.php — constructor now preg_match-validates owner/repo charset. The TrustedSourceList fnmatch allowlist's * matches /, so ConductionNL/../../../x would otherwise pass; this rejects path-traversal at the boundary. Charset matches GitHub's own owner/repo rules. (CWE-22 / OWASP A01:2021)

Quality

  • ✅ Juan ran the full quality suite during the original review — phpunit 91/91 PASS, php-cs-fixer check PASS, composer audit no CVEs, all hydra-gates PASS
  • ✅ Existing SourceBindingTest tests use 'ConductionNL' / 'openregister' — both pass the new regex (alphanumerics)
  • Re-runs in this PR's CI

Provenance

Test plan

  • CI green
  • Manual smoke: SourceBinding::github('ConductionNL', 'openregister') constructs cleanly
  • Manual: SourceBinding::github('ConductionNL', '../../../etc') throws InvalidArgumentException

Hydra Pipeline and others added 2 commits May 2, 2026 16:29
… SourceBinding

Two findings from Clyde Barcode's full-branch security audit on PR #29
(see #32 for the tracking issue, the verdict
comments on PR #29, and the dogfood context).

1. SSRF defence-in-depth — ExternalReleaseInstallerService.php
   authenticatedDownload() and verifyChecksum() fetched URLs from the
   GitHub API browser_download_url field without
   'nextcloud' => ['allow_local_address' => false]. A malicious release
   in a trusted-source-listed repo could redirect the download to an
   internal address, forwarding the PAT Bearer token. PatValidator
   already sets this option correctly — mirrored the pattern in both
   methods. (OWASP A10:2021)

2. Path-traversal guard — SourceBinding.php
   The constructor accepted any string for owner/repo. fnmatch in
   TrustedSourceList lets `*` match `/`, so `ConductionNL/../../../x`
   passes the allowlist. Adding preg_match validation to the constructor
   rejects invalid characters at the boundary; charset matches GitHub's
   own owner/repo rules (alphanumerics, dot, dash, underscore).
   (CWE-22 / OWASP A01:2021)

Both fixes mirror Conduction's existing patterns in the same app and
do not introduce new dependencies. Bounded mechanical changes, no
behaviour change for legitimate inputs.

Bundles 31 SPDX header additions + the gate-9 #[NoAdminRequired] batch
removal from Juan Claude van Damme's earlier review run (commit 1cc7df9
on the pr-branch ref) in the same PR.
@rubenvdlinde rubenvdlinde merged commit b4104e9 into development May 2, 2026
1 of 7 checks passed
@rubenvdlinde rubenvdlinde deleted the chore/apply-hydra-quality-fixes branch May 2, 2026 21:21
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant