fix(caldav): stricter default calendar checks

Reject calendars that

- are subscriptions

- are not writable

- are shared with a user

- are deleted

- don't support VEVENTs

Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>

[skip ci]

Author: st3iny

apps/dav/appinfo/v1/caldav.php

@@ -29,6 +29,7 @@
 use OC\KnownUser\KnownUserService;
 use OCA\DAV\CalDAV\CalDavBackend;
 use OCA\DAV\CalDAV\CalendarRoot;
+use OCA\DAV\CalDAV\DefaultCalendarValidator;
 use OCA\DAV\CalDAV\Security\RateLimitingPlugin;
 use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
 use OCA\DAV\Connector\LegacyDAVACL;
@@ -112,7 +113,7 @@
 
 $server->addPlugin(new \Sabre\DAV\Sync\Plugin());
 $server->addPlugin(new \Sabre\CalDAV\ICSExportPlugin());
-$server->addPlugin(new \OCA\DAV\CalDAV\Schedule\Plugin(\OC::$server->getConfig(), \OC::$server->get(LoggerInterface::class)));
+$server->addPlugin(new \OCA\DAV\CalDAV\Schedule\Plugin(\OC::$server->getConfig(), \OC::$server->get(LoggerInterface::class), \OC::$server->get(DefaultCalendarValidator::class)));
 
 if ($sendInvitations) {
 	$server->addPlugin(\OC::$server->query(\OCA\DAV\CalDAV\Schedule\IMipPlugin::class));

apps/dav/composer/composer/autoload_classmap.php

@@ -58,6 +58,7 @@
     'OCA\\DAV\\CalDAV\\CalendarObject' => $baseDir . '/../lib/CalDAV/CalendarObject.php',
     'OCA\\DAV\\CalDAV\\CalendarProvider' => $baseDir . '/../lib/CalDAV/CalendarProvider.php',
     'OCA\\DAV\\CalDAV\\CalendarRoot' => $baseDir . '/../lib/CalDAV/CalendarRoot.php',
+    'OCA\\DAV\\CalDAV\\DefaultCalendarValidator' => $baseDir . '/../lib/CalDAV/DefaultCalendarValidator.php',
     'OCA\\DAV\\CalDAV\\EventComparisonService' => $baseDir . '/../lib/CalDAV/EventComparisonService.php',
     'OCA\\DAV\\CalDAV\\FreeBusy\\FreeBusyGenerator' => $baseDir . '/../lib/CalDAV/FreeBusy/FreeBusyGenerator.php',
     'OCA\\DAV\\CalDAV\\ICSExportPlugin\\ICSExportPlugin' => $baseDir . '/../lib/CalDAV/ICSExportPlugin/ICSExportPlugin.php',

apps/dav/composer/composer/autoload_static.php

@@ -73,6 +73,7 @@ class ComposerStaticInitDAV
         'OCA\\DAV\\CalDAV\\CalendarObject' => __DIR__ . '/..' . '/../lib/CalDAV/CalendarObject.php',
         'OCA\\DAV\\CalDAV\\CalendarProvider' => __DIR__ . '/..' . '/../lib/CalDAV/CalendarProvider.php',
         'OCA\\DAV\\CalDAV\\CalendarRoot' => __DIR__ . '/..' . '/../lib/CalDAV/CalendarRoot.php',
+        'OCA\\DAV\\CalDAV\\DefaultCalendarValidator' => __DIR__ . '/..' . '/../lib/CalDAV/DefaultCalendarValidator.php',
         'OCA\\DAV\\CalDAV\\EventComparisonService' => __DIR__ . '/..' . '/../lib/CalDAV/EventComparisonService.php',
         'OCA\\DAV\\CalDAV\\FreeBusy\\FreeBusyGenerator' => __DIR__ . '/..' . '/../lib/CalDAV/FreeBusy/FreeBusyGenerator.php',
         'OCA\\DAV\\CalDAV\\ICSExportPlugin\\ICSExportPlugin' => __DIR__ . '/..' . '/../lib/CalDAV/ICSExportPlugin/ICSExportPlugin.php',

apps/dav/lib/CalDAV/DefaultCalendarValidator.php

@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\DAV\CalDAV;
+
+use Sabre\DAV\Exception as DavException;
+
+class DefaultCalendarValidator {
+	/**
+	 * Check if a given Calendar node is suitable to be used as the default calendar for scheduling.
+	 *
+	 * @throws DavException If the calendar is not suitable to be used as the default calendar
+	 */
+	public function validateScheduleDefaultCalendar(Calendar $calendar): void {
+		// Sanity checks for a calendar that should handle invitations
+		if ($calendar->isSubscription()
+			|| !$calendar->canWrite()
+			|| $calendar->isShared()
+			|| $calendar->isDeleted()) {
+			throw new DavException('Calendar is a subscription, not writable, shared or deleted');
+		}
+
+		// Calendar must support VEVENTs
+		$sCCS = '{urn:ietf:params:xml:ns:caldav}supported-calendar-component-set';
+		$calendarProperties = $calendar->getProperties([$sCCS]);
+		if (isset($calendarProperties[$sCCS])) {
+			$supportedComponents = $calendarProperties[$sCCS]->getValue();
+		} else {
+			$supportedComponents = ['VJOURNAL', 'VTODO', 'VEVENT'];
+		}
+		if (!in_array('VEVENT', $supportedComponents, true)) {
+			throw new DavException('Calendar does not support VEVENT components');
+		}
+	}
+}

apps/dav/lib/CalDAV/InvitationResponse/InvitationResponseServer.php

@@ -28,6 +28,7 @@
 use OCA\DAV\AppInfo\PluginManager;
 use OCA\DAV\CalDAV\Auth\CustomPrincipalPlugin;
 use OCA\DAV\CalDAV\Auth\PublicPrincipalPlugin;
+use OCA\DAV\CalDAV\DefaultCalendarValidator;
 use OCA\DAV\Connector\Sabre\AnonymousOptionsPlugin;
 use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin;
 use OCA\DAV\Connector\Sabre\CachingTree;
@@ -89,7 +90,7 @@ public function __construct(bool $public = true) {
 		// calendar plugins
 		$this->server->addPlugin(new \OCA\DAV\CalDAV\Plugin());
 		$this->server->addPlugin(new \Sabre\CalDAV\ICSExportPlugin());
-		$this->server->addPlugin(new \OCA\DAV\CalDAV\Schedule\Plugin(\OC::$server->getConfig(), \OC::$server->get(LoggerInterface::class)));
+		$this->server->addPlugin(new \OCA\DAV\CalDAV\Schedule\Plugin(\OC::$server->getConfig(), \OC::$server->get(LoggerInterface::class), \OC::$server->get(DefaultCalendarValidator::class)));
 		$this->server->addPlugin(new \Sabre\CalDAV\Subscriptions\Plugin());
 		$this->server->addPlugin(new \Sabre\CalDAV\Notifications\Plugin());
 		//$this->server->addPlugin(new \OCA\DAV\DAV\Sharing\Plugin($authBackend, \OC::$server->getRequest()));

apps/dav/lib/CalDAV/Schedule/Plugin.php

@@ -33,11 +33,13 @@
 use OCA\DAV\CalDAV\CalDavBackend;
 use OCA\DAV\CalDAV\Calendar;
 use OCA\DAV\CalDAV\CalendarHome;
+use OCA\DAV\CalDAV\DefaultCalendarValidator;
 use OCP\IConfig;
 use Psr\Log\LoggerInterface;
 use Sabre\CalDAV\ICalendar;
 use Sabre\CalDAV\ICalendarObject;
 use Sabre\CalDAV\Schedule\ISchedulingObject;
+use Sabre\DAV\Exception as DavException;
 use Sabre\DAV\INode;
 use Sabre\DAV\IProperties;
 use Sabre\DAV\PropFind;
@@ -75,13 +77,15 @@ class Plugin extends \Sabre\CalDAV\Schedule\Plugin {
 	public const CALENDAR_USER_TYPE = '{' . self::NS_CALDAV . '}calendar-user-type';
 	public const SCHEDULE_DEFAULT_CALENDAR_URL = '{' . Plugin::NS_CALDAV . '}schedule-default-calendar-URL';
 	private LoggerInterface $logger;
+	private DefaultCalendarValidator $defaultCalendarValidator;
 
 	/**
 	 * @param IConfig $config
 	 */
-	public function __construct(IConfig $config, LoggerInterface $logger) {
+	public function __construct(IConfig $config, LoggerInterface $logger, DefaultCalendarValidator $defaultCalendarValidator) {
 		$this->config = $config;
 		$this->logger = $logger;
+		$this->defaultCalendarValidator = $defaultCalendarValidator;
 	}
 
 	/**
@@ -384,11 +388,20 @@ public function propFindDefaultCalendarUrl(PropFind $propFind, INode $node) {
 						 * - isn't a calendar subscription
 						 * - user can write to it (no virtual/3rd-party calendars)
 						 * - calendar isn't a share
+						 * - calendar supports VEVENTs
 						 */
 						foreach ($calendarHome->getChildren() as $node) {
-							if ($node instanceof Calendar && !$node->isSubscription() && $node->canWrite() && !$node->isShared() && !$node->isDeleted()) {
-								$userCalendars[] = $node;
+							if (!($node instanceof Calendar)) {
+								continue;
 							}
+
+							try {
+								$this->defaultCalendarValidator->validateScheduleDefaultCalendar($node);
+							} catch (DavException $e) {
+								continue;
+							}
+
+							$userCalendars[] = $node;
 						}
 
 						if (count($userCalendars) > 0) {

apps/dav/lib/Connector/Sabre/ServerFactory.php

@@ -32,6 +32,7 @@
 namespace OCA\DAV\Connector\Sabre;
 
 use OCA\DAV\AppInfo\PluginManager;
+use OCA\DAV\CalDAV\DefaultCalendarValidator;
 use OCA\DAV\DAV\ViewOnlyPlugin;
 use OCA\DAV\Files\BrowserErrorPagePlugin;
 use OCP\EventDispatcher\IEventDispatcher;
@@ -191,7 +192,8 @@ public function createServer(string $baseUri,
 							$server,
 							$objectTree,
 							$this->databaseConnection,
-							$this->userSession->getUser()
+							$this->userSession->getUser(),
+							\OC::$server->get(DefaultCalendarValidator::class),
 						)
 					)
 				);

apps/dav/lib/DAV/CustomPropertiesBackend.php

@@ -27,12 +27,13 @@
 namespace OCA\DAV\DAV;
 
 use Exception;
+use OCA\DAV\CalDAV\Calendar;
+use OCA\DAV\CalDAV\DefaultCalendarValidator;
 use OCA\DAV\Connector\Sabre\Directory;
 use OCA\DAV\Connector\Sabre\FilesPlugin;
 use OCP\DB\QueryBuilder\IQueryBuilder;
 use OCP\IDBConnection;
 use OCP\IUser;
-use Sabre\CalDAV\ICalendar;
 use Sabre\DAV\Exception as DavException;
 use Sabre\DAV\PropertyStorage\Backend\BackendInterface;
 use Sabre\DAV\PropFind;
@@ -154,6 +155,7 @@ class CustomPropertiesBackend implements BackendInterface {
 
 	private Server $server;
 	private XmlService $xmlService;
+	private DefaultCalendarValidator $defaultCalendarValidator;
 
 	/**
 	 * @param Tree $tree node tree
@@ -165,6 +167,7 @@ public function __construct(
 		Tree $tree,
 		IDBConnection $connection,
 		IUser $user,
+		DefaultCalendarValidator $defaultCalendarValidator,
 	) {
 		$this->server = $server;
 		$this->tree = $tree;
@@ -175,6 +178,7 @@ public function __construct(
 			$this->xmlService->elementMap,
 			self::COMPLEX_XML_ELEMENT_MAP,
 		);
+		$this->defaultCalendarValidator = $defaultCalendarValidator;
 	}
 
 	/**
@@ -338,10 +342,11 @@ private function validateProperty(string $path, string $propName, mixed $propVal
 
 				// $path is the principal here as this prop is only set on principals
 				$node = $this->tree->getNodeForPath($href);
-				if (!($node instanceof ICalendar) || $node->getOwner() !== $path) {
+				if (!($node instanceof Calendar) || $node->getOwner() !== $path) {
 					throw new DavException('No such calendar');
 				}
 
+				$this->defaultCalendarValidator->validateScheduleDefaultCalendar($node);
 				break;
 		}
 	}

apps/dav/lib/Server.php

@@ -286,7 +286,8 @@ public function __construct(IRequest $request, string $baseUri) {
 							$this->server,
 							$this->server->tree,
 							\OC::$server->getDatabaseConnection(),
-							\OC::$server->getUserSession()->getUser()
+							\OC::$server->getUserSession()->getUser(),
+							\OC::$server->get(DefaultCalendarValidator::class),
 						)
 					)
 				);

apps/dav/tests/unit/CalDAV/DefaultCalendarValidatorTest.php

@@ -0,0 +1,171 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\DAV\Tests\unit\CalDAV;
+
+use OCA\DAV\CalDAV\Calendar;
+use OCA\DAV\CalDAV\DefaultCalendarValidator;
+use Sabre\CalDAV\Xml\Property\SupportedCalendarComponentSet;
+use Test\TestCase;
+
+class DefaultCalendarValidatorTest extends TestCase {
+	private DefaultCalendarValidator $validator;
+
+	protected function setUp(): void {
+		parent::setUp();
+
+		$this->validator = new DefaultCalendarValidator();
+	}
+
+	public function testValidateScheduleDefaultCalendar(): void {
+		$node = $this->createMock(Calendar::class);
+		$node->expects(self::once())
+			->method('isSubscription')
+			->willReturn(false);
+		$node->expects(self::once())
+			->method('canWrite')
+			->willReturn(true);
+		$node->expects(self::once())
+			->method('isShared')
+			->willReturn(false);
+		$node->expects(self::once())
+			->method('isDeleted')
+			->willReturn(false);
+		$node->expects(self::once())
+			->method('getProperties')
+			->willReturn([
+				'{urn:ietf:params:xml:ns:caldav}supported-calendar-component-set' => new SupportedCalendarComponentSet(['VEVENT']),
+			]);
+
+		$this->validator->validateScheduleDefaultCalendar($node);
+	}
+
+	public function testValidateScheduleDefaultCalendarWithEmptyProperties(): void {
+		$node = $this->createMock(Calendar::class);
+		$node->expects(self::once())
+			->method('isSubscription')
+			->willReturn(false);
+		$node->expects(self::once())
+			->method('canWrite')
+			->willReturn(true);
+		$node->expects(self::once())
+			->method('isShared')
+			->willReturn(false);
+		$node->expects(self::once())
+			->method('isDeleted')
+			->willReturn(false);
+		$node->expects(self::once())
+			->method('getProperties')
+			->willReturn([]);
+
+		$this->validator->validateScheduleDefaultCalendar($node);
+	}
+
+	public function testValidateScheduleDefaultCalendarWithSubscription(): void {
+		$node = $this->createMock(Calendar::class);
+		$node->expects(self::once())
+			->method('isSubscription')
+			->willReturn(true);
+		$node->expects(self::never())
+			->method('canWrite');
+		$node->expects(self::never())
+			->method('isShared');
+		$node->expects(self::never())
+			->method('isDeleted');
+		$node->expects(self::never())
+			->method('getProperties');
+
+		$this->expectException(\Sabre\DAV\Exception::class);
+		$this->validator->validateScheduleDefaultCalendar($node);
+	}
+
+	public function testValidateScheduleDefaultCalendarWithoutWrite(): void {
+		$node = $this->createMock(Calendar::class);
+		$node->expects(self::once())
+			->method('isSubscription')
+			->willReturn(false);
+		$node->expects(self::once())
+			->method('canWrite')
+			->willReturn(false);
+		$node->expects(self::never())
+			->method('isShared');
+		$node->expects(self::never())
+			->method('isDeleted');
+		$node->expects(self::never())
+			->method('getProperties');
+
+		$this->expectException(\Sabre\DAV\Exception::class);
+		$this->validator->validateScheduleDefaultCalendar($node);
+	}
+
+	public function testValidateScheduleDefaultCalendarWithShared(): void {
+		$node = $this->createMock(Calendar::class);
+		$node->expects(self::once())
+			->method('isSubscription')
+			->willReturn(false);
+		$node->expects(self::once())
+			->method('canWrite')
+			->willReturn(true);
+		$node->expects(self::once())
+			->method('isShared')
+			->willReturn(true);
+		$node->expects(self::never())
+			->method('isDeleted');
+		$node->expects(self::never())
+			->method('getProperties');
+
+		$this->expectException(\Sabre\DAV\Exception::class);
+		$this->validator->validateScheduleDefaultCalendar($node);
+	}
+
+	public function testValidateScheduleDefaultCalendarWithDeleted(): void {
+		$node = $this->createMock(Calendar::class);
+		$node->expects(self::once())
+			->method('isSubscription')
+			->willReturn(false);
+		$node->expects(self::once())
+			->method('canWrite')
+			->willReturn(true);
+		$node->expects(self::once())
+			->method('isShared')
+			->willReturn(false);
+		$node->expects(self::once())
+			->method('isDeleted')
+			->willReturn(true);
+		$node->expects(self::never())
+			->method('getProperties');
+
+		$this->expectException(\Sabre\DAV\Exception::class);
+		$this->validator->validateScheduleDefaultCalendar($node);
+	}
+
+	public function testValidateScheduleDefaultCalendarWithoutVeventSupport(): void {
+		$node = $this->createMock(Calendar::class);
+		$node->expects(self::once())
+			->method('isSubscription')
+			->willReturn(false);
+		$node->expects(self::once())
+			->method('canWrite')
+			->willReturn(true);
+		$node->expects(self::once())
+			->method('isShared')
+			->willReturn(false);
+		$node->expects(self::once())
+			->method('isDeleted')
+			->willReturn(false);
+		$node->expects(self::once())
+			->method('getProperties')
+			->willReturn([
+				'{urn:ietf:params:xml:ns:caldav}supported-calendar-component-set' => new SupportedCalendarComponentSet(['VTODO']),
+			]);
+
+		$this->expectException(\Sabre\DAV\Exception::class);
+		$this->validator->validateScheduleDefaultCalendar($node);
+	}
+}