Merge pull request #50052 from nextcloud/fix/files_sharing/harden-api

Author: provokateurin

apps/files_sharing/lib/Controller/DeletedShareAPIController.php

@@ -38,7 +38,7 @@ public function __construct(
 		string $appName,
 		IRequest $request,
 		private ShareManager $shareManager,
-		private string $userId,
+		private ?string $userId,
 		private IUserManager $userManager,
 		private IGroupManager $groupManager,
 		private IRootFolder $rootFolder,

apps/files_sharing/lib/Controller/ShareesAPIController.php

@@ -66,19 +66,10 @@ class ShareesAPIController extends OCSController {
 
 	protected $reachedEndFor = [];
 
-	/**
-	 * @param string $UserId
-	 * @param string $appName
-	 * @param IRequest $request
-	 * @param IConfig $config
-	 * @param IURLGenerator $urlGenerator
-	 * @param IManager $shareManager
-	 * @param ISearch $collaboratorSearch
-	 */
 	public function __construct(
 		string $appName,
 		IRequest $request,
-		protected string $userId,
+		protected ?string $userId,
 		protected IConfig $config,
 		protected IURLGenerator $urlGenerator,
 		protected IManager $shareManager,

apps/files_sharing/lib/External/Manager.php

@@ -160,13 +160,7 @@ private function writeShareToDb($remote, $token, $password, $name, $owner, $user
 		$query->execute([$remote, $token, $password, $name, $owner, $user, $mountPoint, $hash, $accepted, $remoteId, $parent, $shareType]);
 	}
 
-	/**
-	 * get share
-	 *
-	 * @param int $id share id
-	 * @return mixed share of false
-	 */
-	private function fetchShare($id) {
+	private function fetchShare(int $id): array|false {
 		$getShare = $this->connection->prepare('
 			SELECT `id`, `remote`, `remote_id`, `share_token`, `name`, `owner`, `user`, `mountpoint`, `accepted`, `parent`, `share_type`, `password`, `mountpoint_hash`
 			FROM  `*PREFIX*share_external`
@@ -208,15 +202,12 @@ private function fetchUserShare($parentId, $uid) {
 		return null;
 	}
 
-	/**
-	 * get share
-	 *
-	 * @param int $id share id
-	 * @return mixed share of false
-	 */
 	public function getShare(int $id, ?string $user = null): array|false {
 		$user = $user ?? $this->uid;
 		$share = $this->fetchShare($id);
+		if ($share === false) {
+			return false;
+		}
 
 		// check if the user is allowed to access it
 		if ($this->canAccessShare($share, $user)) {
@@ -256,7 +247,7 @@ private function canAccessShare(array $share, string $user): bool {
 			&& $share['user'] === $user) {
 			return true;
 		}
-		
+
 		// If the share is a group share, check if the user is in the group
 		if ((int)$share['share_type'] === IShare::TYPE_GROUP) {
 			$parentId = (int)$share['parent'];

apps/files_sharing/lib/ResponseDefinitions.php

@@ -99,7 +99,6 @@
  * }
  *
  * @psalm-type Files_SharingSharee = array{
- *     count: int|null,
  *     label: string,
  * }
  *
@@ -108,6 +107,14 @@
  *     shareWith: string,
  * }
  *
+ * @psalm-type Files_SharingShareeGroup = Files_SharingSharee&array{
+ *     value: Files_SharingShareeValue,
+ * }
+ *
+ * @psalm-type Files_SharingShareeRoom = Files_SharingSharee&array{
+ *     value: Files_SharingShareeValue,
+ * }
+ *
  * @psalm-type Files_SharingShareeUser = Files_SharingSharee&array{
  *     subline: string,
  *     icon: string,
@@ -180,33 +187,33 @@
  *     exact: array{
  *         circles: list<Files_SharingShareeCircle>,
  *         emails: list<Files_SharingShareeEmail>,
- *         groups: list<Files_SharingSharee>,
+ *         groups: list<Files_SharingShareeGroup>,
  *         remote_groups: list<Files_SharingShareeRemoteGroup>,
  *         remotes: list<Files_SharingShareeRemote>,
- *         rooms: list<Files_SharingSharee>,
+ *         rooms: list<Files_SharingShareeRoom>,
  *         users: list<Files_SharingShareeUser>,
  *     },
  *     circles: list<Files_SharingShareeCircle>,
  *     emails: list<Files_SharingShareeEmail>,
- *     groups: list<Files_SharingSharee>,
+ *     groups: list<Files_SharingShareeGroup>,
  *     lookup: list<Files_SharingShareeLookup>,
  *     remote_groups: list<Files_SharingShareeRemoteGroup>,
  *     remotes: list<Files_SharingShareeRemote>,
- *     rooms: list<Files_SharingSharee>,
+ *     rooms: list<Files_SharingShareeRoom>,
  *     users: list<Files_SharingShareeUser>,
  *     lookupEnabled: bool,
  * }
  *
  * @psalm-type Files_SharingShareesRecommendedResult = array{
  *     exact: array{
  *         emails: list<Files_SharingShareeEmail>,
- *         groups: list<Files_SharingSharee>,
+ *         groups: list<Files_SharingShareeGroup>,
  *         remote_groups: list<Files_SharingShareeRemoteGroup>,
  *         remotes: list<Files_SharingShareeRemote>,
  *         users: list<Files_SharingShareeUser>,
  *     },
  *     emails: list<Files_SharingShareeEmail>,
- *     groups: list<Files_SharingSharee>,
+ *     groups: list<Files_SharingShareeGroup>,
  *     remote_groups: list<Files_SharingShareeRemoteGroup>,
  *     remotes: list<Files_SharingShareeRemote>,
  *     users: list<Files_SharingShareeUser>,

apps/files_sharing/openapi.json

@@ -766,15 +766,9 @@
             "Sharee": {
                 "type": "object",
                 "required": [
-                    "count",
                     "label"
                 ],
                 "properties": {
-                    "count": {
-                        "type": "integer",
-                        "format": "int64",
-                        "nullable": true
-                    },
                     "label": {
                         "type": "string"
                     }
@@ -851,6 +845,24 @@
                     }
                 ]
             },
+            "ShareeGroup": {
+                "allOf": [
+                    {
+                        "$ref": "#/components/schemas/Sharee"
+                    },
+                    {
+                        "type": "object",
+                        "required": [
+                            "value"
+                        ],
+                        "properties": {
+                            "value": {
+                                "$ref": "#/components/schemas/ShareeValue"
+                            }
+                        }
+                    }
+                ]
+            },
             "ShareeLookup": {
                 "allOf": [
                     {
@@ -1027,6 +1039,24 @@
                     }
                 ]
             },
+            "ShareeRoom": {
+                "allOf": [
+                    {
+                        "$ref": "#/components/schemas/Sharee"
+                    },
+                    {
+                        "type": "object",
+                        "required": [
+                            "value"
+                        ],
+                        "properties": {
+                            "value": {
+                                "$ref": "#/components/schemas/ShareeValue"
+                            }
+                        }
+                    }
+                ]
+            },
             "ShareeUser": {
                 "allOf": [
                     {
@@ -1129,7 +1159,7 @@
                             "groups": {
                                 "type": "array",
                                 "items": {
-                                    "$ref": "#/components/schemas/Sharee"
+                                    "$ref": "#/components/schemas/ShareeGroup"
                                 }
                             },
                             "remote_groups": {
@@ -1161,7 +1191,7 @@
                     "groups": {
                         "type": "array",
                         "items": {
-                            "$ref": "#/components/schemas/Sharee"
+                            "$ref": "#/components/schemas/ShareeGroup"
                         }
                     },
                     "remote_groups": {
@@ -1226,7 +1256,7 @@
                             "groups": {
                                 "type": "array",
                                 "items": {
-                                    "$ref": "#/components/schemas/Sharee"
+                                    "$ref": "#/components/schemas/ShareeGroup"
                                 }
                             },
                             "remote_groups": {
@@ -1244,7 +1274,7 @@
                             "rooms": {
                                 "type": "array",
                                 "items": {
-                                    "$ref": "#/components/schemas/Sharee"
+                                    "$ref": "#/components/schemas/ShareeRoom"
                                 }
                             },
                             "users": {
@@ -1270,7 +1300,7 @@
                     "groups": {
                         "type": "array",
                         "items": {
-                            "$ref": "#/components/schemas/Sharee"
+                            "$ref": "#/components/schemas/ShareeGroup"
                         }
                     },
                     "lookup": {
@@ -1294,7 +1324,7 @@
                     "rooms": {
                         "type": "array",
                         "items": {
-                            "$ref": "#/components/schemas/Sharee"
+                            "$ref": "#/components/schemas/ShareeRoom"
                         }
                     },
                     "users": {

lib/private/Files/Utils/PathHelper.php

@@ -37,6 +37,8 @@ public static function normalizePath(string $path): string {
 		if ($path === '' or $path === '/') {
 			return '/';
 		}
+		// No null bytes
+		$path = str_replace(chr(0), '', $path);
 		//no windows style slashes
 		$path = str_replace('\\', '/', $path);
 		//add leading slash