From 3a15e09ed184f90e21c3d264ec966b555ee628a4 Mon Sep 17 00:00:00 2001
From: Michael Barz
Date: Thu, 6 Jun 2024 11:05:59 +0200
Subject: [PATCH 1/5] chore: update reva to latest edge
---
 changelog/unreleased/bump-reva.md | 1 +
 go.mod | 2 +-
 go.sum | 2 ++
 .../http/services/owncloud/ocdav/get.go | 22 ++++++++++++-----
 .../http/services/owncloud/ocdav/ocdav.go | 24 -------------------
 vendor/modules.txt | 2 +-
 6 files changed, 21 insertions(+), 32 deletions(-)
diff --git a/changelog/unreleased/bump-reva.md b/changelog/unreleased/bump-reva.md
index e0c4122fe1..bbae000324 100644
--- a/changelog/unreleased/bump-reva.md
+++ b/changelog/unreleased/bump-reva.md
@@ -2,6 +2,7 @@ Enhancement: Bump Reva
 bumps reva version
+https://github.com/owncloud/ocis/pull/9330
 https://github.com/owncloud/ocis/pull/9318
 https://github.com/owncloud/ocis/pull/9269
 https://github.com/owncloud/ocis/pull/9236
diff --git a/go.mod b/go.mod
index e77add72de..67ee1e5150 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/cenkalti/backoff v2.2.1+incompatible
 github.com/coreos/go-oidc/v3 v3.10.0
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781
- github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068
+ github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace
 github.com/dhowden/tag v0.0.0-20230630033851-978a0926ee25
 github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
 github.com/egirna/icap-client v0.1.1
diff --git a/go.sum b/go.sum
index 3714d2e38e..74e27f59db 100644
--- a/go.sum
+++ b/go.sum
@@ -1027,6 +1027,8 @@ github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2F
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
 github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068 h1:DAmvibMtV7HxsQoG3jfwm78XftA/js0ECuv1pelSON8=
 github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068/go.mod h1:lKqw0VuP1NcZbhj0e6tGoAGq3tgWO/pLafVJyDK0yVI=
+github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace h1:zK+0QyrqRBwdRthUbXTyDhxZIMZlNJPzGr0+bmyU++0=
+github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace/go.mod h1:lKqw0VuP1NcZbhj0e6tGoAGq3tgWO/pLafVJyDK0yVI=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
 github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/get.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/get.go
index 191d9cc043..ae5670502b 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/get.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/get.go
@@ -131,7 +131,19 @@ func (s *svc) handleGet(ctx context.Context, w http.ResponseWriter, r *http.Requ
 }
 defer httpRes.Body.Close()
- copyHeader(w.Header(), httpRes.Header)
+ // copy only the headers relevant for the content served by the datagateway
+ // more headers are already present from the GET request
+ copyHeader(w.Header(), httpRes.Header, net.HeaderContentType)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderContentLength)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderContentRange)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderOCFileID)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderOCETag)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderOCChecksum)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderETag)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderLastModified)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderAcceptRanges)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderContentDisposistion)
+
 w.WriteHeader(httpRes.StatusCode)
 if httpRes.StatusCode != http.StatusOK && httpRes.StatusCode != http.StatusPartialContent {
@@ -156,11 +168,9 @@ func (s *svc) handleGet(ctx context.Context, w http.ResponseWriter, r *http.Requ
 // TODO we need to send the If-Match etag in the GET to the datagateway to prevent race conditions between stating and reading the file
 }
-func copyHeader(dst, src http.Header) {
- for key, values := range src {
- for i := range values {
- dst.Add(key, values[i])
- }
+func copyHeader(dist, src http.Header, header string) {
+ if src.Get(header) != "" {
+ dist.Set(header, src.Get(header))
 }
 }
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go
index d3cab17bec..ae4056e96e 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go
@@ -165,8 +165,6 @@ func (s *svc) Handler() http.Handler {
 ctx := r.Context()
 log := appctx.GetLogger(ctx)
- addAccessHeaders(w, r)
-
 // TODO(jfd): do we need this?
 // fake litmus testing for empty namespace: see https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/webdav/litmus_test_server.go#L58-L89
 if r.Header.Get(net.HeaderLitmus) == "props: 3 (propfind_invalid2)" {
@@ -284,28 +282,6 @@ func (s *svc) ApplyLayout(ctx context.Context, ns string, useLoggedInUserNS bool
 return templates.WithUser(u, ns), requestPath, nil
 }
-func addAccessHeaders(w http.ResponseWriter, r *http.Request) {
- headers := w.Header()
- // all resources served via the DAV endpoint should have the strictest possible as default
- headers.Set("Content-Security-Policy", "default-src 'none';")
- // disable sniffing the content type for IE
- headers.Set("X-Content-Type-Options", "nosniff")
- // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
- headers.Set("X-Download-Options", "noopen")
- // Disallow iFraming from other domains
- headers.Set("X-Frame-Options", "SAMEORIGIN")
- // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
- headers.Set("X-Permitted-Cross-Domain-Policies", "none")
- // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
- headers.Set("X-Robots-Tag", "none")
- // enforce browser based XSS filters
- headers.Set("X-XSS-Protection", "1; mode=block")
-
- if r.TLS != nil {
- headers.Set("Strict-Transport-Security", "max-age=63072000")
- }
-}
-
 func authContextForUser(client gateway.GatewayAPIClient, userID *userpb.UserId, machineAuthAPIKey string) (context.Context, error) {
 if machineAuthAPIKey == "" {
 return nil, errtypes.NotSupported("machine auth not configured")
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 719b4531ff..3f679cedba 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -366,7 +366,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1
 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1
 github.com/cs3org/go-cs3apis/cs3/types/v1beta1
-# github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068
+# github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace
 ## explicit; go 1.21
 github.com/cs3org/reva/v2/cmd/revad/internal/grace
 github.com/cs3org/reva/v2/cmd/revad/runtime
From 817b6e3e9692fd2a8b814f1ff5098f257a9c9b57 Mon Sep 17 00:00:00 2001
From: Michael Barz
Date: Thu, 6 Jun 2024 13:46:15 +0200
Subject: [PATCH 2/5] tests: fix test expectations for multipart
---
 .../features/coreApiWebdavOperations/downloadFile.feature | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
index 4fcc3c5665..a28d659575 100644
--- a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
+++ b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
@@ -167,13 +167,13 @@ Feature: download file
 | Content-Type | /^multipart\/byteranges; boundary=[a-zA-Z0-9_.-]*$/ |
 And if the HTTP status code was "206" then the downloaded content for multipart byterange should be:
 """
- Content-type: text/plain;charset=UTF-8
- Content-range: bytes 0-6/52
+ Content-Range: bytes 0-6/52
+ Content-Type: text/plain;charset=UTF-8
 Welcome
- Content-type: text/plain;charset=UTF-8
- Content-range: bytes 40-51/52
+ Content-Range: bytes 40-51/52
+ Content-Type: text/plain;charset=UTF-8
 developers.
 """
From ccb8228edd77838df725f0e127c8176746f0ef26 Mon Sep 17 00:00:00 2001
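Review bot: The new expectation pins the exact spelling and order of the part headers inside the multipart body (`Content-Range` now before `Content-Type`, canonical casing), which is presentation detail the datagateway is free to change again; if the step compares the docstring literally, the next reordering upstream fails this scenario for no functional reason. Consider having the step normalise header names to canonical form and compare each part's headers as a set, with only the body text compared verbatim. The scenario's remaining steps lie outside the hunk.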
From: Michael Barz
Date: Mon, 10 Jun 2024 17:20:38 +0200
Subject: [PATCH 3/5] fix: bump upstream sec middleware
---
 go.mod | 2 +-
 go.sum | 6 +--
 services/proxy/pkg/middleware/security.go | 23 +++++----
 vendor/github.com/unrolled/secure/secure.go | 53 ++++++++++++++-------
 vendor/modules.txt | 4 +-
 5 files changed, 53 insertions(+), 35 deletions(-)
diff --git a/go.mod b/go.mod
index 67ee1e5150..7aa92cbc5c 100644
--- a/go.mod
+++ b/go.mod
@@ -363,7 +363,7 @@ replace github.com/studio-b12/gowebdav => github.com/aduffeck/gowebdav v0.0.0-20
 replace github.com/egirna/icap-client => github.com/fschade/icap-client v0.0.0-20240123094924-5af178158eaf
-replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb
+replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77
 // exclude the v2 line of go-sqlite3 which was released accidentally and prevents pulling in newer versions of go-sqlite3
 // see https://github.com/mattn/go-sqlite3/issues/965 for more details
diff --git a/go.sum b/go.sum
index 74e27f59db..f0046798f1 100644
--- a/go.sum
+++ b/go.sum
@@ -798,8 +798,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/CiscoM31/godata v1.0.10 h1:DZdJ6M8QNh4HquvDDOqNLu6h77Wl86KGK7Qlbmb90sk=
 github.com/CiscoM31/godata v1.0.10/go.mod h1:ZMiT6JuD3Rm83HEtiTx4JEChsd25YCrxchKGag/sdTc=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
-github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb h1:Ugrv7ivJ035zunmhmGEBSXL76tyxRNH5XaBSQUTqf38=
-github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
+github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77 h1:UTzaEnOUHXYhF4SFARPcEownvFw8Kgg+oJv3N0pRI2g=
+github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
 github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
 github.com/KimMachineGun/automemlimit v0.6.1 h1:ILa9j1onAAMadBsyyUJv5cack8Y1WT26yLj/V+ulKp8=
 github.com/KimMachineGun/automemlimit v0.6.1/go.mod h1:T7xYht7B8r6AG/AqFcUdc7fzd2bIdBKmepfP2S1svPY=
@@ -1025,8 +1025,6 @@ github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
 github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2FasrrPg8gGPHQPOrQ18MS1Oew2tmGtY=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
-github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068 h1:DAmvibMtV7HxsQoG3jfwm78XftA/js0ECuv1pelSON8=
-github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068/go.mod h1:lKqw0VuP1NcZbhj0e6tGoAGq3tgWO/pLafVJyDK0yVI=
 github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace h1:zK+0QyrqRBwdRthUbXTyDhxZIMZlNJPzGr0+bmyU++0=
 github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace/go.mod h1:lKqw0VuP1NcZbhj0e6tGoAGq3tgWO/pLafVJyDK0yVI=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
diff --git a/services/proxy/pkg/middleware/security.go b/services/proxy/pkg/middleware/security.go
index 414d9f5c6e..ef48abbe08 100644
--- a/services/proxy/pkg/middleware/security.go
+++ b/services/proxy/pkg/middleware/security.go
@@ -1,13 +1,14 @@
 package middleware
 import (
+ "net/http"
+ "os"
+
 gofig "github.com/gookit/config/v2"
 "github.com/gookit/config/v2/yaml"
 "github.com/owncloud/ocis/v2/services/proxy/pkg/config"
 "github.com/unrolled/secure"
 "github.com/unrolled/secure/cspbuilder"
- "net/http"
- "os"
 )
 // LoadCSPConfig loads CSP header configuration from a yaml file.
@@ -54,14 +55,16 @@ func Security(cspConfig *config.CSP) func(h http.Handler) http.Handler {
 }
 secureMiddleware := secure.New(secure.Options{
- BrowserXssFilter: true,
- ContentSecurityPolicy: cspBuilder.MustBuild(),
- ContentTypeNosniff: true,
- CustomFrameOptionsValue: "SAMEORIGIN",
- FrameDeny: true,
- ReferrerPolicy: "strict-origin-when-cross-origin",
- STSSeconds: 315360000,
- STSPreload: true,
+ BrowserXssFilter: true,
+ ContentSecurityPolicy: cspBuilder.MustBuild(),
+ ContentTypeNosniff: true,
+ CustomFrameOptionsValue: "SAMEORIGIN",
+ FrameDeny: true,
+ ReferrerPolicy: "strict-origin-when-cross-origin",
+ STSSeconds: 315360000,
+ STSPreload: true,
+ PermittedCrossDomainPolicies: "none",
+ RobotTag: "none",
 })
 return func(next http.Handler) http.Handler {
 return secureMiddleware.Handler(next)
diff --git a/vendor/github.com/unrolled/secure/secure.go b/vendor/github.com/unrolled/secure/secure.go
index 0efcc617e4..4122dabfdc 100644
--- a/vendor/github.com/unrolled/secure/secure.go
+++ b/vendor/github.com/unrolled/secure/secure.go
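Review bot: `X-Download-Options: noopen`, which the addAccessHeaders function removed from ocdav.go in patch 1 used to set on every DAV response, has no counterpart in the new secure.Options list, so after this series DAV downloads stop sending it; patch 4's feature expectations drop the header accordingly, but the changelog entry in changelog/unreleased/bump-reva.md does not mention the change. If dropping it is deliberate (it is a legacy Internet-Explorer-only header), record that above the struct literal with a comment such as `// X-Download-Options is intentionally not set any more; only legacy IE honoured it`, otherwise it needs an option upstream in the same way `RobotTag` and `PermittedCrossDomainPolicies` were added. With ocdav no longer setting headers itself, this middleware becomes the only place the browser security headers are produced, so a request that reaches ocdav without passing through the proxy gets none of them — worth a sentence in the doc comment of `Security`. The gofmt realignment of the existing fields hides the two genuinely new lines in the hunk; a separate formatting commit would make them easier to spot. Security starts outside the hunk.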
@@ -11,22 +11,23 @@ import (
 type secureCtxKey string
 const (
- stsHeader = "Strict-Transport-Security"
- stsSubdomainString = "; includeSubDomains"
- stsPreloadString = "; preload"
- frameOptionsHeader = "X-Frame-Options"
- frameOptionsValue = "DENY"
- contentTypeHeader = "X-Content-Type-Options"
- contentTypeValue = "nosniff"
- xssProtectionHeader = "X-XSS-Protection"
- xssProtectionValue = "1; mode=block"
- cspHeader = "Content-Security-Policy"
- cspReportOnlyHeader = "Content-Security-Policy-Report-Only"
- hpkpHeader = "Public-Key-Pins"
- referrerPolicyHeader = "Referrer-Policy"
- featurePolicyHeader = "Feature-Policy"
- permissionsPolicyHeader = "Permissions-Policy"
- coopHeader = "Cross-Origin-Opener-Policy"
+ stsHeader = "Strict-Transport-Security"
+ stsSubdomainString = "; includeSubDomains"
+ stsPreloadString = "; preload"
+ frameOptionsHeader = "X-Frame-Options"
+ frameOptionsValue = "DENY"
+ contentTypeHeader = "X-Content-Type-Options"
+ contentTypeValue = "nosniff"
+ xssProtectionHeader = "X-XSS-Protection"
+ xssProtectionValue = "1; mode=block"
+ cspHeader = "Content-Security-Policy"
+ cspReportOnlyHeader = "Content-Security-Policy-Report-Only"
+ referrerPolicyHeader = "Referrer-Policy"
+ featurePolicyHeader = "Feature-Policy"
+ permissionsPolicyHeader = "Permissions-Policy"
+ coopHeader = "Cross-Origin-Opener-Policy"
+ robotTagHeader = "X-Robots-Tag"
+ permittedCrossDomainPoliciesHeader = "X-Permitted-Cross-Domain-Policies"
 ctxDefaultSecureHeaderKey = secureCtxKey("SecureResponseHeader")
 cspNonceSize = 16
@@ -65,7 +66,7 @@ type Options struct {
 SSLRedirect bool
 // If SSLForceHost is true and SSLHost is set, requests will be forced to use SSLHost even the ones that are already using SSL. Default is false.
 SSLForceHost bool
- // If SSLTemporaryRedirect is true, the a 302 will be used while redirecting. Default is false (301).
+ // If SSLTemporaryRedirect is true, a 302 will be used while redirecting. Default is false (301).
 SSLTemporaryRedirect bool
 // If STSIncludeSubdomains is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header. Default is false.
 STSIncludeSubdomains bool
@@ -110,9 +111,15 @@ type Options struct {
 STSSeconds int64
 // SecureContextKey allows a custom key to be specified for context storage.
 SecureContextKey string
+ // PermittedCrossDomainPolicies allows to set the X-Permitted-Cross-Domain-Policies header
+ // Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
+ PermittedCrossDomainPolicies string
+ // RobotTag allows to set the X-Robot-Tag header
+ // Reference https://developers.google.com/search/docs/crawling-indexing/robots-meta-tag
+ RobotTag string
 }
-// Secure is a middleware that helps setup a few basic security features. A single secure.Options struct can be
+// Secure is a middleware that helps set up a few basic security features. A single secure.Options struct can be
 // provided to configure which features should be enabled, and the ability to override a few of the default values.
 type Secure struct {
 // Customize Secure with an Options struct.
@@ -466,6 +473,16 @@ func (s *Secure) processRequest(w http.ResponseWriter, r *http.Request) (http.He
 responseHeader.Set(coopHeader, s.opt.CrossOriginOpenerPolicy)
 }
+ // X-Permitted-Cross-Domain-Policies
+ if len(s.opt.PermittedCrossDomainPolicies) > 0 {
+ responseHeader.Set(permittedCrossDomainPoliciesHeader, s.opt.PermittedCrossDomainPolicies)
+ }
+
+ // X-Robots-Tag
+ if len(s.opt.RobotTag) > 0 {
+ responseHeader.Set(robotTagHeader, s.opt.RobotTag)
+ }
+
 return responseHeader, r, nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3f679cedba..c1ca299102 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1882,7 +1882,7 @@ github.com/trustelem/zxcvbn/scoring
 # github.com/tus/tusd v1.13.0
 ## explicit; go 1.16
 github.com/tus/tusd/pkg/handler
-# github.com/unrolled/secure v1.14.0 => github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb
+# github.com/unrolled/secure v1.14.0 => github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77
 ## explicit; go 1.13
 github.com/unrolled/secure
 github.com/unrolled/secure/cspbuilder
@@ -2433,4 +2433,4 @@ stash.kopano.io/kgol/oidc-go
 stash.kopano.io/kgol/rndm
 # github.com/studio-b12/gowebdav => github.com/aduffeck/gowebdav v0.0.0-20231215102054-212d4a4374f6
 # github.com/egirna/icap-client => github.com/fschade/icap-client v0.0.0-20240123094924-5af178158eaf
-# github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb
+# github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77
From 75213c53eb46f4c94078cb397ef745bb6fe0f40d Mon Sep 17 00:00:00 2001
From: Michael Barz
Date: Mon, 10 Jun 2024 17:57:54 +0200
Subject: [PATCH 4/5] tests: fix test expectations
---
 .../expected-failures-API-on-OCIS-storage.md | 6 ----
 .../downloadFile.feature | 34 +++++++++----------
 2 files changed, 16 insertions(+), 24 deletions(-)
diff --git a/tests/acceptance/expected-failures-API-on-OCIS-storage.md b/tests/acceptance/expected-failures-API-on-OCIS-storage.md
index 27e95f8b7f..3eb4aed85f 100644
--- a/tests/acceptance/expected-failures-API-on-OCIS-storage.md
+++ b/tests/acceptance/expected-failures-API-on-OCIS-storage.md
@@ -363,12 +363,6 @@ Not everything needs to be implemented for ocis. While the oc10 testsuite covers
 - [coreApiShareManagementBasicToShares/deleteShareFromShares.feature:239](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiShareManagementBasicToShares/deleteShareFromShares.feature#L239)
 - [coreApiShareManagementBasicToShares/deleteShareFromShares.feature:240](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiShareManagementBasicToShares/deleteShareFromShares.feature#L240)
-#### [Content-type is not multipart/byteranges when downloading file with Range Header](https://github.com/owncloud/ocis/issues/2677)
-
-- [coreApiWebdavOperations/downloadFile.feature:183](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L183)
-- [coreApiWebdavOperations/downloadFile.feature:184](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L184)
-- [coreApiWebdavOperations/downloadFile.feature:189](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L189)
-
 #### [Renaming resource to banned name is allowed in spaces webdav](https://github.com/owncloud/ocis/issues/3099)
 - [coreApiWebdavMove1/moveFolder.feature:44](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavMove1/moveFolder.feature#L44)
diff --git a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
index a28d659575..43d63e47c8 100644
--- a/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
+++ b/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature
@@ -269,15 +269,14 @@ Feature: download file
 When user "Alice" downloads file "/" using the WebDAV API
 Then the HTTP status code should be "200"
 And the following headers should be set
- | header | value |
- | Content-Disposition | attachment; filename*=UTF-8''""; filename="" |
- | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
- | X-Content-Type-Options | nosniff |
- | X-Download-Options | noopen |
- | X-Frame-Options | SAMEORIGIN |
- | X-Permitted-Cross-Domain-Policies | none |
- | X-Robots-Tag | none |
- | X-XSS-Protection | 1; mode=block |
+ | header | value |
+ | Content-Disposition | attachment; filename*=UTF-8''""; filename="" |
+ | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+ | X-Content-Type-Options | nosniff |
+ | X-Frame-Options | SAMEORIGIN |
+ | X-Permitted-Cross-Domain-Policies | none |
+ | X-Robots-Tag | none |
+ | X-XSS-Protection | 1; mode=block |
 And the downloaded content should be "test file"
 Examples:
 | dav-path-version | file-name |
@@ -298,15 +297,14 @@ Feature: download file
 When user "Alice" downloads file '/"quote"double".txt' using the WebDAV API
 Then the HTTP status code should be "200"
 And the following headers should be set
- | header | value |
- | Content-Disposition | attachment; filename*=UTF-8''""quote"double".txt"; filename=""quote"double".txt" |
- | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
- | X-Content-Type-Options | nosniff |
- | X-Download-Options | noopen |
- | X-Frame-Options | SAMEORIGIN |
- | X-Permitted-Cross-Domain-Policies | none |
- | X-Robots-Tag | none |
- | X-XSS-Protection | 1; mode=block |
+ | header | value |
+ | Content-Disposition | attachment; filename*=UTF-8''""quote"double".txt"; filename=""quote"double".txt" |
+ | Content-Security-Policy | child-src 'self'; connect-src 'self'; default-src 'none'; font-src 'self'; frame-ancestors 'self'; frame-src 'self' blob: https://embed.diagrams.net/; img-src 'self' data: blob:; manifest-src 'self'; media-src 'self'; object-src 'self' blob:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' |
+ | X-Content-Type-Options | nosniff |
+ | X-Frame-Options | SAMEORIGIN |
+ | X-Permitted-Cross-Domain-Policies | none |
+ | X-Robots-Tag | none |
+ | X-XSS-Protection | 1; mode=block |
 And the downloaded content should be "test file"
 Examples:
 | dav-path-version |
From fc0b3fe1c2088509080920e87fd3be10e8753a68 Mon Sep 17 00:00:00 2001
From: Michael Barz
Date: Tue, 11 Jun 2024 17:32:41 +0200
Subject: [PATCH 5/5] chore: use current master for upstream lib
---
 go.mod | 2 +-
 go.sum | 4 +--
 vendor/github.com/unrolled/secure/README.md | 34 ++++++++++---------
 .../unrolled/secure/cspbuilder/builder.go | 9 +++--
 vendor/github.com/unrolled/secure/secure.go | 9 ++---
 vendor/modules.txt | 4 +--
 6 files changed, 34 insertions(+), 28 deletions(-)
diff --git a/go.mod b/go.mod
index 7aa92cbc5c..a0d0b32d9a 100644
--- a/go.mod
+++ b/go.mod
@@ -363,7 +363,7 @@ replace github.com/studio-b12/gowebdav => github.com/aduffeck/gowebdav v0.0.0-20
 replace github.com/egirna/icap-client => github.com/fschade/icap-client v0.0.0-20240123094924-5af178158eaf
-replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77
+replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c
 // exclude the v2 line of go-sqlite3 which was released accidentally and prevents pulling in newer versions of go-sqlite3
 // see https://github.com/mattn/go-sqlite3/issues/965 for more details
diff --git a/go.sum b/go.sum
index f0046798f1..bdf73f6850 100644
--- a/go.sum
+++ b/go.sum
@@ -798,8 +798,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/CiscoM31/godata v1.0.10 h1:DZdJ6M8QNh4HquvDDOqNLu6h77Wl86KGK7Qlbmb90sk=
 github.com/CiscoM31/godata v1.0.10/go.mod h1:ZMiT6JuD3Rm83HEtiTx4JEChsd25YCrxchKGag/sdTc=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
-github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77 h1:UTzaEnOUHXYhF4SFARPcEownvFw8Kgg+oJv3N0pRI2g=
-github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
+github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c h1:ocsNvQ2tNHme4v/lTs17HROamc7mFzZfzWcg4m+UXN0=
+github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
 github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
 github.com/KimMachineGun/automemlimit v0.6.1 h1:ILa9j1onAAMadBsyyUJv5cack8Y1WT26yLj/V+ulKp8=
 github.com/KimMachineGun/automemlimit v0.6.1/go.mod h1:T7xYht7B8r6AG/AqFcUdc7fzd2bIdBKmepfP2S1svPY=
diff --git a/vendor/github.com/unrolled/secure/README.md b/vendor/github.com/unrolled/secure/README.md
index 4ec82d5f96..720d531349 100644
--- a/vendor/github.com/unrolled/secure/README.md
+++ b/vendor/github.com/unrolled/secure/README.md
@@ -20,19 +20,21 @@ var myHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 func main() {
 secureMiddleware := secure.New(secure.Options{
- AllowedHosts: []string{"example\\.com", ".*\\.example\\.com"},
- AllowedHostsAreRegex: true,
- HostsProxyHeaders: []string{"X-Forwarded-Host"},
- SSLRedirect: true,
- SSLHost: "ssl.example.com",
- SSLProxyHeaders: map[string]string{"X-Forwarded-Proto": "https"},
- STSSeconds: 31536000,
- STSIncludeSubdomains: true,
- STSPreload: true,
- FrameDeny: true,
- ContentTypeNosniff: true,
- BrowserXssFilter: true,
- ContentSecurityPolicy: "script-src $NONCE",
+ AllowedHosts: []string{"example\\.com", ".*\\.example\\.com"},
+ AllowedHostsAreRegex: true,
+ HostsProxyHeaders: []string{"X-Forwarded-Host"},
+ SSLRedirect: true,
+ SSLHost: "ssl.example.com",
+ SSLProxyHeaders: map[string]string{"X-Forwarded-Proto": "https"},
+ STSSeconds: 31536000,
+ STSIncludeSubdomains: true,
+ STSPreload: true,
+ FrameDeny: true,
+ ContentTypeNosniff: true,
+ BrowserXssFilter: true,
+ ContentSecurityPolicy: "script-src $NONCE",
+ PermittedCrossDomainPolicies: "none",
+ RobotTag: "noindex",
 })
 app := secureMiddleware.Handler(myHandler)
@@ -42,7 +44,7 @@ func main() {
 Be sure to include the Secure middleware as close to the top (beginning) as possible (but after logging and recovery). It's best to do the allowed hosts and SSL check before anything else.
-The above example will only allow requests with a host name of 'example.com', or 'ssl.example.com'. Also if the request is not HTTPS, it will be redirected to HTTPS with the host name of 'ssl.example.com'.
+The above example will only allow requests with a host name of 'example.com', or 'ssl.example.com'. Also, if the request is not HTTPS, it will be redirected to HTTPS with the host name of 'ssl.example.com'.
 Once those requirements are satisfied, it will add the following headers:
 ~~~ go
 Strict-Transport-Security: 31536000; includeSubdomains; preload
@@ -53,7 +55,7 @@ Content-Security-Policy: script-src 'nonce-a2ZobGFoZg=='
 ~~~
 ### Set the `IsDevelopment` option to `true` when developing!
-When `IsDevelopment` is true, the AllowedHosts, SSLRedirect, and STS header will not be in effect. This allows you to work in development/test mode and not have any annoying redirects to HTTPS (ie. development can happen on HTTP), or block `localhost` has a bad host.
+When `IsDevelopment` is true, the AllowedHosts, SSLRedirect, and STS header will not be in effect. This allows you to work in development/test mode and not have any annoying redirects to HTTPS (i.e. development can happen on HTTP), or block `localhost` has a bad host.
 ### Available options
 Secure comes with a variety of configuration options (Note: these are not the default option values. See the defaults below.):
@@ -137,7 +139,7 @@ http.Error(w, "Bad Request", http.StatusBadRequest)
 Call `secure.SetBadRequestHandler` to set your own custom handler.
 ### Allow Request Function
-Secure allows you to set a custom function (`func(r *http.Request) bool`) for the `AllowRequestFunc` option. You can use this function as a custom filter to allow the request to continue or simply reject it. This can be handy if you need to do any dynamic filtering on any of the request properties. It should be noted that this function will be called on every request, so be sure to make your checks quick and not relying on time consuming external calls (or you will be slowing down all requests). See above on how to set a custom handler for the rejected requests.
+Secure allows you to set a custom function (`func(r *http.Request) bool`) for the `AllowRequestFunc` option. You can use this function as a custom filter to allow the request to continue or simply reject it. This can be handy if you need to do any dynamic filtering on any of the request properties. It should be noted that this function will be called on every request, so be sure to make your checks quick and not relying on time-consuming external calls (or you will be slowing down all requests). See above on how to set a custom handler for the rejected requests.
 ### Redirecting HTTP to HTTPS
 If you want to redirect all HTTP requests to HTTPS, you can use the following example.
diff --git a/vendor/github.com/unrolled/secure/cspbuilder/builder.go b/vendor/github.com/unrolled/secure/cspbuilder/builder.go
index 595c0f0d26..904203f637 100644
--- a/vendor/github.com/unrolled/secure/cspbuilder/builder.go
+++ b/vendor/github.com/unrolled/secure/cspbuilder/builder.go
@@ -45,7 +45,7 @@ const (
 )
 type Builder struct {
- Directives map[string]([]string)
+ Directives map[string][]string
 }
 // MustBuild is like Build but panics if an error occurs.
@@ -61,12 +61,15 @@ func (builder *Builder) MustBuild() string {
 // Build creates a content security policy string from the specified directives.
 // If any directive contains invalid values, an error is returned instead.
 func (builder *Builder) Build() (string, error) {
- var sb strings.Builder
- var keys []string
+ keys := make([]string, 0, len(builder.Directives))
+
 for k := range builder.Directives {
 keys = append(keys, k)
 }
+
 sort.Strings(keys)
+
+ var sb strings.Builder
 for _, directive := range keys {
 if sb.Len() > 0 {
 sb.WriteString("; ")
diff --git a/vendor/github.com/unrolled/secure/secure.go b/vendor/github.com/unrolled/secure/secure.go
index 4122dabfdc..15218e3beb 100644
--- a/vendor/github.com/unrolled/secure/secure.go
+++ b/vendor/github.com/unrolled/secure/secure.go
@@ -2,6 +2,7 @@ package secure
 import (
 "context"
+ "errors"
 "fmt"
 "net/http"
 "regexp"
@@ -361,7 +362,7 @@ func (s *Secure) processRequest(w http.ResponseWriter, r *http.Request) (http.He
 http.Redirect(w, r, url.String(), status)
- return nil, nil, fmt.Errorf("redirecting to HTTPS")
+ return nil, nil, errors.New("redirecting to HTTPS")
 }
 if s.opt.SSLForceHost {
@@ -387,7 +388,7 @@ func (s *Secure) processRequest(w http.ResponseWriter, r *http.Request) (http.He
 http.Redirect(w, r, url.String(), status)
- return nil, nil, fmt.Errorf("redirecting to HTTPS")
+ return nil, nil, errors.New("redirecting to HTTPS")
 }
 }
@@ -395,7 +396,7 @@ func (s *Secure) processRequest(w http.ResponseWriter, r *http.Request) (http.He
 if s.opt.AllowRequestFunc != nil && !s.opt.AllowRequestFunc(r) {
 s.badRequestHandler.ServeHTTP(w, r)
- return nil, nil, fmt.Errorf("request not allowed")
+ return nil, nil, errors.New("request not allowed")
 }
 // Create our header container.
@@ -514,7 +515,7 @@ func (s *Secure) ModifyResponseHeaders(res *http.Response) error {
 location := res.Header.Get("Location")
 if s.isSSL(res.Request) && len(s.opt.SSLHost) > 0 &&
- (strings.HasPrefix(location, fmt.Sprintf("http://%s/", s.opt.SSLHost)) || location == fmt.Sprintf("http://%s", s.opt.SSLHost)) {
+ (strings.HasPrefix(location, fmt.Sprintf("http://%s/", s.opt.SSLHost)) || location == "http://"+s.opt.SSLHost) {
 location = strings.Replace(location, "http:", "https:", 1)
 res.Header.Set("Location", location)
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c1ca299102..5571e4c5bd 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1882,7 +1882,7 @@ github.com/trustelem/zxcvbn/scoring
 # github.com/tus/tusd v1.13.0
 ## explicit; go 1.16
 github.com/tus/tusd/pkg/handler
-# github.com/unrolled/secure v1.14.0 => github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77
+# github.com/unrolled/secure v1.14.0 => github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c
 ## explicit; go 1.13
 github.com/unrolled/secure
 github.com/unrolled/secure/cspbuilder
@@ -2433,4 +2433,4 @@ stash.kopano.io/kgol/oidc-go
 stash.kopano.io/kgol/rndm
 # github.com/studio-b12/gowebdav => github.com/aduffeck/gowebdav v0.0.0-20231215102054-212d4a4374f6
 # github.com/egirna/icap-client => github.com/fschade/icap-client v0.0.0-20240123094924-5af178158eaf
-# github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240610150357-80471eebce77
+# github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240611112133-abc838fb797c