Skip to content

Commit 40a2dde

Browse files
SebastianKrupinskiSebastianKrupinski
committed
fix(caldav): limit vevent size
Signed-off-by: SebastianKrupinski <[email protected]>
1 parent 90d712f commit 40a2dde

6 files changed

Lines changed: 119 additions & 0 deletions

File tree

apps/dav/appinfo/v1/caldav.php

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,7 @@
2929
use OC\KnownUser\KnownUserService;
3030
use OCA\DAV\CalDAV\CalDavBackend;
3131
use OCA\DAV\CalDAV\Security\RateLimitingPlugin;
32+
use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
3233
use OCA\DAV\Connector\LegacyDAVACL;
3334
use OCA\DAV\CalDAV\CalendarRoot;
3435
use OCA\DAV\Connector\Sabre\Auth;
@@ -118,6 +119,7 @@
118119
}
119120
$server->addPlugin(new ExceptionLoggerPlugin('caldav', $logger));
120121
$server->addPlugin(\OCP\Server::get(RateLimitingPlugin::class));
122+
$server->addPlugin(\OCP\Server::get(CalDavValidatePlugin::class));
121123

122124
// And off we go!
123125
$server->exec();

apps/dav/composer/composer/autoload_classmap.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -106,6 +106,7 @@
106106
'OCA\\DAV\\CalDAV\\Trashbin\\Plugin' => $baseDir . '/../lib/CalDAV/Trashbin/Plugin.php',
107107
'OCA\\DAV\\CalDAV\\Trashbin\\RestoreTarget' => $baseDir . '/../lib/CalDAV/Trashbin/RestoreTarget.php',
108108
'OCA\\DAV\\CalDAV\\Trashbin\\TrashbinHome' => $baseDir . '/../lib/CalDAV/Trashbin/TrashbinHome.php',
109+
'OCA\\DAV\\CalDAV\\Validation\\CalDavValidatePlugin' => $baseDir . '/../lib/CalDAV/Validation/CalDavValidatePlugin.php',
109110
'OCA\\DAV\\CalDAV\\WebcalCaching\\Plugin' => $baseDir . '/../lib/CalDAV/WebcalCaching/Plugin.php',
110111
'OCA\\DAV\\CalDAV\\WebcalCaching\\RefreshWebcalService' => $baseDir . '/../lib/CalDAV/WebcalCaching/RefreshWebcalService.php',
111112
'OCA\\DAV\\Capabilities' => $baseDir . '/../lib/Capabilities.php',

apps/dav/composer/composer/autoload_static.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -121,6 +121,7 @@ class ComposerStaticInitDAV
121121
'OCA\\DAV\\CalDAV\\Trashbin\\Plugin' => __DIR__ . '/..' . '/../lib/CalDAV/Trashbin/Plugin.php',
122122
'OCA\\DAV\\CalDAV\\Trashbin\\RestoreTarget' => __DIR__ . '/..' . '/../lib/CalDAV/Trashbin/RestoreTarget.php',
123123
'OCA\\DAV\\CalDAV\\Trashbin\\TrashbinHome' => __DIR__ . '/..' . '/../lib/CalDAV/Trashbin/TrashbinHome.php',
124+
'OCA\\DAV\\CalDAV\\Validation\\CalDavValidatePlugin' => __DIR__ . '/..' . '/../lib/CalDAV/Validation/CalDavValidatePlugin.php',
124125
'OCA\\DAV\\CalDAV\\WebcalCaching\\Plugin' => __DIR__ . '/..' . '/../lib/CalDAV/WebcalCaching/Plugin.php',
125126
'OCA\\DAV\\CalDAV\\WebcalCaching\\RefreshWebcalService' => __DIR__ . '/..' . '/../lib/CalDAV/WebcalCaching/RefreshWebcalService.php',
126127
'OCA\\DAV\\Capabilities' => __DIR__ . '/..' . '/../lib/Capabilities.php',

apps/dav/lib/CalDAV/Validation/CalDavValidatePlugin.php

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
<?php
2+
3+
declare(strict_types=1);
4+
5+
/*
6+
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
7+
* SPDX-License-Identifier: AGPL-3.0-or-later
8+
*/
9+
namespace OCA\DAV\CalDAV\Validation;
10+
11+
use OCA\DAV\AppInfo\Application;
12+
use OCP\IConfig;
13+
use Sabre\DAV\Exception\Forbidden;
14+
use Sabre\DAV\Server;
15+
use Sabre\DAV\ServerPlugin;
16+
use Sabre\HTTP\RequestInterface;
17+
use Sabre\HTTP\ResponseInterface;
18+
19+
class CalDavValidatePlugin extends ServerPlugin {
20+
21+
public function __construct(
22+
private IConfig $config
23+
) {
24+
}
25+
26+
public function initialize(Server $server): void {
27+
$server->on('beforeMethod:PUT', [$this, 'beforePut']);
28+
}
29+
30+
public function beforePut(RequestInterface $request, ResponseInterface $response): bool {
31+
// evaluate if card size exceeds defined limit
32+
$eventSizeLimit = $this->config->getAppValue(Application::APP_ID, 'event_size_limit', 10485760);
33+
if ((int) $request->getRawServerValue('CONTENT_LENGTH') > $eventSizeLimit) {
34+
throw new Forbidden("VEvent or VTodo object exceeds $eventSizeLimit bytes");
35+
}
36+
// all tests passed return true
37+
return true;
38+
}
39+
40+
}

apps/dav/lib/Server.php

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,7 @@
3939
use OCA\DAV\BulkUpload\BulkUploadPlugin;
4040
use OCA\DAV\CalDAV\BirthdayService;
4141
use OCA\DAV\CalDAV\Security\RateLimitingPlugin;
42+
use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
4243
use OCA\DAV\CardDAV\HasPhotoPlugin;
4344
use OCA\DAV\CardDAV\ImageExportPlugin;
4445
use OCA\DAV\CardDAV\MultiGetExportPlugin;
@@ -196,6 +197,7 @@ public function __construct(IRequest $request, string $baseUri) {
196197
));
197198

198199
$this->server->addPlugin(\OCP\Server::get(RateLimitingPlugin::class));
200+
$this->server->addPlugin(\OCP\Server::get(CalDavValidatePlugin::class));
199201
}
200202

201203
// addressbook plugins

apps/dav/tests/unit/CalDAV/Validation/CalDavValidatePluginTest.php

Lines changed: 73 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,73 @@
1+
<?php
2+
3+
declare(strict_types=1);
4+
5+
/*
6+
* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
7+
* SPDX-License-Identifier: AGPL-3.0-or-later
8+
*/
9+
10+
namespace OCA\DAV\Tests\unit\CalDAV\Validation;
11+
12+
use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
13+
use OCP\IConfig;
14+
use PHPUnit\Framework\MockObject\MockObject;
15+
use Sabre\DAV\Exception\Forbidden;
16+
use Sabre\HTTP\RequestInterface;
17+
use Sabre\HTTP\ResponseInterface;
18+
use Test\TestCase;
19+
20+
class CalDavValidatePluginTest extends TestCase {
21+
22+
private CalDavValidatePlugin $plugin;
23+
private IConfig|MockObject $config;
24+
private RequestInterface|MockObject $request;
25+
private ResponseInterface|MockObject $response;
26+
27+
protected function setUp(): void {
28+
parent::setUp();
29+
// construct mock objects
30+
$this->config = $this->createMock(IConfig::class);
31+
$this->request = $this->createMock(RequestInterface::class);
32+
$this->response = $this->createMock(ResponseInterface::class);
33+
$this->plugin = new CalDavValidatePlugin(
34+
$this->config,
35+
);
36+
}
37+
38+
public function testPutSizeLessThenLimit(): void {
39+
40+
// construct method responses
41+
$this->config
42+
->method('getAppValue')
43+
->with('dav', 'event_size_limit', 10485760)
44+
->willReturn(10485760);
45+
$this->request
46+
->method('getRawServerValue')
47+
->with('CONTENT_LENGTH')
48+
->willReturn('1024');
49+
// test condition
50+
$this->assertTrue(
51+
$this->plugin->beforePut($this->request, $this->response)
52+
);
53+
54+
}
55+
56+
public function testPutSizeMoreThenLimit(): void {
57+
58+
// construct method responses
59+
$this->config
60+
->method('getAppValue')
61+
->with('dav', 'event_size_limit', 10485760)
62+
->willReturn(10485760);
63+
$this->request
64+
->method('getRawServerValue')
65+
->with('CONTENT_LENGTH')
66+
->willReturn('16242880');
67+
$this->expectException(Forbidden::class);
68+
// test condition
69+
$this->plugin->beforePut($this->request, $this->response);
70+
71+
}
72+
73+
}

0 commit comments

Comments
 (0)