
Commit fe90956

Merge pull request #46315 from nextcloud/fix/limit-vevent-size
fix(caldav): limit vevent size
2 parents 59d6b37 + 247fbb5 commit fe90956

6 files changed

Lines changed: 119 additions & 0 deletions


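--- a/apps/dav/appinfo/v1/caldav.php
+++ b/apps/dav/appinfo/v1/caldav.php
@@ -10,6 +10,7 @@
 use OCA\DAV\CalDAV\CalDavBackend;
 use OCA\DAV\CalDAV\CalendarRoot;
 use OCA\DAV\CalDAV\Security\RateLimitingPlugin;
+use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
 use OCA\DAV\Connector\LegacyDAVACL;
 use OCA\DAV\Connector\Sabre\Auth;
 use OCA\DAV\Connector\Sabre\ExceptionLoggerPlugin;
@@ -98,6 +99,7 @@
 }
 $server->addPlugin(new ExceptionLoggerPlugin('caldav', $logger));
 $server->addPlugin(\OCP\Server::get(RateLimitingPlugin::class));
+$server->addPlugin(\OCP\Server::get(CalDavValidatePlugin::class));
 
 // And off we go!
 $server->exec();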

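--- a/apps/dav/composer/composer/autoload_classmap.php
+++ b/apps/dav/composer/composer/autoload_classmap.php
@@ -112,6 +112,7 @@
 'OCA\\DAV\\CalDAV\\Trashbin\\Plugin' => $baseDir . '/../lib/CalDAV/Trashbin/Plugin.php',
 'OCA\\DAV\\CalDAV\\Trashbin\\RestoreTarget' => $baseDir . '/../lib/CalDAV/Trashbin/RestoreTarget.php',
 'OCA\\DAV\\CalDAV\\Trashbin\\TrashbinHome' => $baseDir . '/../lib/CalDAV/Trashbin/TrashbinHome.php',
+'OCA\\DAV\\CalDAV\\Validation\\CalDavValidatePlugin' => $baseDir . '/../lib/CalDAV/Validation/CalDavValidatePlugin.php',
 'OCA\\DAV\\CalDAV\\WebcalCaching\\Plugin' => $baseDir . '/../lib/CalDAV/WebcalCaching/Plugin.php',
 'OCA\\DAV\\CalDAV\\WebcalCaching\\RefreshWebcalService' => $baseDir . '/../lib/CalDAV/WebcalCaching/RefreshWebcalService.php',
 'OCA\\DAV\\Capabilities' => $baseDir . '/../lib/Capabilities.php',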

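--- a/apps/dav/composer/composer/autoload_static.php
+++ b/apps/dav/composer/composer/autoload_static.php
@@ -127,6 +127,7 @@ class ComposerStaticInitDAV
 'OCA\\DAV\\CalDAV\\Trashbin\\Plugin' => __DIR__ . '/..' . '/../lib/CalDAV/Trashbin/Plugin.php',
 'OCA\\DAV\\CalDAV\\Trashbin\\RestoreTarget' => __DIR__ . '/..' . '/../lib/CalDAV/Trashbin/RestoreTarget.php',
 'OCA\\DAV\\CalDAV\\Trashbin\\TrashbinHome' => __DIR__ . '/..' . '/../lib/CalDAV/Trashbin/TrashbinHome.php',
+'OCA\\DAV\\CalDAV\\Validation\\CalDavValidatePlugin' => __DIR__ . '/..' . '/../lib/CalDAV/Validation/CalDavValidatePlugin.php',
 'OCA\\DAV\\CalDAV\\WebcalCaching\\Plugin' => __DIR__ . '/..' . '/../lib/CalDAV/WebcalCaching/Plugin.php',
 'OCA\\DAV\\CalDAV\\WebcalCaching\\RefreshWebcalService' => __DIR__ . '/..' . '/../lib/CalDAV/WebcalCaching/RefreshWebcalService.php',
 'OCA\\DAV\\Capabilities' => __DIR__ . '/..' . '/../lib/Capabilities.php',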
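--- /dev/null
+++ b/apps/dav/lib/CalDAV/Validation/CalDavValidatePlugin.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+* SPDX-License-Identifier: AGPL-3.0-or-later
+*/
+namespace OCA\DAV\CalDAV\Validation;
+
+use OCA\DAV\AppInfo\Application;
+use OCP\IAppConfig;
+use Sabre\DAV\Exception\Forbidden;
+use Sabre\DAV\Server;
+use Sabre\DAV\ServerPlugin;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
+
+class CalDavValidatePlugin extends ServerPlugin {
+
+public function __construct(
+private IAppConfig $config
+) {
+}
+
+public function initialize(Server $server): void {
+$server->on('beforeMethod:PUT', [$this, 'beforePut']);
+}
+
+public function beforePut(RequestInterface $request, ResponseInterface $response): bool {
+// evaluate if card size exceeds defined limit
+$eventSizeLimit = $this->config->getValueInt(Application::APP_ID, 'event_size_limit', 10485760);
+if ((int) $request->getRawServerValue('CONTENT_LENGTH') > $eventSizeLimit) {
+throw new Forbidden("VEvent or VTodo object exceeds $eventSizeLimit bytes");
+}
+// all tests passed return true
+return true;
+}
+
+}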
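Review bot: The limit in beforePut is enforced only through `CONTENT_LENGTH`, so a PUT whose body arrives with `Transfer-Encoding: chunked` and no Content-Length header makes `getRawServerValue` return null, `(int) null` is 0, and the body is accepted regardless of size — whether the web server in front of PHP always synthesises CONTENT_LENGTH in that case is deployment-dependent and should not be relied on. A minimal tightening is `$length = $request->getRawServerValue('CONTENT_LENGTH');` followed by `if ($length === null || (int) $length > $eventSizeLimit) {`, or alternatively enforce the limit on the data actually read in a `beforeWriteContent`/`beforeCreateFile` handler, where the target node type is also known. As written the hook is `beforeMethod:PUT` with no check that the target is a calendar object, so the plugin limits every PUT on whichever Sabre server registers it. Minor: the comment `// evaluate if card size exceeds defined limit` still says "card" while the message says VEvent/VTodo, and `Forbidden` (403) misdescribes an oversize body — a 413 (for example a small `Sabre\DAV\Exception` subclass whose `getHTTPCode()` returns 413) tells clients not to retry the same payload.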

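--- a/apps/dav/lib/Server.php
+++ b/apps/dav/lib/Server.php
@@ -11,6 +11,7 @@
 use OCA\DAV\CalDAV\BirthdayService;
 use OCA\DAV\CalDAV\Schedule\IMipPlugin;
 use OCA\DAV\CalDAV\Security\RateLimitingPlugin;
+use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
 use OCA\DAV\CardDAV\HasPhotoPlugin;
 use OCA\DAV\CardDAV\ImageExportPlugin;
 use OCA\DAV\CardDAV\MultiGetExportPlugin;
@@ -167,6 +168,7 @@ public function __construct(IRequest $request, string $baseUri) {
 ));
 
 $this->server->addPlugin(\OCP\Server::get(RateLimitingPlugin::class));
+$this->server->addPlugin(\OCP\Server::get(CalDavValidatePlugin::class));
 }
 
 // addressbook plugins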
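Review bot: The new `addPlugin` call sits in `Server::__construct`, whose start and end lie outside the hunk, so it is not visible whether this registration is inside a calendar-only branch; CalDavValidatePlugin hooks `beforeMethod:PUT` without inspecting the request path, and this server also carries the addressbook plugins (see the `// addressbook plugins` context and the CardDAV imports), so an unscoped registration would presumably apply the 10 MiB default to every PUT on this endpoint, not only calendar objects. If the enclosing block is calendar-scoped, a one-line comment such as `// event size limit; this branch is only reached for calendar requests` at the call site would make that invariant explicit; if it is not, the plugin should check the target node or path before throwing. Whatever scoping is chosen should be mirrored in the separate registration in `appinfo/v1/caldav.php`.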
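--- /dev/null
+++ b/apps/dav/tests/unit/CalDAV/Validation/CalDavValidatePluginTest.php
@@ -0,0 +1,73 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+* SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+* SPDX-License-Identifier: AGPL-3.0-or-later
+*/
+
+namespace OCA\DAV\Tests\unit\CalDAV\Validation;
+
+use OCA\DAV\CalDAV\Validation\CalDavValidatePlugin;
+use OCP\IAppConfig;
+use PHPUnit\Framework\MockObject\MockObject;
+use Sabre\DAV\Exception\Forbidden;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
+use Test\TestCase;
+
+class CalDavValidatePluginTest extends TestCase {
+
+private CalDavValidatePlugin $plugin;
+private IAppConfig|MockObject $config;
+private RequestInterface|MockObject $request;
+private ResponseInterface|MockObject $response;
+
+protected function setUp(): void {
+parent::setUp();
+// construct mock objects
+$this->config = $this->createMock(IAppConfig::class);
+$this->request = $this->createMock(RequestInterface::class);
+$this->response = $this->createMock(ResponseInterface::class);
+$this->plugin = new CalDavValidatePlugin(
+$this->config,
+);
+}
+
+public function testPutSizeLessThenLimit(): void {
+
+// construct method responses
+$this->config
+->method('getValueInt')
+->with('dav', 'event_size_limit', 10485760)
+->willReturn(10485760);
+$this->request
+->method('getRawServerValue')
+->with('CONTENT_LENGTH')
+->willReturn('1024');
+// test condition
+$this->assertTrue(
+$this->plugin->beforePut($this->request, $this->response)
+);
+
+}
+
+public function testPutSizeMoreThenLimit(): void {
+
+// construct method responses
+$this->config
+->method('getValueInt')
+->with('dav', 'event_size_limit', 10485760)
+->willReturn(10485760);
+$this->request
+->method('getRawServerValue')
+->with('CONTENT_LENGTH')
+->willReturn('16242880');
+$this->expectException(Forbidden::class);
+// test condition
+$this->plugin->beforePut($this->request, $this->response);
+
+}
+
+}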
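Review bot: The two tests pin only one value below and one above the limit; the cases that decide the guard's security value — `getRawServerValue` returning null (no Content-Length, e.g. a chunked PUT) and the exact boundary 10485760 (accepted because the comparison is `>`) — are not covered, so a regression in either would pass CI unnoticed. Add a third test with `->willReturn(null)` asserting the intended outcome for a missing header, and a boundary test with `->willReturn('10485760')` asserting it is accepted. Style: `testPutSizeLessThenLimit`/`testPutSizeMoreThenLimit` should read `LessThan`/`MoreThan`, and the hard-coded `'dav'` in `->with('dav', 'event_size_limit', 10485760)` duplicates `Application::APP_ID` — using the constant keeps the expectation from silently diverging from the plugin.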
