nextcloud · nickvergessen · Jul 29, 2024 · Jul 27, 2024 · Jul 27, 2024
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+use PhpParser\Node\Attribute;
+use Psalm\CodeLocation;
+use Psalm\FileSource;
+use Psalm\Issue\InvalidDocblock;
+use Psalm\IssueBuffer;
+use Psalm\Plugin\EventHandler\Event\AfterClassLikeVisitEvent;
+
+class AttributeNamedParameters implements Psalm\Plugin\EventHandler\AfterClassLikeVisitInterface {
+	public static function afterClassLikeVisit(AfterClassLikeVisitEvent $event): void {
+		$stmt = $event->getStmt();
+		$statementsSource = $event->getStatementsSource();
+
+		foreach ($stmt->attrGroups as $attrGroup) {
+			foreach ($attrGroup->attrs as $attr) {
+				self::checkAttribute($attr, $statementsSource);
+			}
+		}
+
+		foreach ($stmt->getMethods() as $method) {
+			foreach ($method->attrGroups as $attrGroup) {
+				foreach ($attrGroup->attrs as $attr) {
+					self::checkAttribute($attr, $statementsSource);
+				}
+			}
+		}
+	}
+
+	private static function checkAttribute(Attribute $stmt, FileSource $statementsSource): void {
+		if ($stmt->name->getLast() === 'Attribute') {
+			return;
+		}
+
+		foreach ($stmt->args as $arg) {
+			if ($arg->name === null) {
+				IssueBuffer::maybeAdd(
+					new InvalidDocblock(
+						'Attribute arguments must be named.',
+						new CodeLocation($statementsSource, $stmt)
+					)
+				);
+			}
+		}
+	}
+}
@@ -168,7 +168,7 @@ public function rotateAppPassword(): DataResponse {
 	 * 403: Password confirmation failed
 	 */
 	#[NoAdminRequired]
-	#[BruteForceProtection('sudo')]
+	#[BruteForceProtection(action: 'sudo')]
 	#[UseSession]
 	#[ApiRoute(verb: 'PUT', url: '/apppassword/confirm', root: '/core')]
 	public function confirmUserPassword(string $password): DataResponse {

@@ -274,7 +274,7 @@ private function generateRedirect(?string $redirectUrl): RedirectResponse {
 	 */
 	#[NoCSRFRequired]
 	#[PublicPage]
-	#[BruteForceProtection('login')]
+	#[BruteForceProtection(action: 'login')]
 	#[UseSession]
 	#[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
 	#[FrontpageRoute(verb: 'POST', url: '/login')]
@@ -387,7 +387,7 @@ private function createLoginFailedResponse(
 	 * 403: Password confirmation failed
 	 */
 	#[NoAdminRequired]
-	#[BruteForceProtection('sudo')]
+	#[BruteForceProtection(action: 'sudo')]
 	#[UseSession]
 	#[NoCSRFRequired]
 	#[FrontpageRoute(verb: 'POST', url: '/login/confirm')]

@@ -81,8 +81,8 @@ public function __construct(
 	 */
 	#[PublicPage]
 	#[NoCSRFRequired]
-	#[BruteForceProtection('passwordResetEmail')]
-	#[AnonRateLimit(10, 300)]
+	#[BruteForceProtection(action: 'passwordResetEmail')]
+	#[AnonRateLimit(limit: 10, period: 300)]
 	#[FrontpageRoute(verb: 'GET', url: '/lostpassword/reset/form/{token}/{userId}')]
 	public function resetform(string $token, string $userId): TemplateResponse {
 		try {
@@ -144,8 +144,8 @@ private function success(array $data = []): array {
 	}
 
 	#[PublicPage]
-	#[BruteForceProtection('passwordResetEmail')]
-	#[AnonRateLimit(10, 300)]
+	#[BruteForceProtection(action: 'passwordResetEmail')]
+	#[AnonRateLimit(limit: 10, period: 300)]
 	#[FrontpageRoute(verb: 'POST', url: '/lostpassword/email')]
 	public function email(string $user): JSONResponse {
 		if ($this->config->getSystemValue('lost_password_link', '') !== '') {
@@ -180,8 +180,8 @@ public function email(string $user): JSONResponse {
 	}
 
 	#[PublicPage]
-	#[BruteForceProtection('passwordResetEmail')]
-	#[AnonRateLimit(10, 300)]
+	#[BruteForceProtection(action: 'passwordResetEmail')]
+	#[AnonRateLimit(limit: 10, period: 300)]
 	#[FrontpageRoute(verb: 'POST', url: '/lostpassword/set/{token}/{userId}')]
 	public function setPassword(string $token, string $userId, string $password, bool $proceed): JSONResponse {
 		if ($this->encryptionManager->isEnabled() && !$proceed) {

@@ -77,7 +77,7 @@ public function getCapabilities(): DataResponse {
 	}
 
 	#[PublicPage]
-	#[BruteForceProtection('login')]
+	#[BruteForceProtection(action: 'login')]
 	#[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
 	#[ApiRoute(verb: 'POST', url: '/check', root: '/person')]
 	public function personCheck(string $login = '', string $password = ''): DataResponse {

@@ -53,7 +53,7 @@ public function __construct(
 	 */
 	#[NoAdminRequired]
 	#[PasswordConfirmationRequired]
-	#[UserRateLimit(40, 600)]
+	#[UserRateLimit(limit: 40, period: 600)]
 	#[ApiRoute(verb: 'PUT', url: '/{targetUserId}', root: '/profile')]
 	public function setVisibility(string $targetUserId, string $paramId, string $visibility): DataResponse {
 		$requestingUser = $this->userSession->getUser();

@@ -62,8 +62,8 @@ public function languages(): DataResponse {
 	 * 412: Translating is not possible
 	 */
 	#[PublicPage]
-	#[UserRateLimit(25, 120)]
-	#[AnonRateLimit(10, 120)]
+	#[UserRateLimit(limit: 25, period: 120)]
+	#[AnonRateLimit(limit: 10, period: 120)]
 	#[ApiRoute(verb: 'POST', url: '/translate', root: '/translation')]
 	public function translate(string $text, ?string $fromLanguage, string $toLanguage): DataResponse {
 		try {

@@ -40,7 +40,7 @@ public function __construct(
 	 */
 	#[PublicPage]
 	#[NoCSRFRequired]
-	#[AnonRateLimit(10, 300)]
+	#[AnonRateLimit(limit: 10, period: 300)]
 	#[FrontpageRoute(verb: 'POST', url: '/core/wipe/check')]
 	public function checkWipe(string $token): JSONResponse {
 		try {
@@ -69,7 +69,7 @@ public function checkWipe(string $token): JSONResponse {
 	 */
 	#[PublicPage]
 	#[NoCSRFRequired]
-	#[AnonRateLimit(10, 300)]
+	#[AnonRateLimit(limit: 10, period: 300)]
 	#[FrontpageRoute(verb: 'POST', url: '/core/wipe/success')]
 	public function wipeDone(string $token): JSONResponse {
 		try {

@@ -16,6 +16,7 @@
 >
 	<plugins>
 		<plugin filename="build/psalm/AppFrameworkTainter.php" />
+		<plugin filename="build/psalm/AttributeNamedParameters.php" />
 	</plugins>
 	<projectFiles>
 		<directory name="apps/admin_audit"/>