From f7b3944aa70aae564d4b76def47fb51d35dffeb9 Mon Sep 17 00:00:00 2001
From: Christian Richter
Date: Thu, 14 Mar 2024 11:15:06 +0100
Subject: [PATCH 1/2] bump reva
Signed-off-by: Christian Richter
---
 changelog/unreleased/check-parent-on-copy.md | 8 +++++
 go.mod | 2 +-
 go.sum | 4 +--
 .../http/services/owncloud/ocdav/copy.go | 31 +++++++++++++++++++
 .../http/services/owncloud/ocdav/move.go | 23 ++++++++++++++
 vendor/modules.txt | 2 +-
 6 files changed, 66 insertions(+), 4 deletions(-)
 create mode 100644 changelog/unreleased/check-parent-on-copy.md
diff --git a/changelog/unreleased/check-parent-on-copy.md b/changelog/unreleased/check-parent-on-copy.md
new file mode 100644
index 00000000000..1325b529586
--- /dev/null
+++ b/changelog/unreleased/check-parent-on-copy.md
@@ -0,0 +1,8 @@
+Bugfix: Prevent copying a file to a parent folder
+
+When copying a file to a parent folder, the file would be copied to the parent folder, but the file would not be removed from the original folder.
+
+https://github.com/owncloud/ocis/pull/8649
+https://github.com/owncloud/ocis/issues/1230
+https://github.com/cs3org/reva/pull/4571
+`
diff --git a/go.mod b/go.mod
index d068ec8b8a6..d4216ca36f6 100644
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 github.com/cenkalti/backoff v2.2.1+incompatible
 github.com/coreos/go-oidc/v3 v3.9.0
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781
- github.com/cs3org/reva/v2 v2.19.2-0.20240313154849-352a246529ff
+ github.com/cs3org/reva/v2 v2.19.2-0.20240318131905-fd7b50caacad
 github.com/dhowden/tag v0.0.0-20230630033851-978a0926ee25
 github.com/disintegration/imaging v1.6.2
 github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
diff --git a/go.sum b/go.sum
index 38deb30ad8a..b89cc3c5b9a 100644
--- a/go.sum
+++ b/go.sum
@@ -1018,8 +1018,8 @@ github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
 github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2FasrrPg8gGPHQPOrQ18MS1Oew2tmGtY=
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
-github.com/cs3org/reva/v2 v2.19.2-0.20240313154849-352a246529ff h1:XW1j4lf3EWfB9/fKN3D8Q1mehNvrlmGuXdVVzWLtFDs=
-github.com/cs3org/reva/v2 v2.19.2-0.20240313154849-352a246529ff/go.mod h1:GRUrOp5HbFVwZTgR9bVrMZ/MvVy+Jhxw1PdMmhhKP9E=
+github.com/cs3org/reva/v2 v2.19.2-0.20240318131905-fd7b50caacad h1:qKgPSuJ9T3AElJbZbrNmUSH51MQq1CgN1acKcyty86Y=
+github.com/cs3org/reva/v2 v2.19.2-0.20240318131905-fd7b50caacad/go.mod h1:GRUrOp5HbFVwZTgR9bVrMZ/MvVy+Jhxw1PdMmhhKP9E=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
 github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go
index 166c110f3f0..995279ee007 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go
@@ -559,6 +559,37 @@ func (s *svc) prepareCopy(ctx context.Context, w http.ResponseWriter, r *http.Re
 return nil
 }

+ isParent, err := s.referenceIsChildOf(ctx, s.gatewaySelector, srcRef, dstRef)
+ if err != nil {
+ switch err.(type) {
+ case errtypes.IsNotFound:
+ isParent = false
+ case errtypes.IsNotSupported:
+ log.Error().Err(err).Msg("can not detect recursive copy operation. missing machine auth configuration?")
+ w.WriteHeader(http.StatusForbidden)
+ return nil
+ default:
+ log.Error().Err(err).Msg("error while trying to detect recursive copy operation")
+ w.WriteHeader(http.StatusInternalServerError)
+ return nil
+ }
+ }
+
+ if isParent {
+ w.WriteHeader(http.StatusConflict)
+ b, err := errors.Marshal(http.StatusBadRequest, "can not copy a folder into its parent", "")
+ errors.HandleWebdavError(log, w, b, err)
+ return nil
+
+ }
+
+ if srcRef.Path == dstRef.Path && srcRef.ResourceId == dstRef.ResourceId {
+ w.WriteHeader(http.StatusConflict)
+ b, err := errors.Marshal(http.StatusBadRequest, "source and destination are the same", "")
+ errors.HandleWebdavError(log, w, b, err)
+ return nil
+ }
+
 oh := r.Header.Get(net.HeaderOverwrite)
 overwrite, err := net.ParseOverwrite(oh)
 if err != nil {
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go
index 4706d20e9d5..6d1a523befc 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go
@@ -162,6 +162,29 @@ func (s *svc) handleMove(ctx context.Context, w http.ResponseWriter, r *http.Req
 return
 }

+ isParent, err := s.referenceIsChildOf(ctx, s.gatewaySelector, src, dst)
+ if err != nil {
+ switch err.(type) {
+ case errtypes.IsNotFound:
+ isParent = false
+ case errtypes.IsNotSupported:
+ log.Error().Err(err).Msg("can not detect recursive move operation. missing machine auth configuration?")
+ w.WriteHeader(http.StatusForbidden)
+ return
+ default:
+ log.Error().Err(err).Msg("error while trying to detect recursive move operation")
+ w.WriteHeader(http.StatusInternalServerError)
+ return
+ }
+ }
+ if isParent {
+ w.WriteHeader(http.StatusConflict)
+ b, err := errors.Marshal(http.StatusBadRequest, "can not move a folder into its parent", "")
+ errors.HandleWebdavError(&log, w, b, err)
+ return
+
+ }
+
 oh := r.Header.Get(net.HeaderOverwrite)
 log.Debug().Str("overwrite", oh).Msg("move")

diff --git a/vendor/modules.txt b/vendor/modules.txt
index 31c0df2157b..40c7dea1efd 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -359,7 +359,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1
 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1
 github.com/cs3org/go-cs3apis/cs3/types/v1beta1
-# github.com/cs3org/reva/v2 v2.19.2-0.20240313154849-352a246529ff
+# github.com/cs3org/reva/v2 v2.19.2-0.20240318131905-fd7b50caacad
 ## explicit; go 1.21
 github.com/cs3org/reva/v2/cmd/revad/internal/grace
 github.com/cs3org/reva/v2/cmd/revad/runtime
From 6ddac23b16cc0e3f48b9e20690adeaf2cd897387 Mon Sep 17 00:00:00 2001
From: Christian Richter
Date: Mon, 18 Mar 2024 15:15:00 +0100
Subject: [PATCH 2/2] fix tests
Signed-off-by: Christian Richter
---
 .../features/apiSpacesDavOperation/moveByFileId.feature | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/acceptance/features/apiSpacesDavOperation/moveByFileId.feature b/tests/acceptance/features/apiSpacesDavOperation/moveByFileId.feature
index d3862bd9d56..da98b32d5f4 100644
--- a/tests/acceptance/features/apiSpacesDavOperation/moveByFileId.feature
+++ b/tests/acceptance/features/apiSpacesDavOperation/moveByFileId.feature
@@ -718,8 +718,8 @@ Feature: moving/renaming file using file id
 | textfile.txt |
 Examples:
 | dav-path | space | http-status-code |
- | /remote.php/dav/spaces | Personal | 400 |
- | /dav/spaces | Personal | 400 |
+ | /remote.php/dav/spaces | Personal | 409 |
+ | /dav/spaces | Personal | 409 |
 | /remote.php/dav/spaces | myspace | 400 |
 | /dav/spaces | myspace | 400 |
 | /remote.php/dav/spaces | Shares | 404 |
@@ -738,8 +738,8 @@ Feature: moving/renaming file using file id
 | dav-path | space | http-status-code |
 | /remote.php/dav/spaces | Personal | 400 |
 | /dav/spaces | Personal | 400 |
- | /remote.php/dav/spaces | myspace | 400 |
- | /dav/spaces | myspace | 400 |
+ | /remote.php/dav/spaces | myspace | 409 |
+ | /dav/spaces | myspace | 409 |
 | /remote.php/dav/spaces | Shares | 404 |
 | /dav/spaces | Shares | 404 |
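Review bot: The rows switched to 409 (Personal in this table, myspace in the table at `@@ -738,8`) assert only the HTTP status, while the handler change in patch 1/2 that presumably produces it sends `w.WriteHeader(http.StatusConflict)` but builds the error body with `errors.Marshal(http.StatusBadRequest, "can not move a folder into its parent", "")`. If that first argument selects the exception written into the WebDAV body, which its name suggests but the diff does not show, a client gets a 409 whose body still reports a bad request, and these examples would pass either way. The scenario steps lie outside both hunks, so a body check may already exist; if it does not, a step asserting the returned message for the 409 rows would pin the intended contract.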