fix(encryption): Correctly handle file opening and copying failures

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>

Author: come-nc

apps/encryption/lib/Crypto/EncryptAll.php

@@ -249,7 +249,14 @@ protected function encryptFile($path) {
 		$target = $path . '.encrypted.' . time();
 
 		try {
-			$this->rootView->copy($source, $target);
+			$copySuccess = $this->rootView->copy($source, $target);
+			if ($copySuccess === false) {
+				/* Copy failed, abort */
+				if ($this->rootView->file_exists($target)) {
+					$this->rootView->unlink($target);
+				}
+				throw new \Exception('Copy failed for ' . $source);
+			}
 			$this->rootView->rename($target, $source);
 		} catch (DecryptionFailedException $e) {
 			if ($this->rootView->file_exists($target)) {

lib/private/Files/Storage/Wrapper/Encryption.php

@@ -23,6 +23,7 @@
 use OCP\Encryption\Keys\IStorage;
 use OCP\Files;
 use OCP\Files\Cache\ICacheEntry;
+use OCP\Files\GenericFileException;
 use OCP\Files\Mount\IMountPoint;
 use OCP\Files\Storage;
 use Psr\Log\LoggerInterface;
@@ -185,11 +186,11 @@ public function unlink(string $path): bool {
 	public function rename(string $source, string $target): bool {
 		$result = $this->storage->rename($source, $target);
 
-		if ($result &&
+		if ($result
 			// versions always use the keys from the original file, so we can skip
 			// this step for versions
-			$this->isVersion($target) === false &&
-			$this->encryptionManager->isEnabled()) {
+			&& $this->isVersion($target) === false
+			&& $this->encryptionManager->isEnabled()) {
 			$sourcePath = $this->getFullPath($source);
 			if (!$this->util->isExcluded($sourcePath)) {
 				$targetPath = $this->getFullPath($target);
@@ -210,9 +211,9 @@ public function rename(string $source, string $target): bool {
 	public function rmdir(string $path): bool {
 		$result = $this->storage->rmdir($path);
 		$fullPath = $this->getFullPath($path);
-		if ($result &&
-			$this->util->isExcluded($fullPath) === false &&
-			$this->encryptionManager->isEnabled()
+		if ($result
+			&& $this->util->isExcluded($fullPath) === false
+			&& $this->encryptionManager->isEnabled()
 		) {
 			$this->keyStorage->deleteAllFileKeys($fullPath);
 		}
@@ -225,9 +226,9 @@ public function isReadable(string $path): bool {
 
 		$metaData = $this->getMetaData($path);
 		if (
-			!$this->is_dir($path) &&
-			isset($metaData['encrypted']) &&
-			$metaData['encrypted'] === true
+			!$this->is_dir($path)
+			&& isset($metaData['encrypted'])
+			&& $metaData['encrypted'] === true
 		) {
 			$fullPath = $this->getFullPath($path);
 			$module = $this->getEncryptionModule($path);
@@ -384,9 +385,9 @@ protected function verifyUnencryptedSize(string $path, int $unencryptedSize): in
 		$size = $this->storage->filesize($path);
 		$result = $unencryptedSize;
 
-		if ($unencryptedSize < 0 ||
-			($size > 0 && $unencryptedSize === $size) ||
-			$unencryptedSize > $size
+		if ($unencryptedSize < 0
+			|| ($size > 0 && $unencryptedSize === $size)
+			|| $unencryptedSize > $size
 		) {
 			// check if we already calculate the unencrypted size for the
 			// given path to avoid recursions
@@ -634,8 +635,8 @@ private function copyBetweenStorage(
 	): bool {
 		// for versions we have nothing to do, because versions should always use the
 		// key from the original file. Just create a 1:1 copy and done
-		if ($this->isVersion($targetInternalPath) ||
-			$this->isVersion($sourceInternalPath)) {
+		if ($this->isVersion($targetInternalPath)
+			|| $this->isVersion($sourceInternalPath)) {
 			// remember that we try to create a version so that we can detect it during
 			// fopen($sourceInternalPath) and by-pass the encryption in order to
 			// create a 1:1 copy of the file
@@ -685,12 +686,16 @@ private function copyBetweenStorage(
 			try {
 				$source = $sourceStorage->fopen($sourceInternalPath, 'r');
 				$target = $this->fopen($targetInternalPath, 'w');
-				[, $result] = Files::streamCopy($source, $target, true);
+				if ($source === false || $target === false) {
+					$result = false;
+				} else {
+					[, $result] = Files::streamCopy($source, $target, true);
+				}
 			} finally {
-				if (is_resource($source)) {
+				if (isset($source) && $source !== false) {
 					fclose($source);
 				}
-				if (is_resource($target)) {
+				if (isset($target) && $target !== false) {
 					fclose($target);
 				}
 			}
@@ -740,6 +745,9 @@ public function stat(string $path): array|false {
 
 	public function hash(string $type, string $path, bool $raw = false): string|false {
 		$fh = $this->fopen($path, 'rb');
+		if ($fh === false) {
+			return false;
+		}
 		$ctx = hash_init($type);
 		hash_update_stream($ctx, $fh);
 		fclose($fh);
@@ -764,6 +772,9 @@ protected function readFirstBlock(string $path): string {
 		$firstBlock = '';
 		if ($this->storage->is_file($path)) {
 			$handle = $this->storage->fopen($path, 'r');
+			if ($handle === false) {
+				return '';
+			}
 			$firstBlock = fread($handle, $this->util->getHeaderSize());
 			fclose($handle);
 		}
@@ -894,6 +905,9 @@ protected function shouldEncrypt(string $path): bool {
 	public function writeStream(string $path, $stream, ?int $size = null): int {
 		// always fall back to fopen
 		$target = $this->fopen($path, 'w');
+		if ($target === false) {
+			throw new GenericFileException("Failed to open $path for writing");
+		}
 		[$count, $result] = Files::streamCopy($stream, $target, true);
 		fclose($stream);
 		fclose($target);