nextcloud · AndyScherzinger · Aug 21, 2024 · Aug 5, 2024
diff --git a/lib/private/Share20/Manager.php b/lib/private/Share20/Manager.php
@@ -11,6 +11,7 @@
 use OC\KnownUser\KnownUserService;
 use OC\Share20\Exception\ProviderException;
 use OCA\Files_Sharing\AppInfo\Application;
+use OCA\Files_Sharing\SharedStorage;
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\Files\File;
 use OCP\Files\Folder;
@@ -570,7 +571,7 @@ protected function setLinkParent(IShare $share) {
 		// No sense in checking if the method is not there.
 		if (method_exists($share, 'setParent')) {
 			$storage = $share->getNode()->getStorage();
-			if ($storage->instanceOfStorage('\OCA\Files_Sharing\ISharedStorage')) {
+			if ($storage->instanceOfStorage(SharedStorage::class)) {
 				/** @var \OCA\Files_Sharing\SharedStorage $storage */
 				$share->setParent($storage->getShareId());
 			}

diff --git a/apps/admin_audit/lib/Actions/Action.php b/apps/admin_audit/lib/Actions/Action.php
 					$this->logger->critical(
 						sprintf(
 							'$params["'.$element.'"] was missing. Transferred value: %s',
 							print_r($params, true)
 						),
 						['app' => 'admin_audit']
 					);
diff --git a/apps/files_external/lib/Config/ConfigAdapter.php b/apps/files_external/lib/Config/ConfigAdapter.php
 			if (!is_subclass_of($objectClass, '\OCP\Files\ObjectStore\IObjectStore')) {
 				throw new \InvalidArgumentException('Invalid object store');
 			}
 			$storage->setBackendOption('objectstore', new $objectClass($objectStore));
 		}

 		$storage->getAuthMechanism()->manipulateStorageConfig($storage, $user);
diff --git a/apps/files_external/lib/Lib/Storage/SFTP.php b/apps/files_external/lib/Lib/Storage/SFTP.php
 				case 'c':
 				case 'c+':
 					$context = stream_context_create(['sftp' => ['session' => $connection]]);
 					$handle = fopen($this->constructUrl($path), $mode, false, $context);
 					return RetryWrapper::wrap($handle);
 			}
 		} catch (\Exception $e) {
diff --git a/apps/files_sharing/lib/Controller/ShareController.php b/apps/files_sharing/lib/Controller/ShareController.php
 			&& !isset($downloadStartSecret[32])
 			&& preg_match('!^[a-zA-Z0-9]+$!', $downloadStartSecret) === 1) {
 			// FIXME: set on the response once we use an actual app framework response
 			setcookie('ocDownloadStarted', $downloadStartSecret, time() + 20, '/');
 		}

 		$this->emitAccessShareHook($share);
diff --git a/apps/theming/lib/IconBuilder.php b/apps/theming/lib/IconBuilder.php
 			$appIconContent = $appIcon->getContent();
 			$mime = $appIcon->getMimeType();
 		} else {
 			$appIconContent = file_get_contents($appIcon);
 			$mime = mime_content_type($appIcon);
 		}

 		if ($imageFile === false || $imageFile === "") {
 			return false;
 		}
 		$svg = file_get_contents($imageFile);
 		if ($svg !== false && $svg !== "") {
 			$color = $this->util->elementColor($this->themingDefaults->getColorPrimary());
 			$svg = $this->util->colorizeSvg($svg, $color);
diff --git a/lib/base.php b/lib/base.php
 			// slash which is required by URL generation.
 			if (isset($_SERVER['REQUEST_URI']) && $_SERVER['REQUEST_URI'] === \OC::$WEBROOT &&
 					substr($_SERVER['REQUEST_URI'], -1) !== '/') {
 				header('Location: '.\OC::$WEBROOT.'/');
 				exit();
 			}
 		}
 				throw new Exception('Not installed');
 			} else {
 				$url = OC::$WEBROOT . '/index.php';
 				header('Location: ' . $url);
 			}
 			exit();
 		}
diff --git a/lib/private/App/InfoParser.php b/lib/private/App/InfoParser.php
 		}

 		libxml_use_internal_errors(true);
 		$xml = simplexml_load_string(file_get_contents($file));

 		if ($xml === false) {
 			libxml_clear_errors();
diff --git a/lib/private/AppFramework/Http/Dispatcher.php b/lib/private/AppFramework/Http/Dispatcher.php
 		}

 		$this->eventLogger->start('controller:' . get_class($controller) . '::' . $methodName, 'App framework controller execution');
 		$response = \call_user_func_array([$controller, $methodName], $arguments);
 		$this->eventLogger->end('controller:' . get_class($controller) . '::' . $methodName);

 		// format response
	$this->logger->critical(
	sprintf(
	'$params["'.$element.'"] was missing. Transferred value: %s',
	print_r($params, true)
Check failure on line 42 in apps/admin_audit/lib/Actions/Action.php GitHub Actions / static-code-analysis-security TaintedHtml `apps/admin_audit/lib/Actions/Action.php:42:16: TaintedHtml: Detected tainted HTML (see https://psalm.dev/245)`
	),
	['app' => 'admin_audit']
	);
	if (!is_subclass_of($objectClass, '\OCP\Files\ObjectStore\IObjectStore')) {
	throw new \InvalidArgumentException('Invalid object store');
	}
	$storage->setBackendOption('objectstore', new $objectClass($objectStore));
Check failure on line 52 in apps/files_external/lib/Config/ConfigAdapter.php GitHub Actions / static-code-analysis-security TaintedCallable `apps/files_external/lib/Config/ConfigAdapter.php:52:50: TaintedCallable: Detected tainted text (see https://psalm.dev/243)`
	}

	$storage->getAuthMechanism()->manipulateStorageConfig($storage, $user);
	case 'c':
	case 'c+':
	$context = stream_context_create(['sftp' => ['session' => $connection]]);
	$handle = fopen($this->constructUrl($path), $mode, false, $context);
Check failure on line 384 in apps/files_external/lib/Lib/Storage/SFTP.php GitHub Actions / static-code-analysis-security TaintedFile `apps/files_external/lib/Lib/Storage/SFTP.php:384:22: TaintedFile: Detected tainted file handling (see https://psalm.dev/255)`
	return RetryWrapper::wrap($handle);
	}
	} catch (\Exception $e) {
	&& !isset($downloadStartSecret[32])
	&& preg_match('!^[a-zA-Z0-9]+$!', $downloadStartSecret) === 1) {
	// FIXME: set on the response once we use an actual app framework response
	setcookie('ocDownloadStarted', $downloadStartSecret, time() + 20, '/');
Check failure on line 430 in apps/files_sharing/lib/Controller/ShareController.php GitHub Actions / static-code-analysis-security TaintedCookie `apps/files_sharing/lib/Controller/ShareController.php:430:35: TaintedCookie: Detected tainted cookie (see https://psalm.dev/257)`
	}

	$this->emitAccessShareHook($share);
	$appIconContent = $appIcon->getContent();
	$mime = $appIcon->getMimeType();
	} else {
	$appIconContent = file_get_contents($appIcon);
Check failure on line 116 in apps/theming/lib/IconBuilder.php GitHub Actions / static-code-analysis-security TaintedFile `apps/theming/lib/IconBuilder.php:116:40: TaintedFile: Detected tainted file handling (see https://psalm.dev/255)`
	$mime = mime_content_type($appIcon);
	}

	if ($imageFile === false \|\| $imageFile === "") {
	return false;
	}
	$svg = file_get_contents($imageFile);
Check failure on line 214 in apps/theming/lib/IconBuilder.php GitHub Actions / static-code-analysis-security TaintedFile `apps/theming/lib/IconBuilder.php:214:28: TaintedFile: Detected tainted file handling (see https://psalm.dev/255)`
	if ($svg !== false && $svg !== "") {
	$color = $this->util->elementColor($this->themingDefaults->getColorPrimary());
	$svg = $this->util->colorizeSvg($svg, $color);
	// slash which is required by URL generation.
	if (isset($_SERVER['REQUEST_URI']) && $_SERVER['REQUEST_URI'] === \OC::$WEBROOT &&
	substr($_SERVER['REQUEST_URI'], -1) !== '/') {
	header('Location: '.\OC::$WEBROOT.'/');
Check failure on line 144 in lib/base.php GitHub Actions / static-code-analysis-security TaintedHeader `lib/base.php:144:12: TaintedHeader: Detected tainted header (see https://psalm.dev/256)`
	exit();
	}
	}
	throw new Exception('Not installed');
	} else {
	$url = OC::$WEBROOT . '/index.php';
	header('Location: ' . $url);
Check failure on line 226 in lib/base.php GitHub Actions / static-code-analysis-security TaintedHeader `lib/base.php:226:12: TaintedHeader: Detected tainted header (see https://psalm.dev/256)`
	}
	exit();
	}
	}

	libxml_use_internal_errors(true);
	$xml = simplexml_load_string(file_get_contents($file));
Check failure on line 38 in lib/private/App/InfoParser.php GitHub Actions / static-code-analysis-security TaintedFile `lib/private/App/InfoParser.php:38:50: TaintedFile: Detected tainted file handling (see https://psalm.dev/255)`

	if ($xml === false) {
	libxml_clear_errors();
	}

	$this->eventLogger->start('controller:' . get_class($controller) . '::' . $methodName, 'App framework controller execution');
	$response = \call_user_func_array([$controller, $methodName], $arguments);
Check failure on line 208 in lib/private/AppFramework/Http/Dispatcher.php GitHub Actions / static-code-analysis-security TaintedCallable `lib/private/AppFramework/Http/Dispatcher.php:208:37: TaintedCallable: Detected tainted text (see https://psalm.dev/243)`
	$this->eventLogger->end('controller:' . get_class($controller) . '::' . $methodName);

	// format response