From 0107c7ea24a28779dad09117d8dc5a4a49b95dc5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Mon, 13 Nov 2023 17:07:25 +0100 Subject: [PATCH 1/6] Migrate Forwarded For Headers check to new API MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- .../composer/composer/autoload_classmap.php | 1 + .../composer/composer/autoload_static.php | 1 + apps/settings/lib/AppInfo/Application.php | 2 + .../lib/Controller/CheckSetupController.php | 26 ------ .../lib/SetupChecks/ForwardedForHeaders.php | 88 +++++++++++++++++++ .../Controller/CheckSetupControllerTest.php | 1 - core/js/setupchecks.js | 8 -- core/js/tests/specs/setupchecksSpec.js | 70 --------------- 8 files changed, 92 insertions(+), 105 deletions(-) create mode 100644 apps/settings/lib/SetupChecks/ForwardedForHeaders.php diff --git a/apps/settings/composer/composer/autoload_classmap.php b/apps/settings/composer/composer/autoload_classmap.php index d578167a597a4..e6d1f3ff83f5d 100644 --- a/apps/settings/composer/composer/autoload_classmap.php +++ b/apps/settings/composer/composer/autoload_classmap.php @@ -78,6 +78,7 @@ 'OCA\\Settings\\SetupChecks\\DefaultPhoneRegionSet' => $baseDir . '/../lib/SetupChecks/DefaultPhoneRegionSet.php', 'OCA\\Settings\\SetupChecks\\EmailTestSuccessful' => $baseDir . '/../lib/SetupChecks/EmailTestSuccessful.php', 'OCA\\Settings\\SetupChecks\\FileLocking' => $baseDir . '/../lib/SetupChecks/FileLocking.php', + 'OCA\\Settings\\SetupChecks\\ForwardedForHeaders' => $baseDir . '/../lib/SetupChecks/ForwardedForHeaders.php', 'OCA\\Settings\\SetupChecks\\InternetConnectivity' => $baseDir . '/../lib/SetupChecks/InternetConnectivity.php', 'OCA\\Settings\\SetupChecks\\LegacySSEKeyFormat' => $baseDir . '/../lib/SetupChecks/LegacySSEKeyFormat.php', 'OCA\\Settings\\SetupChecks\\MemcacheConfigured' => $baseDir . '/../lib/SetupChecks/MemcacheConfigured.php', diff --git a/apps/settings/composer/composer/autoload_static.php b/apps/settings/composer/composer/autoload_static.php index d6506f2bebc45..1a95f65119ac3 100644 --- a/apps/settings/composer/composer/autoload_static.php +++ b/apps/settings/composer/composer/autoload_static.php @@ -93,6 +93,7 @@ class ComposerStaticInitSettings 'OCA\\Settings\\SetupChecks\\DefaultPhoneRegionSet' => __DIR__ . '/..' . '/../lib/SetupChecks/DefaultPhoneRegionSet.php', 'OCA\\Settings\\SetupChecks\\EmailTestSuccessful' => __DIR__ . '/..' . '/../lib/SetupChecks/EmailTestSuccessful.php', 'OCA\\Settings\\SetupChecks\\FileLocking' => __DIR__ . '/..' . '/../lib/SetupChecks/FileLocking.php', + 'OCA\\Settings\\SetupChecks\\ForwardedForHeaders' => __DIR__ . '/..' . '/../lib/SetupChecks/ForwardedForHeaders.php', 'OCA\\Settings\\SetupChecks\\InternetConnectivity' => __DIR__ . '/..' . '/../lib/SetupChecks/InternetConnectivity.php', 'OCA\\Settings\\SetupChecks\\LegacySSEKeyFormat' => __DIR__ . '/..' . '/../lib/SetupChecks/LegacySSEKeyFormat.php', 'OCA\\Settings\\SetupChecks\\MemcacheConfigured' => __DIR__ . '/..' . '/../lib/SetupChecks/MemcacheConfigured.php', diff --git a/apps/settings/lib/AppInfo/Application.php b/apps/settings/lib/AppInfo/Application.php index 6f4a94bdda9a8..d694e650b4871 100644 --- a/apps/settings/lib/AppInfo/Application.php +++ b/apps/settings/lib/AppInfo/Application.php @@ -53,6 +53,7 @@ use OCA\Settings\SetupChecks\DefaultPhoneRegionSet; use OCA\Settings\SetupChecks\EmailTestSuccessful; use OCA\Settings\SetupChecks\FileLocking; +use OCA\Settings\SetupChecks\ForwardedForHeaders; use OCA\Settings\SetupChecks\InternetConnectivity; use OCA\Settings\SetupChecks\LegacySSEKeyFormat; use OCA\Settings\SetupChecks\MemcacheConfigured; @@ -162,6 +163,7 @@ public function register(IRegistrationContext $context): void { $context->registerSetupCheck(DefaultPhoneRegionSet::class); $context->registerSetupCheck(EmailTestSuccessful::class); $context->registerSetupCheck(FileLocking::class); + $context->registerSetupCheck(ForwardedForHeaders::class); $context->registerSetupCheck(InternetConnectivity::class); $context->registerSetupCheck(LegacySSEKeyFormat::class); $context->registerSetupCheck(MemcacheConfigured::class); diff --git a/apps/settings/lib/Controller/CheckSetupController.php b/apps/settings/lib/Controller/CheckSetupController.php index 6d74a670a07d3..13e54063d8ac9 100644 --- a/apps/settings/lib/Controller/CheckSetupController.php +++ b/apps/settings/lib/Controller/CheckSetupController.php @@ -246,31 +246,6 @@ private function isUsedTlsLibOutdated() { return ''; } - /** - * Check if the reverse proxy configuration is working as expected - * - * @return bool - */ - private function forwardedForHeadersWorking(): bool { - $trustedProxies = $this->config->getSystemValue('trusted_proxies', []); - $remoteAddress = $this->request->getHeader('REMOTE_ADDR'); - - if (empty($trustedProxies) && $this->request->getHeader('X-Forwarded-Host') !== '') { - return false; - } - - if (\is_array($trustedProxies)) { - if (\in_array($remoteAddress, $trustedProxies, true) && $remoteAddress !== '127.0.0.1') { - return $remoteAddress !== $this->request->getRemoteAddress(); - } - } else { - return false; - } - - // either not enabled or working correctly - return true; - } - /** * Checks if the correct memcache module for PHP is installed. Only * fails if memcached is configured and the working module is not installed. @@ -721,7 +696,6 @@ public function check() { 'cronErrors' => $this->getCronErrors(), 'isFairUseOfFreePushService' => $this->isFairUseOfFreePushService(), 'isUsedTlsLibOutdated' => $this->isUsedTlsLibOutdated(), - 'forwardedForHeadersWorking' => $this->forwardedForHeadersWorking(), 'reverseProxyDocs' => $this->urlGenerator->linkToDocs('admin-reverse-proxy'), 'isCorrectMemcachedPHPModuleInstalled' => $this->isCorrectMemcachedPHPModuleInstalled(), 'hasPassedCodeIntegrityCheck' => $this->checker->hasPassedCheck(), diff --git a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php new file mode 100644 index 0000000000000..140888835af7a --- /dev/null +++ b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php @@ -0,0 +1,88 @@ + + * + * @author Côme Chilliet + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ + +namespace OCA\Settings\SetupChecks; + +use OCP\IConfig; +use OCP\IL10N; +use OCP\IRequest; +use OCP\IURLGenerator; +use OCP\SetupCheck\ISetupCheck; +use OCP\SetupCheck\SetupResult; + +class ForwardedForHeaders implements ISetupCheck { + public function __construct( + private IL10N $l10n, + private IConfig $config, + private IURLGenerator $urlGenerator, + private IRequest $request, + ) { + } + + public function getCategory(): string { + return 'security'; + } + + public function getName(): string { + return $this->l10n->t('Forwared for headers'); + } + + public function run(): SetupResult { + $trustedProxies = $this->config->getSystemValue('trusted_proxies', []); + $remoteAddress = $this->request->getHeader('REMOTE_ADDR'); + + if (!\is_array($trustedProxies)) { + return SetupResult::error($this->l10n->t('Your trusted_proxies setting is not correctly set, it should be an array.')); + } + + if (($remoteAddress === '') && ($this->request->getRemoteAddress() === '')) { + /* Most likely we were called from CLI */ + return SetupResult::info('Your remote address could not be determined.'); + } + + if (empty($trustedProxies) && $this->request->getHeader('X-Forwarded-Host') !== '') { + return SetupResult::warning( + $this->l10n->t('The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), + $this->urlGenerator->linkToDocs('admin-reverse-proxy') + ); + } + + if (\in_array($remoteAddress, $trustedProxies, true) && ($remoteAddress !== '127.0.0.1')) { + if ($remoteAddress !== $this->request->getRemoteAddress()) { + /* Remote address was successfuly fixed */ + return SetupResult::success('Working'); + } else { + return SetupResult::warning( + $this->l10n->t('The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), + $this->urlGenerator->linkToDocs('admin-reverse-proxy') + ); + } + } + + /* Either not enabled or working correctly */ + return SetupResult::success(); + } +} diff --git a/apps/settings/tests/Controller/CheckSetupControllerTest.php b/apps/settings/tests/Controller/CheckSetupControllerTest.php index 0437d8a38b30a..2df86a7b49c6b 100644 --- a/apps/settings/tests/Controller/CheckSetupControllerTest.php +++ b/apps/settings/tests/Controller/CheckSetupControllerTest.php @@ -415,7 +415,6 @@ public function testCheck() { ], 'cronErrors' => [], 'isUsedTlsLibOutdated' => '', - 'forwardedForHeadersWorking' => false, 'reverseProxyDocs' => 'reverse-proxy-doc-link', 'isCorrectMemcachedPHPModuleInstalled' => true, 'hasPassedCodeIntegrityCheck' => true, diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index 86d84719d4a29..1d64acf01ea86 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -222,14 +222,6 @@ type: OC.SetupChecks.MESSAGE_TYPE_WARNING }); } - if(!data.forwardedForHeadersWorking) { - messages.push({ - msg: t('core', 'The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the {linkstart}documentation ↗{linkend}.') - .replace('{linkstart}', '') - .replace('{linkend}', ''), - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }); - } if(!data.isCorrectMemcachedPHPModuleInstalled) { messages.push({ msg: t('core', 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the {linkstart}memcached wiki about both modules ↗{linkend}.') diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index 7fee0ed0fae45..d9124cfc84d9d 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js @@ -225,7 +225,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], @@ -279,7 +278,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], @@ -333,7 +331,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], @@ -387,7 +384,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: false, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], @@ -439,7 +435,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], @@ -482,59 +477,6 @@ describe('OC.SetupChecks tests', function() { }); }); - it('should return an error if the forwarded for headers are not working', function(done) { - var async = OC.SetupChecks.checkSetup(); - - suite.server.requests[0].respond( - 200, - { - 'Content-Type': 'application/json', - }, - JSON.stringify({ - suggestedOverwriteCliURL: '', - isFairUseOfFreePushService: true, - forwardedForHeadersWorking: false, - reverseProxyDocs: 'https://docs.nextcloud.com/foo/bar.html', - isCorrectMemcachedPHPModuleInstalled: true, - hasPassedCodeIntegrityCheck: true, - OpcacheSetupRecommendations: [], - isSettimelimitAvailable: true, - missingIndexes: [], - missingPrimaryKeys: [], - missingColumns: [], - cronErrors: [], - cronInfo: { - diffInSeconds: 0 - }, - appDirsWithDifferentOwner: [], - isImagickEnabled: true, - areWebauthnExtensionsEnabled: true, - pendingBigIntConversionColumns: [], - isMysqlUsedWithoutUTF8MB4: false, - isEnoughTempSpaceAvailableIfS3PrimaryStorageIsUsed: true, - reverseProxyGeneratedURL: 'https://server', - temporaryDirectoryWritable: true, - generic: { - network: { - "Internet connectivity": { - severity: "success", - description: null, - linkToDoc: null - } - }, - }, - }) - ); - - async.done(function( data, s, x ){ - expect(data).toEqual([{ - msg: 'The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the documentation ↗.', - type: OC.SetupChecks.MESSAGE_TYPE_WARNING - }]); - done(); - }); - }); - it('should return an error if set_time_limit is unavailable', function(done) { var async = OC.SetupChecks.checkSetup(); @@ -546,7 +488,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, reverseProxyDocs: 'https://docs.nextcloud.com/foo/bar.html', isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, @@ -599,7 +540,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, reverseProxyDocs: 'https://docs.nextcloud.com/foo/bar.html', isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, @@ -684,7 +624,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], @@ -743,7 +682,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: ['recommendation1', 'recommendation2'], @@ -795,7 +733,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], @@ -851,7 +788,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], @@ -904,7 +840,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], @@ -954,7 +889,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], @@ -1007,7 +941,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], @@ -1060,7 +993,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], @@ -1112,7 +1044,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], @@ -1171,7 +1102,6 @@ describe('OC.SetupChecks tests', function() { JSON.stringify({ suggestedOverwriteCliURL: '', isFairUseOfFreePushService: true, - forwardedForHeadersWorking: true, isCorrectMemcachedPHPModuleInstalled: true, hasPassedCodeIntegrityCheck: true, OpcacheSetupRecommendations: [], From 0ebd44abb666e50f551b030dca3fbd6af03c5d1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Mon, 13 Nov 2023 17:25:21 +0100 Subject: [PATCH 2/6] Migrate tests of forwarded for headers check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- .../Controller/CheckSetupControllerTest.php | 90 +---------- .../SetupChecks/ForwardedForHeadersTest.php | 140 ++++++++++++++++++ 2 files changed, 142 insertions(+), 88 deletions(-) create mode 100644 apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php diff --git a/apps/settings/tests/Controller/CheckSetupControllerTest.php b/apps/settings/tests/Controller/CheckSetupControllerTest.php index 2df86a7b49c6b..fb2aa1a975dd4 100644 --- a/apps/settings/tests/Controller/CheckSetupControllerTest.php +++ b/apps/settings/tests/Controller/CheckSetupControllerTest.php @@ -204,87 +204,6 @@ public function removeTestDirectories() { $this->dirsToRemove = []; } - /** - * @dataProvider dataForwardedForHeadersWorking - * - * @param array $trustedProxies - * @param string $remoteAddrNotForwarded - * @param string $remoteAddr - * @param bool $result - */ - public function testForwardedForHeadersWorking(array $trustedProxies, string $remoteAddrNotForwarded, string $remoteAddr, bool $result): void { - $this->config->expects($this->once()) - ->method('getSystemValue') - ->with('trusted_proxies', []) - ->willReturn($trustedProxies); - $this->request->expects($this->atLeastOnce()) - ->method('getHeader') - ->willReturnMap([ - ['REMOTE_ADDR', $remoteAddrNotForwarded], - ['X-Forwarded-Host', ''] - ]); - $this->request->expects($this->any()) - ->method('getRemoteAddress') - ->willReturn($remoteAddr); - - $this->assertEquals( - $result, - self::invokePrivate($this->checkSetupController, 'forwardedForHeadersWorking') - ); - } - - public function dataForwardedForHeadersWorking(): array { - return [ - // description => trusted proxies, getHeader('REMOTE_ADDR'), getRemoteAddr, expected result - 'no trusted proxies' => [[], '2.2.2.2', '2.2.2.2', true], - 'trusted proxy, remote addr not trusted proxy' => [['1.1.1.1'], '2.2.2.2', '2.2.2.2', true], - 'trusted proxy, remote addr is trusted proxy, x-forwarded-for working' => [['1.1.1.1'], '1.1.1.1', '2.2.2.2', true], - 'trusted proxy, remote addr is trusted proxy, x-forwarded-for not set' => [['1.1.1.1'], '1.1.1.1', '1.1.1.1', false], - ]; - } - - public function testForwardedHostPresentButTrustedProxiesNotAnArray(): void { - $this->config->expects($this->once()) - ->method('getSystemValue') - ->with('trusted_proxies', []) - ->willReturn('1.1.1.1'); - $this->request->expects($this->atLeastOnce()) - ->method('getHeader') - ->willReturnMap([ - ['REMOTE_ADDR', '1.1.1.1'], - ['X-Forwarded-Host', 'nextcloud.test'] - ]); - $this->request->expects($this->any()) - ->method('getRemoteAddress') - ->willReturn('1.1.1.1'); - - $this->assertEquals( - false, - self::invokePrivate($this->checkSetupController, 'forwardedForHeadersWorking') - ); - } - - public function testForwardedHostPresentButTrustedProxiesEmpty(): void { - $this->config->expects($this->once()) - ->method('getSystemValue') - ->with('trusted_proxies', []) - ->willReturn([]); - $this->request->expects($this->atLeastOnce()) - ->method('getHeader') - ->willReturnMap([ - ['REMOTE_ADDR', '1.1.1.1'], - ['X-Forwarded-Host', 'nextcloud.test'] - ]); - $this->request->expects($this->any()) - ->method('getRemoteAddress') - ->willReturn('1.1.1.1'); - - $this->assertEquals( - false, - self::invokePrivate($this->checkSetupController, 'forwardedForHeadersWorking') - ); - } - public function testCheck() { $this->config->expects($this->any()) ->method('getAppValue') @@ -302,13 +221,8 @@ public function testCheck() { ['appstoreenabled', true, false], ]); - $this->request->expects($this->atLeastOnce()) - ->method('getHeader') - ->willReturnMap([ - ['REMOTE_ADDR', '4.3.2.1'], - ['X-Forwarded-Host', ''] - ]); - + $this->request->expects($this->never()) + ->method('getHeader'); $this->clientService->expects($this->never()) ->method('newClient'); $this->checkSetupController diff --git a/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php b/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php new file mode 100644 index 0000000000000..9da2bccda79c7 --- /dev/null +++ b/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php @@ -0,0 +1,140 @@ + + * + * @author Morris Jobke + * @author Côme Chilliet + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ +namespace OCA\Settings\Tests; + +use OCA\Settings\SetupChecks\ForwardedForHeaders; +use OCP\IConfig; +use OCP\IL10N; +use OCP\IRequest; +use OCP\IURLGenerator; +use OCP\SetupCheck\SetupResult; +use Test\TestCase; + +class ForwardedForHeadersTest extends TestCase { + private IL10N $l10n; + private IConfig $config; + private IURLGenerator $urlGenerator; + private IRequest $request; + private ForwardedForHeaders $check; + + protected function setUp(): void { + parent::setUp(); + + $this->l10n = $this->getMockBuilder(IL10N::class) + ->disableOriginalConstructor()->getMock(); + $this->l10n->expects($this->any()) + ->method('t') + ->willReturnCallback(function ($message, array $replace) { + return vsprintf($message, $replace); + }); + $this->config = $this->getMockBuilder(IConfig::class)->getMock(); + $this->urlGenerator = $this->getMockBuilder(IURLGenerator::class)->getMock(); + $this->request = $this->getMockBuilder(IRequest::class)->getMock(); + $this->check = new ForwardedForHeaders( + $this->l10n, + $this->config, + $this->urlGenerator, + $this->request, + ); + } + + /** + * @dataProvider dataForwardedForHeadersWorking + */ + public function testForwardedForHeadersWorking(array $trustedProxies, string $remoteAddrNotForwarded, string $remoteAddr, string $result): void { + $this->config->expects($this->once()) + ->method('getSystemValue') + ->with('trusted_proxies', []) + ->willReturn($trustedProxies); + $this->request->expects($this->atLeastOnce()) + ->method('getHeader') + ->willReturnMap([ + ['REMOTE_ADDR', $remoteAddrNotForwarded], + ['X-Forwarded-Host', ''] + ]); + $this->request->expects($this->any()) + ->method('getRemoteAddress') + ->willReturn($remoteAddr); + + $this->assertEquals( + $result, + $this->check->run()->getSeverity() + ); + } + + public function dataForwardedForHeadersWorking(): array { + return [ + // description => trusted proxies, getHeader('REMOTE_ADDR'), getRemoteAddr, expected result + 'no trusted proxies' => [[], '2.2.2.2', '2.2.2.2', SetupResult::SUCCESS], + 'trusted proxy, remote addr not trusted proxy' => [['1.1.1.1'], '2.2.2.2', '2.2.2.2', SetupResult::SUCCESS], + 'trusted proxy, remote addr is trusted proxy, x-forwarded-for working' => [['1.1.1.1'], '1.1.1.1', '2.2.2.2', SetupResult::SUCCESS], + 'trusted proxy, remote addr is trusted proxy, x-forwarded-for not set' => [['1.1.1.1'], '1.1.1.1', '1.1.1.1', SetupResult::WARNING], + ]; + } + + public function testForwardedHostPresentButTrustedProxiesNotAnArray(): void { + $this->config->expects($this->once()) + ->method('getSystemValue') + ->with('trusted_proxies', []) + ->willReturn('1.1.1.1'); + $this->request->expects($this->atLeastOnce()) + ->method('getHeader') + ->willReturnMap([ + ['REMOTE_ADDR', '1.1.1.1'], + ['X-Forwarded-Host', 'nextcloud.test'] + ]); + $this->request->expects($this->any()) + ->method('getRemoteAddress') + ->willReturn('1.1.1.1'); + + $this->assertEquals( + SetupResult::ERROR, + $this->check->run()->getSeverity() + ); + } + + public function testForwardedHostPresentButTrustedProxiesEmpty(): void { + $this->config->expects($this->once()) + ->method('getSystemValue') + ->with('trusted_proxies', []) + ->willReturn([]); + $this->request->expects($this->atLeastOnce()) + ->method('getHeader') + ->willReturnMap([ + ['REMOTE_ADDR', '1.1.1.1'], + ['X-Forwarded-Host', 'nextcloud.test'] + ]); + $this->request->expects($this->any()) + ->method('getRemoteAddress') + ->willReturn('1.1.1.1'); + + $this->assertEquals( + SetupResult::WARNING, + $this->check->run()->getSeverity() + ); + } +} From f47a2bbcae72f9fa1e52fe3c28d98b7edfe9535e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Mon, 20 Nov 2023 15:45:46 +0100 Subject: [PATCH 3/6] =?UTF-8?q?Improve=20wrong=20configuration=20error=20m?= =?UTF-8?q?essage=20when=20we=20know=20it=E2=80=99s=20wrong.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/settings/lib/SetupChecks/ForwardedForHeaders.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php index 140888835af7a..5ba966f380b65 100644 --- a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php +++ b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php @@ -64,8 +64,8 @@ public function run(): SetupResult { } if (empty($trustedProxies) && $this->request->getHeader('X-Forwarded-Host') !== '') { - return SetupResult::warning( - $this->l10n->t('The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), + return SetupResult::error( + $this->l10n->t('The reverse proxy header configuration is incorrect. This is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), $this->urlGenerator->linkToDocs('admin-reverse-proxy') ); } From f023216cf47ad2d6e69a16d69718d22e4d06ec2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Mon, 20 Nov 2023 15:52:28 +0100 Subject: [PATCH 4/6] Make it an error if address is not known and we are not in CLI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/settings/lib/SetupChecks/BruteForceThrottler.php | 10 +++++++--- apps/settings/lib/SetupChecks/ForwardedForHeaders.php | 9 +++++++-- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/apps/settings/lib/SetupChecks/BruteForceThrottler.php b/apps/settings/lib/SetupChecks/BruteForceThrottler.php index 6c1efd56bc1b2..88de5c2c82a42 100644 --- a/apps/settings/lib/SetupChecks/BruteForceThrottler.php +++ b/apps/settings/lib/SetupChecks/BruteForceThrottler.php @@ -53,9 +53,13 @@ public function getName(): string { public function run(): SetupResult { $address = $this->request->getRemoteAddress(); if ($address === '') { - return SetupResult::info( - $this->l10n->t('Your remote address could not be determined.') - ); + if (\OC::$CLI) { + /* We were called from CLI */ + return SetupResult::info('Your remote address could not be determined.'); + } else { + /* Should never happen */ + return SetupResult::error('Your remote address could not be determined.'); + } } elseif ($this->throttler->showBruteforceWarning($address)) { return SetupResult::error( $this->l10n->t('Your remote address was identified as "%s" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly.', $address), diff --git a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php index 5ba966f380b65..47ff51ee05eba 100644 --- a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php +++ b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php @@ -59,8 +59,13 @@ public function run(): SetupResult { } if (($remoteAddress === '') && ($this->request->getRemoteAddress() === '')) { - /* Most likely we were called from CLI */ - return SetupResult::info('Your remote address could not be determined.'); + if (\OC::$CLI) { + /* We were called from CLI */ + return SetupResult::info('Your remote address could not be determined.'); + } else { + /* Should never happen */ + return SetupResult::error('Your remote address could not be determined.'); + } } if (empty($trustedProxies) && $this->request->getHeader('X-Forwarded-Host') !== '') { From 1f4e0927ba0fa586830136ff1f40b62a29d6d629 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Mon, 20 Nov 2023 16:12:19 +0100 Subject: [PATCH 5/6] Improve success messages for ForwarderForHeaders setup check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/settings/lib/SetupChecks/BruteForceThrottler.php | 4 ++-- apps/settings/lib/SetupChecks/ForwardedForHeaders.php | 11 ++++++----- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/apps/settings/lib/SetupChecks/BruteForceThrottler.php b/apps/settings/lib/SetupChecks/BruteForceThrottler.php index 88de5c2c82a42..d5d6d42ccba7f 100644 --- a/apps/settings/lib/SetupChecks/BruteForceThrottler.php +++ b/apps/settings/lib/SetupChecks/BruteForceThrottler.php @@ -55,10 +55,10 @@ public function run(): SetupResult { if ($address === '') { if (\OC::$CLI) { /* We were called from CLI */ - return SetupResult::info('Your remote address could not be determined.'); + return SetupResult::info($this->l10n->t('Your remote address could not be determined.')); } else { /* Should never happen */ - return SetupResult::error('Your remote address could not be determined.'); + return SetupResult::error($this->l10n->t('Your remote address could not be determined.')); } } elseif ($this->throttler->showBruteforceWarning($address)) { return SetupResult::error( diff --git a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php index 47ff51ee05eba..fda5f31cee138 100644 --- a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php +++ b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php @@ -53,18 +53,19 @@ public function getName(): string { public function run(): SetupResult { $trustedProxies = $this->config->getSystemValue('trusted_proxies', []); $remoteAddress = $this->request->getHeader('REMOTE_ADDR'); + $detectedRemoteAddress = $this->request->getRemoteAddress(); if (!\is_array($trustedProxies)) { return SetupResult::error($this->l10n->t('Your trusted_proxies setting is not correctly set, it should be an array.')); } - if (($remoteAddress === '') && ($this->request->getRemoteAddress() === '')) { + if (($remoteAddress === '') && ($detectedRemoteAddress === '')) { if (\OC::$CLI) { /* We were called from CLI */ - return SetupResult::info('Your remote address could not be determined.'); + return SetupResult::info($this->l10n->t('Your remote address could not be determined.')); } else { /* Should never happen */ - return SetupResult::error('Your remote address could not be determined.'); + return SetupResult::error($this->l10n->t('Your remote address could not be determined.')); } } @@ -76,9 +77,9 @@ public function run(): SetupResult { } if (\in_array($remoteAddress, $trustedProxies, true) && ($remoteAddress !== '127.0.0.1')) { - if ($remoteAddress !== $this->request->getRemoteAddress()) { + if ($remoteAddress !== $detectedRemoteAddress) { /* Remote address was successfuly fixed */ - return SetupResult::success('Working'); + return SetupResult::success($this->l10n->t('Your IP address was resolved as %s', $detectedRemoteAddress)); } else { return SetupResult::warning( $this->l10n->t('The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), From ad372869bc803c3540fd8657c4fcb643d3db5b08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Mon, 20 Nov 2023 18:03:15 +0100 Subject: [PATCH 6/6] Fix tests for setupchecks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/settings/lib/SetupChecks/BruteForceThrottler.php | 4 ++-- apps/settings/lib/SetupChecks/ForwardedForHeaders.php | 2 +- apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/settings/lib/SetupChecks/BruteForceThrottler.php b/apps/settings/lib/SetupChecks/BruteForceThrottler.php index d5d6d42ccba7f..3fbdf2d788af3 100644 --- a/apps/settings/lib/SetupChecks/BruteForceThrottler.php +++ b/apps/settings/lib/SetupChecks/BruteForceThrottler.php @@ -62,12 +62,12 @@ public function run(): SetupResult { } } elseif ($this->throttler->showBruteforceWarning($address)) { return SetupResult::error( - $this->l10n->t('Your remote address was identified as "%s" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly.', $address), + $this->l10n->t('Your remote address was identified as "%s" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly.', [$address]), $this->urlGenerator->linkToDocs('admin-reverse-proxy') ); } else { return SetupResult::success( - $this->l10n->t('Your remote address "%s" is not bruteforce throttled.', $address) + $this->l10n->t('Your remote address "%s" is not bruteforce throttled.', [$address]) ); } } diff --git a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php index fda5f31cee138..3572feabb1f90 100644 --- a/apps/settings/lib/SetupChecks/ForwardedForHeaders.php +++ b/apps/settings/lib/SetupChecks/ForwardedForHeaders.php @@ -79,7 +79,7 @@ public function run(): SetupResult { if (\in_array($remoteAddress, $trustedProxies, true) && ($remoteAddress !== '127.0.0.1')) { if ($remoteAddress !== $detectedRemoteAddress) { /* Remote address was successfuly fixed */ - return SetupResult::success($this->l10n->t('Your IP address was resolved as %s', $detectedRemoteAddress)); + return SetupResult::success($this->l10n->t('Your IP address was resolved as %s', [$detectedRemoteAddress])); } else { return SetupResult::warning( $this->l10n->t('The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud.'), diff --git a/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php b/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php index 9da2bccda79c7..bacc557490b08 100644 --- a/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php +++ b/apps/settings/tests/SetupChecks/ForwardedForHeadersTest.php @@ -133,7 +133,7 @@ public function testForwardedHostPresentButTrustedProxiesEmpty(): void { ->willReturn('1.1.1.1'); $this->assertEquals( - SetupResult::WARNING, + SetupResult::ERROR, $this->check->run()->getSeverity() ); }