Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use HSTS when doing request with the HttpClient #34553

Closed
wants to merge 2 commits into from
Closed

use HSTS when doing request with the HttpClient #34553

wants to merge 2 commits into from

Conversation

rullzer
Copy link
Member

@rullzer rullzer commented Oct 12, 2022

Time to ensure that if a server we talk to supports HSTS we actually store this info and use it.

Help and commits to this branch are appreciated.

TODO

  • cleanup ;)

Future work:

  • Use preload list
  • Extract HSTS logic a bit more (maybe add a public itnerface somewhere?)
  • Use for other clients as well

@rullzer
use HSTS when doing request with the HttpClient
8237712 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer rullzer added this to the Nextcloud 26 milestone Oct 12, 2022
@rullzer rullzer added 2. developing Work in progress and removed 3. to review Waiting for reviews labels Oct 12, 2022
CarlSchwan
CarlSchwan reviewed Oct 12, 2022
View reviewed changes
lib/private/Http/Client/HSTSStore.php

$expires = $this->timeFactory->getTime() + $maxAge;

$qb = $this->db->getQueryBuilder();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we maybe make hosts unique and if we get an unique exeption when trying to insert then we try updating. Save one DB query in some cases

Also we probably should try to catch data races

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/nextcloud/server/pull/34553/files#diff-07c117b72c7077964af8f2059557c552e79c4ef1b291d64cfece7b209204096aR74 it is unique

github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 12, 2022
View reviewed changes
core/Migrations/Version26000Date20221011203714.php Fixed Show resolved Hide resolved
core/Migrations/Version26000Date20221011203714.php
* @param array $options
* @return null|ISchemaWrapper
*/
public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {

Check failure

Code scanning / Psalm

MoreSpecificImplementedParamType

Argument 2 of OC\Core\Migrations\Version26000Date20221011203714::changeSchema has the more specific type 'Closure():OCP\DB\ISchemaWrapper', expecting 'Closure' as defined by OCP\Migration\SimpleMigrationStep::changeSchema
core/Migrations/Version26000Date20221011203714.php Fixed Show fixed Hide fixed
lib/private/Http/Client/HSTSStore.php

if ($data !== false
&& $this->timeFactory->getTime() < $data['expires']
&& (!$includeSubdomain || ($includeSubdomain && $data['includeSubdomains']))

Check failure

Code scanning / Psalm

RedundantCondition

Type true for $includeSubdomain is never falsy
nickvergessen
nickvergessen reviewed Oct 12, 2022
View reviewed changes
lib/private/Http/Client/HSTSMiddleware.php

$request = $this->handleHSTSRewrite($request);

$this->logger->warning("GONNA REQUEST");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

debug

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah plenty of those

nickvergessen
nickvergessen reviewed Oct 12, 2022
View reviewed changes
lib/private/Http/Client/HSTSMiddleware.php

return $handler($request, $options)
->then(function (ResponseInterface $response) use ($request) {
$this->logger->error("GOT RESPONSE");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

debug

@blizzz blizzz mentioned this pull request Feb 1, 2023
Merged
@skjnldsv skjnldsv mentioned this pull request Feb 23, 2023
Merged
@blizzz blizzz mentioned this pull request Mar 7, 2023
Merged
@blizzz blizzz modified the milestones: Nextcloud 26, Nextcloud 27 Mar 9, 2023
This was referenced May 3, 2023
Merged
Closed
Merged
@skjnldsv skjnldsv modified the milestones: Nextcloud 27, Nextcloud 28 May 9, 2023
@skjnldsv skjnldsv mentioned this pull request Nov 1, 2023
Merged
This was referenced Nov 6, 2023
Merged
Merged
This was referenced Nov 14, 2023
Merged
Merged
@blizzz blizzz modified the milestones: Nextcloud 28, Nextcloud 29 Nov 23, 2023
@Altahrim Altahrim mentioned this pull request Mar 12, 2024
Merged
This was referenced Mar 14, 2024
Merged
Merged
Merged
@Altahrim Altahrim mentioned this pull request Mar 25, 2024
Merged
@skjnldsv skjnldsv mentioned this pull request Mar 28, 2024
Merged
81 tasks
@skjnldsv skjnldsv modified the milestones: Nextcloud 29, Nextcloud 30 Mar 28, 2024
This was referenced Jul 30, 2024
Merged
Merged
@Altahrim Altahrim mentioned this pull request Aug 5, 2024
Merged
@skjnldsv skjnldsv modified the milestones: Nextcloud 30, Nextcloud 31 Aug 6, 2024
@skjnldsv skjnldsv closed this Aug 14, 2024
@skjnldsv skjnldsv removed this from the Nextcloud 31 milestone Aug 14, 2024
@skjnldsv skjnldsv deleted the use_HSTS branch August 30, 2024 07:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nickvergessen nickvergessen nickvergessen left review comments

@CarlSchwan CarlSchwan CarlSchwan left review comments

Assignees
No one assigned
Labels
2. developing Work in progress enhancement security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@rullzer @nickvergessen @CarlSchwan @blizzz @skjnldsv