0
0
mirror of https://github.com/nextcloud/server.git synced 2024-12-28 07:58:42 +00:00
nextcloud_server/lib/private/Installer.php
Joas Schilling 07449847e1
fix(appmanager): Fix tainted file path when loading appinfos
Signed-off-by: Joas Schilling <coding@schilljs.com>
2024-10-14 14:33:19 +02:00

591 lines
17 KiB
PHP

<?php
declare(strict_types=1);
/**
* SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors
* SPDX-FileCopyrightText: 2016 ownCloud, Inc.
* SPDX-License-Identifier: AGPL-3.0-only
*/
namespace OC;
use Doctrine\DBAL\Exception\TableExistsException;
use OC\App\AppStore\Bundles\Bundle;
use OC\App\AppStore\Fetcher\AppFetcher;
use OC\AppFramework\Bootstrap\Coordinator;
use OC\Archive\TAR;
use OC\DB\Connection;
use OC\DB\MigrationService;
use OC_App;
use OC_Helper;
use OCP\App\IAppManager;
use OCP\HintException;
use OCP\Http\Client\IClientService;
use OCP\IConfig;
use OCP\ITempManager;
use OCP\Migration\IOutput;
use phpseclib\File\X509;
use Psr\Log\LoggerInterface;
/**
* This class provides the functionality needed to install, update and remove apps
*/
class Installer {
private ?bool $isInstanceReadyForUpdates = null;
private ?array $apps = null;
public function __construct(
private AppFetcher $appFetcher,
private IClientService $clientService,
private ITempManager $tempManager,
private LoggerInterface $logger,
private IConfig $config,
private bool $isCLI,
) {
}
/**
* Installs an app that is located in one of the app folders already
*
* @param string $appId App to install
* @param bool $forceEnable
* @throws \Exception
* @return string app ID
*/
public function installApp(string $appId, bool $forceEnable = false): string {
$app = \OC_App::findAppInDirectories($appId);
if ($app === false) {
throw new \Exception('App not found in any app directory');
}
$basedir = $app['path'] . '/' . $appId;
if (is_file($basedir . '/appinfo/database.xml')) {
throw new \Exception('The appinfo/database.xml file is not longer supported. Used in ' . $appId);
}
$l = \OCP\Util::getL10N('core');
$info = \OCP\Server::get(IAppManager::class)->getAppInfoByPath($basedir . '/appinfo/info.xml', $l->getLanguageCode());
if (!is_array($info)) {
throw new \Exception(
$l->t('App "%s" cannot be installed because appinfo file cannot be read.',
[$appId]
)
);
}
$ignoreMaxApps = $this->config->getSystemValue('app_install_overwrite', []);
$ignoreMax = $forceEnable || in_array($appId, $ignoreMaxApps, true);
$version = implode('.', \OCP\Util::getVersion());
if (!\OC_App::isAppCompatible($version, $info, $ignoreMax)) {
throw new \Exception(
// TODO $l
$l->t('App "%s" cannot be installed because it is not compatible with this version of the server.',
[$info['name']]
)
);
}
// check for required dependencies
\OC_App::checkAppDependencies($this->config, $l, $info, $ignoreMax);
/** @var Coordinator $coordinator */
$coordinator = \OC::$server->get(Coordinator::class);
$coordinator->runLazyRegistration($appId);
\OC_App::registerAutoloading($appId, $basedir);
$previousVersion = $this->config->getAppValue($info['id'], 'installed_version', false);
if ($previousVersion) {
OC_App::executeRepairSteps($appId, $info['repair-steps']['pre-migration']);
}
//install the database
$ms = new MigrationService($info['id'], \OCP\Server::get(Connection::class));
$ms->migrate('latest', !$previousVersion);
if ($previousVersion) {
OC_App::executeRepairSteps($appId, $info['repair-steps']['post-migration']);
}
\OC_App::setupBackgroundJobs($info['background-jobs']);
//run appinfo/install.php
self::includeAppScript($basedir . '/appinfo/install.php');
OC_App::executeRepairSteps($appId, $info['repair-steps']['install']);
$config = \OCP\Server::get(IConfig::class);
//set the installed version
$config->setAppValue($info['id'], 'installed_version', \OCP\Server::get(IAppManager::class)->getAppVersion($info['id'], false));
$config->setAppValue($info['id'], 'enabled', 'no');
//set remote/public handlers
foreach ($info['remote'] as $name => $path) {
$config->setAppValue('core', 'remote_' . $name, $info['id'] . '/' . $path);
}
foreach ($info['public'] as $name => $path) {
$config->setAppValue('core', 'public_' . $name, $info['id'] . '/' . $path);
}
OC_App::setAppTypes($info['id']);
return $info['id'];
}
/**
* Updates the specified app from the appstore
*
* @param bool $allowUnstable Allow unstable releases
*/
public function updateAppstoreApp(string $appId, bool $allowUnstable = false): bool {
if ($this->isUpdateAvailable($appId, $allowUnstable)) {
try {
$this->downloadApp($appId, $allowUnstable);
} catch (\Exception $e) {
$this->logger->error($e->getMessage(), [
'exception' => $e,
]);
return false;
}
return OC_App::updateApp($appId);
}
return false;
}
/**
* Split the certificate file in individual certs
*
* @param string $cert
* @return string[]
*/
private function splitCerts(string $cert): array {
preg_match_all('([\-]{3,}[\S\ ]+?[\-]{3,}[\S\s]+?[\-]{3,}[\S\ ]+?[\-]{3,})', $cert, $matches);
return $matches[0];
}
/**
* Downloads an app and puts it into the app directory
*
* @param string $appId
* @param bool [$allowUnstable]
*
* @throws \Exception If the installation was not successful
*/
public function downloadApp(string $appId, bool $allowUnstable = false): void {
$appId = strtolower($appId);
$apps = $this->appFetcher->get($allowUnstable);
foreach ($apps as $app) {
if ($app['id'] === $appId) {
// Load the certificate
$certificate = new X509();
$rootCrt = file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt');
$rootCrts = $this->splitCerts($rootCrt);
foreach ($rootCrts as $rootCrt) {
$certificate->loadCA($rootCrt);
}
$loadedCertificate = $certificate->loadX509($app['certificate']);
// Verify if the certificate has been revoked
$crl = new X509();
foreach ($rootCrts as $rootCrt) {
$crl->loadCA($rootCrt);
}
$crl->loadCRL(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crl'));
if ($crl->validateSignature() !== true) {
throw new \Exception('Could not validate CRL signature');
}
$csn = $loadedCertificate['tbsCertificate']['serialNumber']->toString();
$revoked = $crl->getRevoked($csn);
if ($revoked !== false) {
throw new \Exception(
sprintf(
'Certificate "%s" has been revoked',
$csn
)
);
}
// Verify if the certificate has been issued by the Nextcloud Code Authority CA
if ($certificate->validateSignature() !== true) {
throw new \Exception(
sprintf(
'App with id %s has a certificate not issued by a trusted Code Signing Authority',
$appId
)
);
}
// Verify if the certificate is issued for the requested app id
$certInfo = openssl_x509_parse($app['certificate']);
if (!isset($certInfo['subject']['CN'])) {
throw new \Exception(
sprintf(
'App with id %s has a cert with no CN',
$appId
)
);
}
if ($certInfo['subject']['CN'] !== $appId) {
throw new \Exception(
sprintf(
'App with id %s has a cert issued to %s',
$appId,
$certInfo['subject']['CN']
)
);
}
// Download the release
$tempFile = $this->tempManager->getTemporaryFile('.tar.gz');
$timeout = $this->isCLI ? 0 : 120;
$client = $this->clientService->newClient();
$client->get($app['releases'][0]['download'], ['sink' => $tempFile, 'timeout' => $timeout]);
// Check if the signature actually matches the downloaded content
$certificate = openssl_get_publickey($app['certificate']);
$verified = openssl_verify(file_get_contents($tempFile), base64_decode($app['releases'][0]['signature']), $certificate, OPENSSL_ALGO_SHA512) === 1;
if ($verified === true) {
// Seems to match, let's proceed
$extractDir = $this->tempManager->getTemporaryFolder();
$archive = new TAR($tempFile);
if (!$archive->extract($extractDir)) {
$errorMessage = 'Could not extract app ' . $appId;
$archiveError = $archive->getError();
if ($archiveError instanceof \PEAR_Error) {
$errorMessage .= ': ' . $archiveError->getMessage();
}
throw new \Exception($errorMessage);
}
$allFiles = scandir($extractDir);
$folders = array_diff($allFiles, ['.', '..']);
$folders = array_values($folders);
if (count($folders) < 1) {
throw new \Exception(
sprintf(
'Extracted app %s has no folders',
$appId
)
);
}
if (count($folders) > 1) {
throw new \Exception(
sprintf(
'Extracted app %s has more than 1 folder',
$appId
)
);
}
// Check if appinfo/info.xml has the same app ID as well
$xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
if ($xml === false) {
throw new \Exception(
sprintf(
'Failed to load info.xml for app id %s',
$appId,
)
);
}
if ((string)$xml->id !== $appId) {
throw new \Exception(
sprintf(
'App for id %s has a wrong app ID in info.xml: %s',
$appId,
(string)$xml->id
)
);
}
// Check if the version is lower than before
$currentVersion = \OCP\Server::get(IAppManager::class)->getAppVersion($appId, true);
$newVersion = (string)$xml->version;
if (version_compare($currentVersion, $newVersion) === 1) {
throw new \Exception(
sprintf(
'App for id %s has version %s and tried to update to lower version %s',
$appId,
$currentVersion,
$newVersion
)
);
}
$baseDir = OC_App::getInstallPath() . '/' . $appId;
// Remove old app with the ID if existent
OC_Helper::rmdirr($baseDir);
// Move to app folder
if (@mkdir($baseDir)) {
$extractDir .= '/' . $folders[0];
OC_Helper::copyr($extractDir, $baseDir);
}
OC_Helper::copyr($extractDir, $baseDir);
OC_Helper::rmdirr($extractDir);
return;
}
// Signature does not match
throw new \Exception(
sprintf(
'App with id %s has invalid signature',
$appId
)
);
}
}
throw new \Exception(
sprintf(
'Could not download app %s',
$appId
)
);
}
/**
* Check if an update for the app is available
*
* @param string $appId
* @param bool $allowUnstable
* @return string|false false or the version number of the update
*/
public function isUpdateAvailable($appId, $allowUnstable = false): string|false {
if ($this->isInstanceReadyForUpdates === null) {
$installPath = OC_App::getInstallPath();
if ($installPath === null) {
$this->isInstanceReadyForUpdates = false;
} else {
$this->isInstanceReadyForUpdates = true;
}
}
if ($this->isInstanceReadyForUpdates === false) {
return false;
}
if ($this->isInstalledFromGit($appId) === true) {
return false;
}
if ($this->apps === null) {
$this->apps = $this->appFetcher->get($allowUnstable);
}
foreach ($this->apps as $app) {
if ($app['id'] === $appId) {
$currentVersion = \OCP\Server::get(IAppManager::class)->getAppVersion($appId, true);
if (!isset($app['releases'][0]['version'])) {
return false;
}
$newestVersion = $app['releases'][0]['version'];
if ($currentVersion !== '0' && version_compare($newestVersion, $currentVersion, '>')) {
return $newestVersion;
} else {
return false;
}
}
}
return false;
}
/**
* Check if app has been installed from git
*
* The function will check if the path contains a .git folder
*/
private function isInstalledFromGit(string $appId): bool {
$app = \OC_App::findAppInDirectories($appId);
if ($app === false) {
return false;
}
$basedir = $app['path'] . '/' . $appId;
return file_exists($basedir . '/.git/');
}
/**
* Check if app is already downloaded
*
* The function will check if the app is already downloaded in the apps repository
*/
public function isDownloaded(string $name): bool {
foreach (\OC::$APPSROOTS as $dir) {
$dirToTest = $dir['path'];
$dirToTest .= '/';
$dirToTest .= $name;
$dirToTest .= '/';
if (is_dir($dirToTest)) {
return true;
}
}
return false;
}
/**
* Removes an app
*
* This function works as follows
* -# call uninstall repair steps
* -# removing the files
*
* The function will not delete preferences, tables and the configuration,
* this has to be done by the function oc_app_uninstall().
*/
public function removeApp(string $appId): bool {
if ($this->isDownloaded($appId)) {
if (\OCP\Server::get(IAppManager::class)->isShipped($appId)) {
return false;
}
$appDir = OC_App::getInstallPath() . '/' . $appId;
OC_Helper::rmdirr($appDir);
return true;
} else {
$this->logger->error('can\'t remove app ' . $appId . '. It is not installed.');
return false;
}
}
/**
* Installs the app within the bundle and marks the bundle as installed
*
* @throws \Exception If app could not get installed
*/
public function installAppBundle(Bundle $bundle): void {
$appIds = $bundle->getAppIdentifiers();
foreach ($appIds as $appId) {
if (!$this->isDownloaded($appId)) {
$this->downloadApp($appId);
}
$this->installApp($appId);
$app = new OC_App();
$app->enable($appId);
}
$bundles = json_decode($this->config->getAppValue('core', 'installed.bundles', json_encode([])), true);
$bundles[] = $bundle->getIdentifier();
$this->config->setAppValue('core', 'installed.bundles', json_encode($bundles));
}
/**
* Installs shipped apps
*
* This function installs all apps found in the 'apps' directory that should be enabled by default;
* @param bool $softErrors When updating we ignore errors and simply log them, better to have a
* working ownCloud at the end instead of an aborted update.
* @return array Array of error messages (appid => Exception)
*/
public static function installShippedApps(bool $softErrors = false, ?IOutput $output = null): array {
if ($output instanceof IOutput) {
$output->debug('Installing shipped apps');
}
$appManager = \OCP\Server::get(IAppManager::class);
$config = \OCP\Server::get(IConfig::class);
$errors = [];
foreach (\OC::$APPSROOTS as $app_dir) {
if ($dir = opendir($app_dir['path'])) {
while (false !== ($filename = readdir($dir))) {
if ($filename[0] !== '.' and is_dir($app_dir['path'] . "/$filename")) {
if (file_exists($app_dir['path'] . "/$filename/appinfo/info.xml")) {
if ($config->getAppValue($filename, 'installed_version', null) === null) {
$enabled = $appManager->isDefaultEnabled($filename);
if (($enabled || in_array($filename, $appManager->getAlwaysEnabledApps()))
&& $config->getAppValue($filename, 'enabled') !== 'no') {
if ($softErrors) {
try {
Installer::installShippedApp($filename, $output);
} catch (HintException $e) {
if ($e->getPrevious() instanceof TableExistsException) {
$errors[$filename] = $e;
continue;
}
throw $e;
}
} else {
Installer::installShippedApp($filename, $output);
}
$config->setAppValue($filename, 'enabled', 'yes');
}
}
}
}
}
closedir($dir);
}
}
return $errors;
}
/**
* install an app already placed in the app folder
*/
public static function installShippedApp(string $app, ?IOutput $output = null): string|false {
if ($output instanceof IOutput) {
$output->debug('Installing ' . $app);
}
$appManager = \OCP\Server::get(IAppManager::class);
$config = \OCP\Server::get(IConfig::class);
$appPath = $appManager->getAppPath($app);
\OC_App::registerAutoloading($app, $appPath);
$ms = new MigrationService($app, \OCP\Server::get(Connection::class));
if ($output instanceof IOutput) {
$ms->setOutput($output);
}
$previousVersion = $config->getAppValue($app, 'installed_version', false);
$ms->migrate('latest', !$previousVersion);
//run appinfo/install.php
self::includeAppScript("$appPath/appinfo/install.php");
$info = \OCP\Server::get(IAppManager::class)->getAppInfo($app);
if (is_null($info)) {
return false;
}
if ($output instanceof IOutput) {
$output->debug('Registering tasks of ' . $app);
}
\OC_App::setupBackgroundJobs($info['background-jobs']);
OC_App::executeRepairSteps($app, $info['repair-steps']['install']);
$config->setAppValue($app, 'installed_version', \OCP\Server::get(IAppManager::class)->getAppVersion($app));
if (array_key_exists('ocsid', $info)) {
$config->setAppValue($app, 'ocsid', $info['ocsid']);
}
//set remote/public handlers
foreach ($info['remote'] as $name => $path) {
$config->setAppValue('core', 'remote_' . $name, $app . '/' . $path);
}
foreach ($info['public'] as $name => $path) {
$config->setAppValue('core', 'public_' . $name, $app . '/' . $path);
}
OC_App::setAppTypes($info['id']);
return $info['id'];
}
private static function includeAppScript(string $script): void {
if (file_exists($script)) {
include $script;
}
}
}