diff --git a/go.mod b/go.mod
index 7610eef3c5..0a236aa1b3 100644
--- a/go.mod
+++ b/go.mod
@@ -65,7 +65,7 @@ require (
 github.com/open-policy-agent/opa v1.15.2
 github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20260310090739-853d972b282d
- github.com/opencloud-eu/reva/v2 v2.43.1-0.20260427134526-f55e0775a1a4
+ github.com/opencloud-eu/reva/v2 v2.43.1-0.20260428125302-b94a4bd193be
 github.com/opensearch-project/opensearch-go/v4 v4.6.0
 github.com/orcaman/concurrent-map v1.0.0
 github.com/pkg/errors v0.9.1
@@ -124,7 +124,7 @@ require (
 contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect
 filippo.io/edwards25519 v1.1.1 // indirect
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
- github.com/Azure/go-ntlmssp v0.1.0 // indirect
+ github.com/Azure/go-ntlmssp v0.1.1 // indirect
 github.com/BurntSushi/toml v1.6.0 // indirect
 github.com/Masterminds/goutils v1.1.1 // indirect
 github.com/Masterminds/semver/v3 v3.4.0 // indirect
@@ -376,9 +376,9 @@ require (
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 github.com/yashtewari/glob-intersection v0.2.0 // indirect
 github.com/yusufpapurcu/wmi v1.2.4 // indirect
- go.etcd.io/etcd/api/v3 v3.6.8 // indirect
- go.etcd.io/etcd/client/pkg/v3 v3.6.8 // indirect
- go.etcd.io/etcd/client/v3 v3.6.8 // indirect
+ go.etcd.io/etcd/api/v3 v3.6.10 // indirect
+ go.etcd.io/etcd/client/pkg/v3 v3.6.10 // indirect
+ go.etcd.io/etcd/client/v3 v3.6.10 // indirect
 go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
diff --git a/go.sum b/go.sum
index c90f9b09c4..2f1e645d34 100644
--- a/go.sum
+++ b/go.sum
@@ -62,8 +62,8 @@ github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQ github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= github.com/Azure/go-autorest/tracing v0.1.0/go.mod h1:ROEEAFwXycQw7Sn3DXNtEedEvdeRAgDr0izn4z5Ij88= github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= -github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+A= -github.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk= +github.com/Azure/go-ntlmssp v0.1.1 h1:l+FM/EEMb0U9QZE7mKNEDw5Mu3mFiaa2GKOoTSsNDPw= +github.com/Azure/go-ntlmssp v0.1.1/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk= github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= 
@@ -952,8 +952,8 @@ github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9 h1:dIft github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9/go.mod h1:JWyDC6H+5oZRdUJUgKuaye+8Ph5hEs6HVzVoPKzWSGI= github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20260310090739-853d972b282d h1:JcqGDiyrcaQwVyV861TUyQgO7uEmsjkhfm7aQd84dOw= github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20260310090739-853d972b282d/go.mod h1:pzatilMEHZFT3qV7C/X3MqOa3NlRQuYhlRhZTL+hN6Q= -github.com/opencloud-eu/reva/v2 v2.43.1-0.20260427134526-f55e0775a1a4 h1:ZMpTq6CWNuO1zkNys8MXMzihhWdH/TKq2aQIfa1kz0c= -github.com/opencloud-eu/reva/v2 v2.43.1-0.20260427134526-f55e0775a1a4/go.mod h1:msu4TkFw7Jxog0QRbGPxyQOJG9sago5nc+f//y+bbpI= +github.com/opencloud-eu/reva/v2 v2.43.1-0.20260428125302-b94a4bd193be h1:484jMXXoGFmOA6ll4AoBb5FTzBDHv4QNtmupfZ0mnk4= +github.com/opencloud-eu/reva/v2 v2.43.1-0.20260428125302-b94a4bd193be/go.mod h1:mBKl0Qc+fG/xkWbp79QfbTlq8Ao5JTJcZaTRo1dTwfo= github.com/opencloud-eu/secure v0.0.0-20260312082735-b6f5cb2244e4 h1:l2oB/RctH+t8r7QBj5p8thfEHCM/jF35aAY3WQ3hADI= github.com/opencloud-eu/secure v0.0.0-20260312082735-b6f5cb2244e4/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 
@@ -1278,12 +1278,12 @@ github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQ go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo= go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E= -go.etcd.io/etcd/api/v3 v3.6.8 h1:gqb1VN92TAI6G2FiBvWcqKtHiIjr4SU2GdXxTwyexbM= -go.etcd.io/etcd/api/v3 v3.6.8/go.mod h1:qyQj1HZPUV3B5cbAL8scG62+fyz5dSxxu0w8pn28N6Q= -go.etcd.io/etcd/client/pkg/v3 v3.6.8 h1:Qs/5C0LNFiqXxYf2GU8MVjYUEXJ6sZaYOz0zEqQgy50= -go.etcd.io/etcd/client/pkg/v3 v3.6.8/go.mod h1:GsiTRUZE2318PggZkAo6sWb6l8JLVrnckTNfbG8PWtw= -go.etcd.io/etcd/client/v3 v3.6.8 h1:B3G76t1UykqAOrbio7s/EPatixQDkQBevN8/mwiplrY= -go.etcd.io/etcd/client/v3 v3.6.8/go.mod h1:MVG4BpSIuumPi+ELF7wYtySETmoTWBHVcDoHdVupwt8= +go.etcd.io/etcd/api/v3 v3.6.10 h1:jlwjtELjA8yi2VWpOFH+0w0lGr3K6mVDyn0RDB9aaAY= +go.etcd.io/etcd/api/v3 v3.6.10/go.mod h1:pdV4VeFmvhdNjB4LWRkC8ReLyRBAxUOze3GarMhE2sk= +go.etcd.io/etcd/client/pkg/v3 v3.6.10 h1:tBT7podcPhuVbCVkAEzx8bC5I+aqxfLwBN8/As1arrA= +go.etcd.io/etcd/client/pkg/v3 v3.6.10/go.mod h1:WEy3PpwbbEBVRdh1NVJYsuUe/8eyI21PNJRazeD8z/Y= +go.etcd.io/etcd/client/v3 v3.6.10 h1:J598zJ+C/ZPvImypmq5waj84+bovePrlZERHklf34y0= +go.etcd.io/etcd/client/v3 v3.6.10/go.mod h1:iHhUDUcEwaKs1YFq3MgmI9U4zhTVasp/vgdVbFf1RS8= go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= diff --git a/tests/acceptance/features/coreApiAuth/webDavPROPPATCHAuth.feature b/tests/acceptance/features/coreApiAuth/webDavPROPPATCHAuth.feature index cea1206e33..ffa0f68fce 100644 --- a/tests/acceptance/features/coreApiAuth/webDavPROPPATCHAuth.feature +++ b/tests/acceptance/features/coreApiAuth/webDavPROPPATCHAuth.feature 
@@ -42,24 +42,6 @@ Feature: PROPPATCH file/folder | /dav/spaces/%spaceid%/PARENT/parent.txt | Then the HTTP status code of responses on all endpoints should be "401" - @issue-1347 @issue-1292 - Scenario: send PROPPATCH requests to another user's webDav endpoints as normal user - When user "Brian" requests these endpoints with "PROPPATCH" to set property "favorite" about user "Alice" - | endpoint | - | /dav/files/%username%/textfile0.txt | - | /dav/files/%username%/PARENT | - | /dav/files/%username%/PARENT/parent.txt | - Then the HTTP status code of responses on all endpoints should be "404" - - @issue-1347 @issue-1292 - Scenario: send PROPPATCH requests to another user's webDav endpoints as normal user using the spaces WebDAV API - When user "Brian" requests these endpoints with "PROPPATCH" to set property "favorite" about user "Alice" - | endpoint | - | /dav/spaces/%spaceid%/textfile0.txt | - | /dav/spaces/%spaceid%/PARENT | - | /dav/spaces/%spaceid%/PARENT/parent.txt | - Then the HTTP status code of responses on all endpoints should be "404" - Scenario: send PROPPATCH requests to webDav endpoints using invalid username but correct password When user "usero" requests these endpoints with "PROPPATCH" including body "doesnotmatter" using the password of user "Alice" diff --git a/vendor/github.com/Azure/go-ntlmssp/varfield.go b/vendor/github.com/Azure/go-ntlmssp/varfield.go index 7e2433216d..2900a083a1 100644 --- a/vendor/github.com/Azure/go-ntlmssp/varfield.go +++ b/vendor/github.com/Azure/go-ntlmssp/varfield.go 
@@ -14,10 +14,14 @@ type varField struct {
 }
 func (f varField) ReadFrom(buffer []byte) ([]byte, error) {
- if len(buffer) < int(f.BufferOffset+uint32(f.Len)) {
+ // f.Len is controlled by the sender, so we need to check that
+ // it doesn't cause an overflow when added to f.BufferOffset.
+ start := uint64(f.BufferOffset)
+ end := start + uint64(f.Len)
+ if end < start || end > uint64(len(buffer)) {
 return nil, errors.New("error reading data, varField extends beyond buffer")
 }
- return buffer[f.BufferOffset : f.BufferOffset+uint32(f.Len)], nil
+ return buffer[int(start):int(end)], nil
 }
 func (f varField) ReadStringFrom(buffer []byte, unicode bool) (string, error) {
diff --git a/vendor/github.com/opencloud-eu/reva/v2/internal/http/services/owncloud/ocdav/proppatch.go b/vendor/github.com/opencloud-eu/reva/v2/internal/http/services/owncloud/ocdav/proppatch.go
index 1c1f9797b9..3a2df9496a 100644
--- a/vendor/github.com/opencloud-eu/reva/v2/internal/http/services/owncloud/ocdav/proppatch.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/internal/http/services/owncloud/ocdav/proppatch.go
@@ -155,6 +155,13 @@ func (s *svc) handleProppatch(ctx context.Context, w http.ResponseWriter, r *htt
 }
 for j := range patches[i].Props {
 propNameXML := patches[i].Props[j].XMLName
+
+ // favorites are now managed by the Graph API and can no longer be set using PROPPATCH. To avoid confusion, we return a 403 Forbidden when clients try to set the oc:favorites property
+ if propNameXML.Local == "favorite" {
+ w.WriteHeader(http.StatusForbidden)
+ return nil, nil, false
+ }
+
 // don't use path.Join. It removes the double slash! concatenate with a /
 key := fmt.Sprintf("%s/%s", patches[i].Props[j].XMLName.Space, patches[i].Props[j].XMLName.Local)
 value := string(patches[i].Props[j].InnerXML)
diff --git a/vendor/github.com/opencloud-eu/reva/v2/pkg/storage/fs/posix/idcache/idcache.go b/vendor/github.com/opencloud-eu/reva/v2/pkg/storage/fs/posix/idcache/idcache.go
index bff9f0e5d8..0228dd5d7d 100644
--- a/vendor/github.com/opencloud-eu/reva/v2/pkg/storage/fs/posix/idcache/idcache.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/pkg/storage/fs/posix/idcache/idcache.go
@@ -65,12 +65,12 @@ func (c *IDCache) DeleteByPath(ctx context.Context, path string) error {
 } else {
 err := c.kv.Purge(ctx, baseKey)
 if err != nil && err != nats.ErrKeyNotFound {
- appctx.GetLogger(ctx).Error().Err(err).Str("record", path).Str("spaceID", spaceID).Str("nodeID", nodeID).Msg("could not get spaceID and nodeID from cache")
+ appctx.GetLogger(ctx).Error().Err(err).Str("record", baseKey).Str("spaceID", spaceID).Str("nodeID", nodeID).Msg("could not purge from cache")
 }
 err = c.kv.Purge(ctx, cacheKey(spaceID, nodeID))
 if err != nil && err != nats.ErrKeyNotFound {
- appctx.GetLogger(ctx).Error().Err(err).Str("record", path).Str("spaceID", spaceID).Str("nodeID", nodeID).Msg("could not get spaceID and nodeID from cache")
+ appctx.GetLogger(ctx).Error().Err(err).Str("record", cacheKey(spaceID, nodeID)).Str("spaceID", spaceID).Str("nodeID", nodeID).Msg("could not purge from cache")
 }
 }
@@ -85,7 +85,6 @@ func (c *IDCache) DeleteByPath(ctx context.Context, path string) error {
 break
 }
 key := update.Key()
-
 spaceID, nodeID, ok := c.getByReverseCacheKey(ctx, key)
 if !ok {
 appctx.GetLogger(ctx).Error().Str("record", key).Msg("could not get spaceID and nodeID from cache")
@@ -94,12 +93,12 @@ func (c *IDCache) DeleteByPath(ctx context.Context, path string) error {
 err := c.kv.Purge(ctx, key)
 if err != nil && err != nats.ErrKeyNotFound {
- appctx.GetLogger(ctx).Error().Err(err).Str("record", key).Str("spaceID", spaceID).Str("nodeID", nodeID).Msg("could not get spaceID and nodeID from cache")
+ appctx.GetLogger(ctx).Error().Err(err).Str("record", key).Str("spaceID", spaceID).Str("nodeID", nodeID).Msg("could not purge from cache")
 }
 err = c.kv.Purge(ctx, cacheKey(spaceID, nodeID))
 if err != nil && err != nats.ErrKeyNotFound {
- appctx.GetLogger(ctx).Error().Err(err).Str("record", key).Str("spaceID", spaceID).Str("nodeID", nodeID).Msg("could not get spaceID and nodeID from cache")
+ appctx.GetLogger(ctx).Error().Err(err).Str("record", cacheKey(spaceID, nodeID)).Str("spaceID", spaceID).Str("nodeID", nodeID).Msg("could not purge from cache")
 }
 }
 return nil
diff --git a/vendor/github.com/opencloud-eu/reva/v2/pkg/storage/fs/posix/tree/tree.go b/vendor/github.com/opencloud-eu/reva/v2/pkg/storage/fs/posix/tree/tree.go
index 39124887f0..ff510bbc26 100644
--- a/vendor/github.com/opencloud-eu/reva/v2/pkg/storage/fs/posix/tree/tree.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/pkg/storage/fs/posix/tree/tree.go
@@ -37,7 +37,6 @@ import (
 "go.opentelemetry.io/otel/trace"
 "golang.org/x/sync/errgroup"
- user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 "github.com/opencloud-eu/reva/v2/pkg/errtypes"
@@ -813,11 +812,3 @@ func isLockFile(path string) bool {
 func isTrash(path string) bool {
 return strings.HasSuffix(path, ".trashinfo") || strings.HasSuffix(path, ".trashitem") || strings.Contains(path, ".Trash")
 }
-
- func (t *Tree) AddLabel(ctx context.Context, ref *provider.Reference, userID *user.UserId, label string) error {
- return errtypes.NotSupported("AddLabel not implemented")
- }
-
- func (t *Tree) RemoveLabel(ctx context.Context, ref *provider.Reference, userID *user.UserId, label string) error {
- return errtypes.NotSupported("RemoveLabel not implemented")
- }
diff --git a/vendor/go.etcd.io/etcd/api/v3/version/version.go b/vendor/go.etcd.io/etcd/api/v3/version/version.go
index cd0b63ea67..618f1f1b20 100644
--- a/vendor/go.etcd.io/etcd/api/v3/version/version.go
+++ b/vendor/go.etcd.io/etcd/api/v3/version/version.go
@@ -26,7 +26,7 @@ import (
 var (
 // MinClusterVersion is the min cluster version this etcd binary is compatible with.
 MinClusterVersion = "3.0.0"
- Version = "3.6.8"
+ Version = "3.6.10"
 APIVersion = "unknown"
 // Git SHA Value will be set during build
diff --git a/vendor/go.etcd.io/etcd/client/v3/internal/resolver/resolver.go b/vendor/go.etcd.io/etcd/client/v3/internal/resolver/resolver.go
index 403b745cb7..c7f9fb1aee 100644
--- a/vendor/go.etcd.io/etcd/client/v3/internal/resolver/resolver.go
+++ b/vendor/go.etcd.io/etcd/client/v3/internal/resolver/resolver.go
@@ -60,7 +60,7 @@ func (r *EtcdManualResolver) SetEndpoints(endpoints []string) {
 }
 func (r EtcdManualResolver) updateState() {
- if r.CC != nil {
+ if getCC(r) != nil {
 eps := make([]resolver.Endpoint, len(r.endpoints))
 for i, ep := range r.endpoints {
 addr, serverName := endpoint.Interpret(ep)
@@ -75,3 +75,13 @@ func (r EtcdManualResolver) updateState() {
 r.UpdateState(state)
 }
 }
+
+ func getCC(r EtcdManualResolver) (cc resolver.ClientConn) {
+ defer func() {
+ if rec := recover(); rec != nil {
+ cc = nil
+ }
+ }()
+
+ return r.CC()
+ }
diff --git a/vendor/go.etcd.io/etcd/client/v3/retry_interceptor.go b/vendor/go.etcd.io/etcd/client/v3/retry_interceptor.go
index 7703e673b0..9b4bd0219b 100644
--- a/vendor/go.etcd.io/etcd/client/v3/retry_interceptor.go
+++ b/vendor/go.etcd.io/etcd/client/v3/retry_interceptor.go
@@ -28,6 +28,7 @@ import (
 "google.golang.org/grpc"
 "google.golang.org/grpc/codes"
 "google.golang.org/grpc/metadata"
+ "google.golang.org/grpc/peer"
 "google.golang.org/grpc/status"
 "go.etcd.io/etcd/api/v3/v3rpc/rpctypes"
@@ -42,6 +43,8 @@ func (c *Client) unaryClientInterceptor(optFuncs ...retryOption) grpc.UnaryClien
 return func(ctx context.Context, method string, req, reply any, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
 ctx = withVersion(ctx)
 grpcOpts, retryOpts := filterCallOptions(opts)
+ var p peer.Peer
+ grpcOpts = append(grpcOpts, grpc.Peer(&p))
 callOpts := reuseOrNewWithCallOptions(intOpts, retryOpts)
 // short circuit for simplicity, and avoiding allocations.
 if callOpts.max == 0 {
@@ -65,6 +68,7 @@ func (c *Client) unaryClientInterceptor(optFuncs ...retryOption) grpc.UnaryClien
 c.GetLogger().Warn(
 "retrying of unary invoker failed",
 zap.String("target", cc.Target()),
+ zap.String("peer", p.String()),
 zap.String("method", method),
 zap.Uint("attempt", attempt),
 zap.Error(lastErr),
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 7cba8a563b..28a619a997 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -12,7 +12,7 @@ filippo.io/edwards25519/field ## explicit; go 1.16 github.com/Azure/go-ansiterm github.com/Azure/go-ansiterm/winterm -# github.com/Azure/go-ntlmssp v0.1.0 +# github.com/Azure/go-ntlmssp v0.1.1 ## explicit; go 1.24 github.com/Azure/go-ntlmssp github.com/Azure/go-ntlmssp/internal/md4
@@ -1371,7 +1371,7 @@ github.com/opencloud-eu/icap-client # github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20260310090739-853d972b282d ## explicit; go 1.18 github.com/opencloud-eu/libre-graph-api-go -# github.com/opencloud-eu/reva/v2 v2.43.1-0.20260427134526-f55e0775a1a4 +# github.com/opencloud-eu/reva/v2 v2.43.1-0.20260428125302-b94a4bd193be ## explicit; go 1.25.0 github.com/opencloud-eu/reva/v2/cmd/revad/internal/grace github.com/opencloud-eu/reva/v2/cmd/revad/runtime @@ -2262,8 +2262,8 @@ go.etcd.io/bbolt go.etcd.io/bbolt/errors go.etcd.io/bbolt/internal/common go.etcd.io/bbolt/internal/freelist -# go.etcd.io/etcd/api/v3 v3.6.8 -## explicit; go 1.24.0 +# go.etcd.io/etcd/api/v3 v3.6.10 +## explicit; go 1.25.0 go.etcd.io/etcd/api/v3/authpb go.etcd.io/etcd/api/v3/etcdserverpb go.etcd.io/etcd/api/v3/membershippb @@ -2271,8 +2271,8 @@ go.etcd.io/etcd/api/v3/mvccpb go.etcd.io/etcd/api/v3/v3rpc/rpctypes go.etcd.io/etcd/api/v3/version go.etcd.io/etcd/api/v3/versionpb -# go.etcd.io/etcd/client/pkg/v3 v3.6.8 -## explicit; go 1.24.0 +# go.etcd.io/etcd/client/pkg/v3 v3.6.10 +## explicit; go 1.25.0 go.etcd.io/etcd/client/pkg/v3/fileutil go.etcd.io/etcd/client/pkg/v3/logutil go.etcd.io/etcd/client/pkg/v3/systemd @@ -2280,8 +2280,8 @@ go.etcd.io/etcd/client/pkg/v3/tlsutil go.etcd.io/etcd/client/pkg/v3/transport go.etcd.io/etcd/client/pkg/v3/types go.etcd.io/etcd/client/pkg/v3/verify -# go.etcd.io/etcd/client/v3 v3.6.8 -## explicit; go 1.24.0 +# go.etcd.io/etcd/client/v3 v3.6.10 +## explicit; go 1.25.0 go.etcd.io/etcd/client/v3 go.etcd.io/etcd/client/v3/credentials go.etcd.io/etcd/client/v3/internal/endpoint