From 72af0eacda53416a6429c2f736a69bddaab163e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Mon, 26 Aug 2024 15:58:06 +0200
Subject: [PATCH] fix: Apply checks on shares in the middleware
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Julius Härtl
Signed-off-by: Max
---
 lib/Middleware/SessionMiddleware.php | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/lib/Middleware/SessionMiddleware.php b/lib/Middleware/SessionMiddleware.php
index e72646e404d..11230562412 100644
--- a/lib/Middleware/SessionMiddleware.php
+++ b/lib/Middleware/SessionMiddleware.php
@@ -16,10 +16,12 @@
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Middleware;
+use OCP\Constants;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotPermittedException;
 use OCP\IL10N;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IUserSession;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IManager as ShareManager;
@@ -31,6 +33,7 @@ public function __construct(
 private IRequest $request,
 private SessionService $sessionService,
 private DocumentService $documentService,
+ private ISession $session,
 private IUserSession $userSession,
 private IRootFolder $rootFolder,
 private ShareManager $shareManager,
@@ -125,10 +128,28 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo
 } catch (ShareNotFound) {
 throw new InvalidSessionException();
 }
+ // Check if shareToken has access to document
 if (count($this->rootFolder->getUserFolder($share->getShareOwner())->getById($documentId)) === 0) {
 throw new InvalidSessionException();
 }
+
+ /** @psalm-suppress RedundantConditionGivenDocblockType */
+ if ($share->getPassword() !== null) {
+ $shareId = $this->session->get('public_link_authenticated');
+ if ($share->getId() !== $shareId) {
+ throw new InvalidSessionException();
+ }
+ }
+
+ if (($share->getPermissions() & Constants::PERMISSION_READ) !== Constants::PERMISSION_READ) {
+ throw new InvalidSessionException();
+ }
+
+ $attributes = $share->getAttributes();
+ if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+ throw new InvalidSessionException();
+ }
 } else {
 throw new InvalidSessionException();
 }
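Review bot: The strict `!==` comparison between `$share->getId()` and the value read via `$this->session->get('public_link_authenticated')` only holds if both sides carry the same scalar type, and the hunk does not show what either side is; if one is an int and the other a string, every password-protected share is rejected here (fail-closed, but a silent regression that would be hard to spot). Unless the code that writes that session key guarantees the type, compare normalized values, `if ((string)$share->getId() !== (string)$shareId) {`, so a missing key still fails and a type mismatch no longer does. A point of style: the cheap permission-bit and download-attribute checks run after the `getById()` lookup in the owner's folder, and placing them ahead of it would skip that lookup for shares that are rejected anyway. The enclosing assertUserOrShareToken() begins before this hunk.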