fix(attachments): return 404 when attachment path resolves to a folder #1923
Open
MiMoHo wants to merge 1 commit into
getAttachment() relied on assert() to ensure the resolved node is a File. assert() is a no-op with the production setting zend.assertions=-1, so a path pointing at a directory produced a TypeError from the ": File" return type. TypeError is a \Error and is not caught by the controllers' catch(\Exception), ending the request in HTTP 500 instead of 404.

Guard the type explicitly and throw NoteDoesNotExistException, mirroring the existing pattern in getFileById().

Signed-off-by: Milan <37556964+MiMoHo@users.noreply.github.com>
Summary
NotesService::getAttachment() resolves the requested path relative to the note's category folder and returns the node from Folder::get(). When that path resolves to a directory, the method relied on assert($targetNode instanceof \OCP\Files\File).

Problem
assert() is a no-op in production, where zend.assertions=-1 is the setting shipped in php.ini-production. With declare(strict_types=1) and the : File return type, returning a Folder then raises a TypeError. TypeError is a \Error, not a \Exception, so it is not caught by the catch (\Exception) blocks in NotesController::getAttachment() and NotesApiController::getAttachment(). The request ends in HTTP 500 instead of a clean 404.

Reachable e.g. via GET /apps/notes/notes/{id}/attachment?path= on a note that has a category, because the resolved path then points at the category folder.

Fix
Replace the assertion with an explicit instanceof guard that throws NoteDoesNotExistException. This mirrors the idiom already used in getFileById() in the same file, keeps the Node to File narrowing for Psalm, and lets the existing controller catch (\Exception) turn it into a 404. No new imports required.

Type
Robustness / correctness. No security impact, no change to successful requests.

How to test
work.
GET /apps/notes/notes/{id}/attachment?path= for that note.

Checklist
composer cs:check
composer psalm
php -l clean
Signed-off-by line present for DCO

🤖 AI (if applicable)
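
The failure mode described in this pull request, reduced to a stand-alone script. This is an added example, not code from the pull request or the Notes code base: the classes are hypothetical stand-ins for the OCP file types and the app's exception, and respond() is an assumed simplification of the controllers' try/catch, with the outer catch standing in for the framework's last-resort error handler.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for \OCP\Files\Node, File, Folder and the app's exception.
interface Node {}
final class File implements Node {}
final class Folder implements Node {}
final class NoteDoesNotExistException extends \Exception {}

// Emulate production: skip assert() at runtime (php.ini-production ships -1,
// which cannot be set from a script; 0 has the same effect on execution).
if ((int) ini_get('zend.assertions') === 1) {
    ini_set('zend.assertions', '0');
}

// "Before": the only type check is an assert(), which is skipped in production.
function getAttachmentAsserted(Node $targetNode): File {
    assert($targetNode instanceof File);
    return $targetNode; // a Folder here violates ": File" and raises TypeError
}

// "After": explicit guard that throws an \Exception subclass.
function getAttachmentGuarded(Node $targetNode): File {
    if (!($targetNode instanceof File)) {
        throw new NoteDoesNotExistException();
    }
    return $targetNode;
}

// Controller-shaped wrapper: catch (\Exception) maps to 404, \Error escapes it.
function respond(callable $getAttachment, Node $node): int {
    try {
        try {
            $getAttachment($node);
            return 200;
        } catch (\Exception $e) {   // what the controllers catch
            return 404;
        }
    } catch (\Error $e) {           // TypeError lands here, not in the 404 branch
        return 500;
    }
}

$folder = new Folder();             // constructed input: path resolved to a directory
printf("assert only, folder: %d\n", respond('getAttachmentAsserted', $folder));
printf("guarded, folder:     %d\n", respond('getAttachmentGuarded', $folder));
printf("guarded, file:       %d\n", respond('getAttachmentGuarded', new File()));
```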