Add events to QueryBuilder class #36572
Conversation
331d4a8 to 5145ef6
This is already available by setting the following config: server/config/config.sample.php, lines 2225 to 2232 in dde5c46.
Regarding the events: From my POV this looks like an interesting idea, but it has the option to fail very hard performance-wise. Regarding column encryption: Also any user that has access to the database most likely also has access to the source code, so the encryption is not helping a lot. Which use/attack case are you trying to prevent?
Yes, this is true - if used incorrectly, these events can be a huge performance failure. However, based on my early usage of this code, there really isn't a noticeable performance hit when done well. (Also, let's be honest. Plenty of integrations have the potential for bad performance unless you build them right. Some might be even worse than this).
The integration I wrote uses That said, yes - this is a very unique implementation with very specific use-cases, and it could lead to negative effects. However, those use-cases DO exist. Also, there are other NC APIs that can impact performance even worse when used incorrectly. Thank you for your feedback. Let me know if you have further questions, comments, or suggestions - happy to discuss!
I get that, but the server might need to write data without the user password being available (e.g. in a background job, or when others trigger an update of "your" data). So the server is able to encrypt/decrypt and therefore also the sysadmin and anyone that hacks themselves access to the server.
Well, I decided to use Database encryption is my particular use-case for this PR, but I am sure there are other reasons why these events might be useful.
5145ef6 to 0bab7ae
@nickvergessen, I took some metrics to address the subject of performance. This is not the most scientific calculation, but it provides a rough estimate. I created a contact in NC and edited it multiple times. Then, I enabled my
Again, this is just my use-case for adding
What else is required for this PR? I'm not sure how to make CI happy...
But the biggest problem is technical. This is a very fragile thing to be added. It comes with great risk (performance, and listening to the event while triggering a SQL query will cause an infinite loop) and therefore we are currently unsure if this is the way to go, especially since the target usecase is so limited. It does not even prevent admins from doing "bad" things, as they have access to the keys as well. So the only thing it would help against is when your database storage is stolen but not the nextcloud one?
I completely understand the concerns regarding the events being very fragile and risky. However, I would like to respectfully push back a little. Many existing events in NC are fragile, risky, can lead to infinite loops, and allow admins to do bad things. There are events that allow developers to interact with the authentication process, user/group creation, and even password updates. Are there really that many use cases for My proposed events really aren't much different. Yes, the use cases are limited, but so are many events. That doesn't mean that there aren't valid use cases. Yes, directly accessing database queries is generally avoided because it is risky, but there are TONS of internal elements of the NC framework already exposed to developers. Many of them are just as risky. Yes, this could lead to infinite loops if improperly used, but even the most benign APIs can lead to infinite loops if not used correctly. This has happened to every developer at some point. I think this is the nature of open source and security. Systems should be as malleable as possible (even if it is risky) so developers don't have to "hack" system internals. In turn, developers should make their code available for public review and scrutiny. With that in mind, which option is more responsible?
Either method will accomplish the same goal, but I think the second option is much more responsible. That is why I am pursuing it. I am certainly open to feedback and suggestions, however.
Any thoughts on how to better structure this and still provide the same sort of functionality, @nickvergessen? It's a touchy integration, but it's better than overriding classes in my NC instances. Plus, I could provide my app that enables per-user column encryption, and I think a lot of people would benefit from that (there are open tickets asking for that feature).
0bab7ae to 0cc6fdb
You modified 3rdparty? That should not be needed. On that note, what is needed is
0cc6fdb to 0352be0
0352be0 to cff9699
@nickvergessen, the postgres11-php8.0 CI test is failing because Postgres fails to respond. I don't think this is an issue with my code - the test just failed to properly run, I believe. |
Yeah, seems unrelated
cff9699 to d805aad
@nickvergessen, looks like I've finally gotten past CI - hurrah! Sorry for being such a noob on this PR. It's my first PR to a project this complex, so I had a lot to learn. |
540d24a to dc75465
Commits:
- clean up
- php lint
- update autoloaders
- add phpdoc to public methods
- fix docblock
- rebase to master
- Update lib/public/DB/QueryBuilder/Events/AfterQueryExecuted.php (Co-authored-by: Joas Schilling <[email protected]>; Signed-off-by: summersab <[email protected]>)
- Update lib/public/DB/QueryBuilder/Events/BeforeQueryExecuted.php (Co-authored-by: Joas Schilling <[email protected]>; Signed-off-by: summersab <[email protected]>)
- update class file names to match changes from nickvergessen
- update class file names to match changes from nickvergessen; fix DCO (Signed-off-by: Andrew Summers <[email protected]>)
- update autoloaders
dc75465 to ca77486
Summary
This provides events before and after the execution of QueryBuilder objects in order to modify QueryBuilder elements, the query results, or both. While it may seem like this is only useful for niche applications (or potentially dangerous), there are valid instances where intercepting DB queries and results is extremely useful (or even necessary). Being able to intercept queries and/or results in order to restrict access, redact information, or even generate query-level logs would require the ability to access the QueryBuilder class before and/or after execution.
One application that I have implemented for my organization is adding column-level encryption on a per-user basis. Without being able to access the QueryBuilder class immediately before execution, this integration would be impossible. Once this PR is accepted and my integration is tested more thoroughly in production, I plan to make my code publicly available so administrators may encrypt information in the NC database such as contact and calendar data.