Disable the encryption of uploads, in line with other efforts not to encrypt local data.

This commit is contained in:
James Cole 2019-08-25 07:25:01 +02:00
parent 6b86a35ffb
commit af2f085aa7
8 changed files with 46 additions and 41 deletions

View File

@ -148,7 +148,7 @@ class DecryptDatabase extends Command
private function tryDecrypt($value) private function tryDecrypt($value)
{ {
try { try {
$value = Crypt::decrypt($value); $value = Crypt::decrypt($value); // verified
} catch (DecryptException $e) { } catch (DecryptException $e) {
if ('The MAC is invalid.' === $e->getMessage()) { if ('The MAC is invalid.' === $e->getMessage()) {
throw new FireflyException($e->getMessage()); // @codeCoverageIgnore throw new FireflyException($e->getMessage()); // @codeCoverageIgnore

View File

@ -30,6 +30,7 @@ use FireflyIII\Models\Attachment;
use Illuminate\Console\Command; use Illuminate\Console\Command;
use Illuminate\Contracts\Encryption\DecryptException; use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Contracts\Filesystem\FileNotFoundException; use Illuminate\Contracts\Filesystem\FileNotFoundException;
use Log;
use Storage; use Storage;
/** /**
@ -51,7 +52,7 @@ class ScanAttachments extends Command
* *
* @var string * @var string
*/ */
protected $signature = 'firefly:scan-attachments'; protected $signature = 'firefly-iii:scan-attachments';
/** /**
* Execute the console command. * Execute the console command.
@ -62,21 +63,22 @@ class ScanAttachments extends Command
$disk = Storage::disk('upload'); $disk = Storage::disk('upload');
/** @var Attachment $attachment */ /** @var Attachment $attachment */
foreach ($attachments as $attachment) { foreach ($attachments as $attachment) {
$fileName = $attachment->fileName(); $fileName = $attachment->fileName();
$decryptedContent = '';
try { try {
$content = $disk->get($fileName); $encryptedContent = $disk->get($fileName);
} catch (FileNotFoundException $e) { } catch (FileNotFoundException $e) {
$this->error(sprintf('Could not find data for attachment #%d: %s', $attachment->id, $e->getMessage())); $this->error(sprintf('Could not find data for attachment #%d: %s', $attachment->id, $e->getMessage()));
continue; continue;
} }
try { try {
$decrypted = Crypt::decrypt($content); $decryptedContent = Crypt::decrypt($encryptedContent); // verified
} catch (DecryptException $e) { } catch (DecryptException $e) {
$this->error(sprintf('Could not decrypt data of attachment #%d: %s', $attachment->id, $e->getMessage())); Log::error(sprintf('Could not decrypt data of attachment #%d: %s', $attachment->id, $e->getMessage()));
continue; $decryptedContent = $encryptedContent;
} }
$tempFileName = tempnam(sys_get_temp_dir(), 'FireflyIII'); $tempFileName = tempnam(sys_get_temp_dir(), 'FireflyIII');
file_put_contents($tempFileName, $decrypted); file_put_contents($tempFileName, $decryptedContent);
$md5 = md5_file($tempFileName); $md5 = md5_file($tempFileName);
$mime = mime_content_type($tempFileName); $mime = mime_content_type($tempFileName);
$attachment->md5 = $md5; $attachment->md5 = $md5;

View File

@ -84,15 +84,20 @@ class AttachmentHelper implements AttachmentHelperInterface
*/ */
public function getAttachmentContent(Attachment $attachment): string public function getAttachmentContent(Attachment $attachment): string
{ {
$encryptedData = '';
try { try {
$content = Crypt::decrypt($this->uploadDisk->get(sprintf('at-%d.data', $attachment->id))); $encryptedData = $this->uploadDisk->get(sprintf('at-%d.data', $attachment->id));
} catch (FileNotFoundException $e) {
Log::error($e->getMessage());
}
try {
$unencryptedData = Crypt::decrypt($encryptedData); // verified
} catch (DecryptException|FileNotFoundException $e) { } catch (DecryptException|FileNotFoundException $e) {
Log::error(sprintf('Could not decrypt data of attachment #%d: %s', $attachment->id, $e->getMessage())); Log::error(sprintf('Could not decrypt data of attachment #%d: %s', $attachment->id, $e->getMessage()));
$content = ''; $unencryptedData = $encryptedData;
} }
return $content; return $unencryptedData;
} }
/** /**
@ -167,9 +172,8 @@ class AttachmentHelper implements AttachmentHelperInterface
return false; return false;
} }
// is allowed? Save the file! // is allowed? Save the file, without encryption.
$encrypted = Crypt::encrypt($content); $this->uploadDisk->put($attachment->fileName(), $content);
$this->uploadDisk->put($attachment->fileName(), $encrypted);
// update attachment. // update attachment.
$attachment->md5 = md5_file($path); $attachment->md5 = md5_file($path);
@ -275,12 +279,10 @@ class AttachmentHelper implements AttachmentHelperInterface
} }
$content = $fileObject->fread($file->getSize()); $content = $fileObject->fread($file->getSize());
$encrypted = Crypt::encrypt($content);
Log::debug(sprintf('Full file length is %d and upload size is %d.', strlen($content), $file->getSize())); Log::debug(sprintf('Full file length is %d and upload size is %d.', strlen($content), $file->getSize()));
Log::debug(sprintf('Encrypted content is %d', strlen($encrypted)));
// store it: // store it:
$this->uploadDisk->put($attachment->fileName(), $encrypted); $this->uploadDisk->put($attachment->fileName(), $content);
$attachment->uploaded = true; // update attachment $attachment->uploaded = true; // update attachment
$attachment->save(); $attachment->save();
$this->attachments->push($attachment); $this->attachments->push($attachment);

View File

@ -30,6 +30,7 @@ use FireflyIII\Helpers\Attachments\AttachmentHelperInterface;
use FireflyIII\Models\Attachment; use FireflyIII\Models\Attachment;
use FireflyIII\Models\Note; use FireflyIII\Models\Note;
use FireflyIII\User; use FireflyIII\User;
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Contracts\Filesystem\FileNotFoundException; use Illuminate\Contracts\Filesystem\FileNotFoundException;
use Illuminate\Support\Collection; use Illuminate\Support\Collection;
use Illuminate\Support\Facades\Storage; use Illuminate\Support\Facades\Storage;
@ -105,25 +106,27 @@ class AttachmentRepository implements AttachmentRepositoryInterface
public function getContent(Attachment $attachment): string public function getContent(Attachment $attachment): string
{ {
// create a disk. // create a disk.
$disk = Storage::disk('upload'); $disk = Storage::disk('upload');
$file = $attachment->fileName(); $file = $attachment->fileName();
$content = ''; $unencryptedContent = '';
if ($disk->exists($file)) { if ($disk->exists($file)) {
$encryptedContent = '';
try { try {
$content = Crypt::decrypt($disk->get($file)); $encryptedContent = $disk->get($file);
} catch (FileNotFoundException $e) { } catch (FileNotFoundException $e) {
Log::debug(sprintf('File not found: %e', $e->getMessage())); Log::error($e->getMessage());
$content = false; }
try {
$unencryptedContent = Crypt::decrypt($encryptedContent); // verified
} catch (DecryptException $e) {
Log::debug(sprintf('Could not decrypt: %e', $e->getMessage()));
$unencryptedContent = $encryptedContent;
} }
} }
if (\is_bool($content)) {
Log::error(sprintf('Attachment #%d may be corrupted: the content could not be decrypted.', $attachment->id));
return ''; return $unencryptedContent;
}
return $content;
} }
/** /**

View File

@ -243,10 +243,10 @@ class ImportJobRepository implements ImportJobRepositoryInterface
{ {
// this will overwrite all transactions currently in the job. // this will overwrite all transactions currently in the job.
$disk = Storage::disk('upload'); $disk = Storage::disk('upload');
$filename = sprintf('%s-%s.crypt.json', $job->created_at->format('Ymd'), $job->key); $filename = sprintf('%s-%s.json', $job->created_at->format('Ymd'), $job->key);
$array = []; $array = [];
if ($disk->exists($filename)) { if ($disk->exists($filename)) {
$json = Crypt::decrypt($disk->get($filename)); $json = $disk->get($filename);
$array = json_decode($json, true); $array = json_decode($json, true);
} }
if (false === $array) { if (false === $array) {
@ -329,8 +329,8 @@ class ImportJobRepository implements ImportJobRepositoryInterface
{ {
// this will overwrite all transactions currently in the job. // this will overwrite all transactions currently in the job.
$disk = Storage::disk('upload'); $disk = Storage::disk('upload');
$filename = sprintf('%s-%s.crypt.json', $job->created_at->format('Ymd'), $job->key); $filename = sprintf('%s-%s.json', $job->created_at->format('Ymd'), $job->key);
$json = Crypt::encrypt(json_encode($transactions)); $json = json_encode($transactions);
// set count for easy access // set count for easy access
$array = ['count' => count($transactions)]; $array = ['count' => count($transactions)];
@ -389,9 +389,8 @@ class ImportJobRepository implements ImportJobRepositoryInterface
$attachment->size = strlen($content); $attachment->size = strlen($content);
$attachment->uploaded = false; $attachment->uploaded = false;
$attachment->save(); $attachment->save();
$encrypted = Crypt::encrypt($content);
$this->uploadDisk->put($attachment->fileName(), $encrypted); $this->uploadDisk->put($attachment->fileName(), $content);
$attachment->uploaded = true; // update attachment $attachment->uploaded = true; // update attachment
$attachment->save(); $attachment->save();
@ -446,8 +445,7 @@ class ImportJobRepository implements ImportJobRepositoryInterface
} }
$content = $fileObject->fread($file->getSize()); $content = $fileObject->fread($file->getSize());
$encrypted = Crypt::encrypt($content); $this->uploadDisk->put($attachment->fileName(), $content);
$this->uploadDisk->put($attachment->fileName(), $encrypted);
$attachment->uploaded = true; // update attachment $attachment->uploaded = true; // update attachment
$attachment->save(); $attachment->save();

View File

@ -343,7 +343,7 @@ class Amount
private function tryDecrypt(string $value): string private function tryDecrypt(string $value): string
{ {
try { try {
$value = Crypt::decrypt($value); $value = Crypt::decrypt($value); // verified
} catch (DecryptException $e) { } catch (DecryptException $e) {
Log::debug(sprintf('Could not decrypt "%s". %s', $value, $e->getMessage())); Log::debug(sprintf('Could not decrypt "%s". %s', $value, $e->getMessage()));
} }

View File

@ -50,7 +50,7 @@ class FinTS
$config['fints_port'], $config['fints_port'],
$config['fints_bank_code'], $config['fints_bank_code'],
$config['fints_username'], $config['fints_username'],
Crypt::decrypt($config['fints_password']) Crypt::decrypt($config['fints_password']) // verified
); );
} }

View File

@ -57,7 +57,7 @@ class NewFinTSJobHandler implements FinTSConfigurationInterface
$config['fints_port'] = (int)($data['fints_port'] ?? ''); $config['fints_port'] = (int)($data['fints_port'] ?? '');
$config['fints_bank_code'] = (string)($data['fints_bank_code'] ?? ''); $config['fints_bank_code'] = (string)($data['fints_bank_code'] ?? '');
$config['fints_username'] = (string)($data['fints_username'] ?? ''); $config['fints_username'] = (string)($data['fints_username'] ?? '');
$config['fints_password'] = (string)(Crypt::encrypt($data['fints_password']) ?? ''); $config['fints_password'] = (string)(Crypt::encrypt($data['fints_password']) ?? ''); // verified
$config['apply-rules'] = 1 === (int)$data['apply_rules']; $config['apply-rules'] = 1 === (int)$data['apply_rules'];
// sanitize FinTS URL. // sanitize FinTS URL.