block access to the filecache tables by default

Signed-off-by: Robin Appelman <robin@icewind.nl>

Author: icewind1991

lib/private/DB/QueryBuilder/QueryBuilder.php

@@ -76,6 +76,19 @@ class QueryBuilder implements IQueryBuilder {
 	/** @var string */
 	protected $lastInsertedTable;
 
+	/**
+	 * Tables that require special attention and thus can't be queried by default
+	 *
+	 * @var list<string>
+	 */
+	protected array $shardedTables = [
+		'filecache',
+		'filecache_extended',
+		'files_metadata'
+	];
+
+	protected bool $sharded = false;
+
 	/**
 	 * Initializes a new QueryBuilder.
 	 *
@@ -677,6 +690,17 @@ public function insert($insert = null) {
 		return $this;
 	}
 
+	/**
+	 * @param string $table
+	 * @return void
+	 * @throws \Exception
+	 */
+	private function checkTableAccess(string $table) {
+		if (in_array($table, $this->shardedTables) !== $this->sharded) {
+			throw new \Exception("current query isn't allowed to access the $table table");
+		}
+	}
+
 	/**
 	 * Creates and adds a query root corresponding to the table identified by the
 	 * given alias, forming a cartesian product with any existing query roots.
@@ -693,6 +717,7 @@ public function insert($insert = null) {
 	 * @return $this This QueryBuilder instance.
 	 */
 	public function from($from, $alias = null) {
+		$this->checkTableAccess($from);
 		$this->queryBuilder->from(
 			$this->getTableName($from),
 			$this->quoteAlias($alias)
@@ -719,6 +744,8 @@ public function from($from, $alias = null) {
 	 * @return $this This QueryBuilder instance.
 	 */
 	public function join($fromAlias, $join, $alias, $condition = null) {
+		$this->checkTableAccess($join);
+
 		$this->queryBuilder->join(
 			$this->quoteAlias($fromAlias),
 			$this->getTableName($join),
@@ -747,6 +774,8 @@ public function join($fromAlias, $join, $alias, $condition = null) {
 	 * @return $this This QueryBuilder instance.
 	 */
 	public function innerJoin($fromAlias, $join, $alias, $condition = null) {
+		$this->checkTableAccess($join);
+
 		$this->queryBuilder->innerJoin(
 			$this->quoteAlias($fromAlias),
 			$this->getTableName($join),
@@ -775,6 +804,8 @@ public function innerJoin($fromAlias, $join, $alias, $condition = null) {
 	 * @return $this This QueryBuilder instance.
 	 */
 	public function leftJoin($fromAlias, $join, $alias, $condition = null) {
+		$this->checkTableAccess($join);
+
 		$this->queryBuilder->leftJoin(
 			$this->quoteAlias($fromAlias),
 			$this->getTableName($join),
@@ -803,6 +834,8 @@ public function leftJoin($fromAlias, $join, $alias, $condition = null) {
 	 * @return $this This QueryBuilder instance.
 	 */
 	public function rightJoin($fromAlias, $join, $alias, $condition = null) {
+		$this->checkTableAccess($join);
+
 		$this->queryBuilder->rightJoin(
 			$this->quoteAlias($fromAlias),
 			$this->getTableName($join),
@@ -1360,4 +1393,16 @@ public function quoteAlias($alias) {
 	public function escapeLikeParameter(string $parameter): string {
 		return $this->connection->escapeLikeParameter($parameter);
 	}
+
+	/**
+	 * Mark the query as accessing the sharded tables
+	 *
+	 * Proper attention needs to be given to ensure that all requirements for accessing the sharded tables
+	 *
+	 * @param bool $sharded
+	 * @return void
+	 */
+	public function setSharded(bool $sharded): void {
+		$this->sharded = $sharded;
+	}
 }

tests/lib/Files/Cache/SearchBuilderTest.php

@@ -22,6 +22,7 @@
 namespace Test\Files\Cache;
 
 use OC\DB\QueryBuilder\Literal;
+use OC\DB\QueryBuilder\QueryBuilder;
 use OC\Files\Cache\SearchBuilder;
 use OC\Files\Search\SearchBinaryOperator;
 use OC\Files\Search\SearchComparison;
@@ -50,7 +51,9 @@ class SearchBuilderTest extends TestCase {
 
 	protected function setUp(): void {
 		parent::setUp();
+		/** @var QueryBuilder builder */
 		$this->builder = \OC::$server->getDatabaseConnection()->getQueryBuilder();
+		$this->builder->setSharded(true);
 		$this->mimetypeLoader = $this->createMock(IMimeTypeLoader::class);
 
 		$this->mimetypeLoader->expects($this->any())