From b9493cc12d3753811d1715d055b40ad0e353082f Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Fri, 3 Jan 2025 10:04:51 +0100
Subject: [PATCH] fix(logger): Prevent infinite recursion with log.condition =>
 matches

When we need to check the log condition for a user matches,
there is a risk that something on the way checks the log level
and would result in an infinite loop.
So we simply check if it's a nested call and use the default
warning level in that case.

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 .../features/log-condition.feature            | 39 +++++++++++++++++++
 lib/private/Log.php                           | 12 ++++++
 2 files changed, 51 insertions(+)
 create mode 100644 build/integration/features/log-condition.feature

diff --git a/build/integration/features/log-condition.feature b/build/integration/features/log-condition.feature
new file mode 100644
index 0000000000000..4059db1ebf3ca
--- /dev/null
+++ b/build/integration/features/log-condition.feature
@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+# SPDX-License-Identifier: AGPL-3.0-or-later
+Feature: log-condition
+
+  Background:
+    Given invoking occ with "config:system:set log.condition matches 0 users 0 --value admin"
+    Then the command was successful
+
+  Scenario: Accessing /status.php with log.condition
+    When requesting "/status.php" with "GET"
+    Then the HTTP status code should be "200"
+
+  Scenario: Accessing /index.php with log.condition
+    When requesting "/index.php" with "GET"
+    Then the HTTP status code should be "200"
+
+  Scenario: Accessing /remote.php/webdav with log.condition
+    When requesting "/remote.php/webdav" with "GET"
+    Then the HTTP status code should be "401"
+
+  Scenario: Accessing /remote.php/dav with log.condition
+    When requesting "/remote.php/dav" with "GET"
+    Then the HTTP status code should be "401"
+
+  Scenario: Accessing /ocs/v1.php with log.condition
+    When requesting "/ocs/v1.php" with "GET"
+    Then the HTTP status code should be "200"
+
+  Scenario: Accessing /ocs/v2.php with log.condition
+    When requesting "/ocs/v2.php" with "GET"
+    Then the HTTP status code should be "404"
+
+  Scenario: Accessing /public.php/webdav with log.condition
+    When requesting "/public.php/webdav" with "GET"
+    Then the HTTP status code should be "401"
+
+  Scenario: Accessing /public.php/dav with log.condition
+    When requesting "/public.php/dav" with "GET"
+    Then the HTTP status code should be "503"
diff --git a/lib/private/Log.php b/lib/private/Log.php
index 4fce04367079f..e2b732473c2d4 100644
--- a/lib/private/Log.php
+++ b/lib/private/Log.php
@@ -37,6 +37,7 @@
 class Log implements ILogger, IDataLogger {
 	private ?bool $logConditionSatisfied = null;
 	private ?IEventDispatcher $eventDispatcher = null;
+	private int $nestingLevel = 0;
 
 	public function __construct(
 		private IWriter $logger,
@@ -196,6 +197,11 @@ public function log(int $level, string $message, array $context = []): void {
 	}
 
 	public function getLogLevel(array $context, string $message): int {
+		if ($this->nestingLevel > 1) {
+			return ILogger::WARN;
+		}
+
+		$this->nestingLevel++;
 		/**
 		 * @psalm-var array{
 		 *   shared_secret?: string,
@@ -246,6 +252,7 @@ public function getLogLevel(array $context, string $message): int {
 
 		// if log condition is satisfied change the required log level to DEBUG
 		if ($this->logConditionSatisfied) {
+			$this->nestingLevel--;
 			return ILogger::DEBUG;
 		}
 
@@ -260,6 +267,7 @@ public function getLogLevel(array $context, string $message): int {
 			 * once this is met -> change the required log level to debug
 			 */
 			if (in_array($context['app'], $logCondition['apps'] ?? [], true)) {
+				$this->nestingLevel--;
 				return ILogger::DEBUG;
 			}
 		}
@@ -272,6 +280,7 @@ public function getLogLevel(array $context, string $message): int {
 
 			// Invalid configuration, warn the user and fall back to default level of WARN
 			error_log('Nextcloud configuration: "loglevel" is not a valid integer');
+			$this->nestingLevel--;
 			return ILogger::WARN;
 		}
 
@@ -285,12 +294,15 @@ public function getLogLevel(array $context, string $message): int {
 				if (!isset($option['apps']) && !isset($option['loglevel']) && !isset($option['message'])) {
 					/* Only user and/or secret are listed as conditions, we can cache the result for the rest of the request */
 					$this->logConditionSatisfied = true;
+					$this->nestingLevel--;
 					return ILogger::DEBUG;
 				}
+				$this->nestingLevel--;
 				return $option['loglevel'] ?? ILogger::DEBUG;
 			}
 		}
 
+		$this->nestingLevel--;
 		return ILogger::WARN;
 	}