Comments (7)
Dictionary attacks would become a concern, yes. Token enumeration is already possible if highly unlikely, although I assume the endpoint is brute force protected, so it's expensive and time consuming.
Could also lead to token leaks as two identical tokens aren't possible, so a (guest) user might try creating shares at random to guess at other tokens. If we add the userId to the token, that could work as a preventative measure so each token only needs to be unique to each user space. The token controller will need to first check the userId against the logged-in user so somebody can't fake the userId in a request and try collision-based guessing that way, but then the benefit of having a custom token is minimized.
If we do this, I'd recommend enforcing a password.
I'd also suggest a minimum length for the token. Not great if the user chooses something really short.
In short, there are definitely some risks to this, and I can't really see the benefits. Maybe a link shortener integration could be a viable alternative?
this is basically an accepted risk - it is meant for small home user instances where I might want to share vacation photos with family using an easy to remember link. That that makes the link easy to find is something we will warn about in the UI, but it's inherent to the solution. Adding a (mandatory) password would defeat the purpose of this ;-)
On large instances it's a rather dumb idea to do it, but then we don't intend to promote it for that. It's purely for home users.
FWIW, I use the app that implements this myself.
So should this be a separate app so that it can be removed during building the enterprise archive?
@szaimen yes.
Ideally we adapt and include https://apps.nextcloud.com/apps/cfg_share_links or https://apps.nextcloud.com/apps/sharerenamer in the community edition.
@miaulalala could you give a security opinion on that feature?
could be a security issue. Mitigations:
add a warning?
A warning is fine, yes. When you want to give a name, you want it to be easier visible.
optionally enforce password protection?
Optional if at all, but again, the point of giving a simple share name is the ability to remember. If you then have to remember a separate password it defeats the purpose and you might as well have pasted the complicated link.
enforce a minimum set of dictionary words? (minimal 2, optionally configurable?)
Straight no on that one. Again if you change the name you want it to be simple. :)
The simplest way to address the enterprise migration part I think is to have a separate custom share token alongside the generated token that is available on community instances and disabled on enterprise automatically with a check.
This removes the complexity of having to "migrate" anything such as overwriting a custom token that may have been set in-place of the generated token, as would be needed based on the implementations in the apps mentioned previously. To detect this we can use:
Unfortunately the code is quite tightly coupled at the moment which makes it infeasible to simply add a hook/plugin in a separate app to handle custom tokens. But allowing custom tokens in the existing code is not complicated.
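Added example (not Nextcloud code, not from anyone in this thread): a toy share registry that applies the mitigations discussed above, namely custom tokens scoped to the owner's user space with the owner taken from the session rather than the request, a minimum length, and a custom token kept alongside the random generated one so it can be switched off on an instance without migrating anything. The link layout `/s/<owner>/<custom>` and the length threshold are assumptions.

```python
import secrets

MIN_CUSTOM_TOKEN_LENGTH = 8  # assumption: the thread asks for "a minimum length" but names none


class ShareStore:
    """Toy share registry (illustration, not Nextcloud's implementation).

    Every share always gets a random generated token; a custom token is an
    optional extra that only works while the instance has it enabled.
    """

    def __init__(self, custom_tokens_enabled: bool):
        self.custom_tokens_enabled = custom_tokens_enabled
        self.by_generated = {}   # generated token -> share
        self.by_custom = {}      # (owner userId, custom token) -> share

    def create_share(self, session_user, path, requested_owner=None, custom_token=None):
        # The owner is always the logged-in user. A userId supplied in the
        # request must match it, otherwise a caller could probe another
        # user's token namespace for collisions.
        if requested_owner is not None and requested_owner != session_user:
            raise PermissionError("userId in request does not match logged-in user")
        share = {"owner": session_user, "path": path,
                 "token": secrets.token_urlsafe(16), "custom": None}
        self.by_generated[share["token"]] = share
        if custom_token is not None:
            if not self.custom_tokens_enabled:
                raise ValueError("custom share tokens are disabled on this instance")
            if len(custom_token) < MIN_CUSTOM_TOKEN_LENGTH:
                raise ValueError("custom token too short")
            key = (session_user, custom_token)
            # Uniqueness is only required inside the owner's namespace, so a
            # rejected name never reveals whether some other user holds it.
            if key in self.by_custom:
                raise ValueError("you already use this custom token")
            self.by_custom[key] = share
            share["custom"] = custom_token
        return share

    def resolve(self, link):
        """Resolve '/s/<generated>' or '/s/<owner>/<custom>' to a share, else None."""
        parts = link.strip("/").split("/")
        if len(parts) == 2 and parts[0] == "s":
            return self.by_generated.get(parts[1])
        if len(parts) == 3 and parts[0] == "s" and self.custom_tokens_enabled:
            return self.by_custom.get((parts[1], parts[2]))
        return None
```

Because the custom token never replaces the generated one, disabling custom tokens on an instance simply stops the `/s/<owner>/<custom>` form from resolving while every existing generated link keeps working.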