Bug: Don't generate a public link token for internal circle team share#2443
Bug: Don't generate a public link token for internal circle team share#2443T0mWz wants to merge 4 commits intonextcloud:masterfrom
Conversation
… internal team share
|
This issue is related to pull request; #2390 |
|
@cristianscheid please can you review this? |
T0mWz
changed the title
T0mWz
changed the title
|
Hi @T0mWz, thanks for the PR! I'm currently reviewing and testing the impact of this fix. I'll keep you posted. |
|
After testing the fix locally, I found it introduces a new bug when sharing a folder with a team that has members added by email (like below). |
|
Hi @cristianscheid , Sorry for my late reply. You’re absolutely right. I hadn’t tested this properly either; I can now see the Internal Server Error on my end too, although it’s still with NC32. With Nextcloud Circles, a share can be created with users within Nextcloud. However, external users can also be added based on their email address. When sharing via a Nextcloud Circle, a share type 7 is added to the oc_share table. Separate from the share with the circle, a public link token is also added. This token is now directly accessible to everyone without any form of security, but is necessary for the underlying circle token. This patch omits the setToken, but it is still required behind the scenes for those receiving the share via the Circle. Currently, public links rely entirely on the oc_share token entry. With my recently (extra) pushed patch, a change has been added to the getShareByToken function in the circle app, ensuring that a circles-token lookup also takes place in oc_circles_token and is not dependent on oc_share.token. The oc_share.token can then remain empty or be assigned a non-routable value. Could you check whether this solves the problem for you as well? Thanks, Tom |
| $shareWrapper = $this->shareWrapperService->getShareByCirclesToken($token); | ||
| } catch (ShareWrapperNotFoundException $e2) { | ||
| throw new ShareNotFound( | ||
| 'Share not found for token (tried both oc_share and oc_circles_token): ' . $token | ||
| ); |
There was a problem hiding this comment.
Looks like a duplicate of the fallback in getShareByToken, no?
| // Fallback: search using oc_circles_token.token | ||
| // This is necessary when oc_share.token is empty or does not match, | ||
| // but the circles token does exist. |
There was a problem hiding this comment.
I don't think that is true, I think getShareByToken will match the circle token, meaning that the fallback is useless.
| if ($shareWrapper->getToken() === '' || $shareWrapper->getToken() === null) { | ||
| $shareWrapper->setToken($token); | ||
| } |
There was a problem hiding this comment.
Maybe we should simply return the oc_circles_token.token in ShareWrapper->getToken() instead of the oc_share.token?
… share by its circles token. Also set the circles token on the IShare object correct based on circles output.
|
Thanks for your feedback @artonge ! What I tested:
What changed:
Summary of this change: To prevent unauthenticated access, oc_share.token can be left empty. This change adds a fallback in ShareWrapperService::getShareByToken() that looks up the share via oc_circles_token.token when no match is found in oc_share.token. After the IShare object is constructed from the database, the circles token is applied to it directly, ensuring the router always receives a valid non-empty token. |
… share by its circles token. Also set the circles token on the IShare object correct based on circles output.
|
The issue this PR aimed to address should now be resolved by this other PR: #2454. Shall we go ahead and close this one? |
|
Hello there, We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process. Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6 Thank you for contributing to Nextcloud and we hope to hear from you soon! (If you believe you should not receive this message, you can add yourself to the blocklist.) |
4 participants
Issue
When sharing data with a team, a public link token is inadvertently generated alongside the secure internal share link for authenticated users. This public link has the same access rights and, until recently, was shared with team members via email.
Although the recipients were already authorised to access this data, recipients of the email may have forwarded it to third parties, thereby allowing them – without authorisation – to gain access with the same rights as an authorised person. Team members are no longer informed of this, but a public link token is still generated behind the scenes.
This public link token can easily be guessed using a randomiser, thereby allowing unauthorised access to data that should not have been publicly accessible.
How to reproduce
Create a team via the contacts. Then share a dataset with custom permissions with this team.
** Result **
You can view this data without authentication via the public link token (8ui9FePpNwznze8), with the assumption that it has only been shared with team members via authorised access.