Upload is not prevented (only store the final .file is) #211

Closed
solracsf opened this issue Sep 9, 2021 · 6 comments
Comments

@solracsf
Member

solracsf commented Sep 9, 2021

About https://docs.nextcloud.com/server/latest/admin_manual/file_workflows/access_control.html#prevent-uploading-of-specific-files

Setting a rule like
[screenshot of the rule]

Will NOT prevent the file upload >100 MB. The file will be fully uploaded by the client to the server, but the final MOVE of the .file will be denied, wasting server tmp resources as well as client and server bandwidth.

Upload should be prevented by checking the file size BEFORE the upload, not after.

@solracsf solracsf changed the title File Access Control : Upload is not prevented (store the file is) Upload is not prevented (store the file is) Sep 9, 2021
@solracsf solracsf changed the title Upload is not prevented (store the file is) File Access Control : Upload is not prevented (store the file is) Sep 9, 2021
@solracsf solracsf transferred this issue from nextcloud/server Sep 9, 2021
@solracsf solracsf changed the title File Access Control : Upload is not prevented (store the file is) Upload is not prevented (only store the final .file is) Sep 9, 2021
@solracsf
Member Author

solracsf commented Sep 9, 2021

It applies to any filter, I think. The file is always uploaded and "filtered" after the upload.
With a rule like this, a .pst upload is also only denied after the file is fully uploaded.

[screenshot of the rule]

@nickvergessen
Member

If you have access to "master", can you check if it works there?
I suspect #310 or #330 solve this?

@pyretta84

pyretta84 commented Oct 5, 2023

I have the same issue. On your documentation page (https://docs.nextcloud.com/server/latest/admin_manual/file_workflows/access_control.html) you've said: "If access to a file has been denied for a user, the user can not: Create/upload the file", but this isn't true.

I really need to restrict the uploadable file types to image files only.
So I selected the flow for "block access to a file" (File Access Control), used the trigger "file MIME type" does not match "images", gave the specific folder a restricted tag "Images Only" and chose this tag in that flow as well to apply the flow to that folder - as you mention in your manual/documentation linked above.

But I can upload everything - if I share the link to anonymous users it is even more important to restrict the upload possibilities! I could even upload JS files, SH files, php or sql files - everything! No setting on that File Access Control flow apply in the upload process - no file size observer, no MIME type observers, nothing. That is a real security issue! And you really need to update your manual if the upload of files can't be managed, because it doesn't work.

But really this should be. A file management program - a cloud service, which has the ability to let anonymous users upload files has to be able to restrict the uploads. It's really essential.

Please help us fix this. Thank you very much.

Here a Screenshot of my settings I made in the flow:
[screenshot of the flow settings]

I could upload any file type - not just images.
Even if I restrict it to filenames /.*\.(jpg|png|jpeg)/ - nothing changes and nothing applies to the upload process.

To your information, here are my used specs:
Nextcloud Hub 6 (27.1.1)
File access control 1.17.1
Operating System: Linux 5.10.0-13-amd64 x86_64
PHP 8.2.10
MySQL 8.0.34

EDIT/UPDATE: I even installed a completely new Nextcloud with only the basic applications active to prevent some applications from interfering with the functions of this File Access Control application. Nothing changed.

@pyretta84

pyretta84 commented Oct 5, 2023

After some further checks I think I figured something out.

If I only try the following, it works as expected:
[screenshot of the single-condition rule]

Result: I can't upload any file which has a lesser size than 2 MB into that tagged folder. Great!

But if I add only one further option - no matter what - it crashes the rule.
So I thought only one option is allowed and tried it with MIME type. The result was, that the tagged folder can't be opened again - because it doesn't match that MIME type obviously. Same thing with filenames.

So the only thing what is working here is "file size (uploaded)" - everything else isn't working in combination with "file system tag" if that tag applies to the parent folder of the uploaded files, which is what I would need.

I think it needs an extra option "File mime type (uploaded)", which is mentioned in that documentation but is not available as an option (anymore?). I don't have this option, as you can see in this screenshot:
[screenshot of the available check types]

@nickvergessen
Member

nickvergessen commented Oct 5, 2023

https://user-images.githubusercontent.com/147012991/272773397-f26aa042-159b-4ed4-a639-497a155192ce.png

The rules are "and" connected.
The rule says if the file size is smaller than 2 MB and bigger than 20 MB.
A file can never be both at the same time, so the rule will never match.

Since you want to block uploads if one of the cases matches, and we don't have an "or" connection, you need to create 3 different rule sets (which is basically the "or"):
(Also you need to add an exclusion for folders, otherwise the tagged folder itself will not be accessible)

1. Block non-images

  • File system tag > is tagged with > "Image Only"
  • File MIME type > is not > Images
  • File MIME type > is not > Folder

2. Block smaller files

  • File system tag > is tagged with > "Image Only"
  • File size (upload) > less > 2 MB
  • File MIME type > is not > Folder

3. Block bigger files

  • File system tag > is tagged with > "Image Only"
  • File size (upload) > greater > 20 MB
  • File MIME type > is not > Folder
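The following is an added example, not code from the File Access Control app or from anyone in this thread. It models the evaluation semantics described above (conditions inside one rule are AND-connected, separate rules act as an OR) so you can see why the single rule with both size checks never matches, why the tagged folder becomes inaccessible without the folder exclusion, and what the three proposed rule sets let through. Assumptions: the "Images" group is modelled as any `image/` MIME type, folders carry the MIME type `httpd/unix-directory` as Nextcloud reports it, the tag on the parent folder is already inherited into each node's tag set, and all sample files are constructed.

```python
"""Model of File Access Control rule evaluation (added example, not project code)."""
import re
from dataclasses import dataclass

MB = 1024 * 1024
FOLDER_MIME = "httpd/unix-directory"   # MIME type Nextcloud reports for directories
IMAGES = re.compile(r"^image/")         # assumption: what the "Images" group means


@dataclass(frozen=True)
class Node:
    """A file or folder as the checks see it. Assumption: a tag set on the
    parent folder has already been inherited into `tags`."""
    name: str
    mimetype: str
    size: int            # bytes; 0 for a folder
    tags: frozenset


# One builder per check type used in the thread; each returns a predicate.
def is_tagged(tag):
    return lambda n: tag in n.tags


def mime_is_not(value):
    """'File MIME type > is not'. A group (Images) is a regex, a single type a string."""
    if isinstance(value, re.Pattern):
        return lambda n: value.search(n.mimetype) is None
    return lambda n: n.mimetype != value


def mime_matches(pattern):
    """'File MIME type > matches' with a custom regex (blocklist style)."""
    rx = re.compile(pattern, re.I)
    return lambda n: rx.search(n.mimetype) is not None


def size_less(limit):
    return lambda n: n.size < limit


def size_greater(limit):
    return lambda n: n.size > limit


def rule_matches(rule, node):
    """Conditions inside one rule are AND-connected."""
    return all(check(node) for check in rule)


def access_denied(rules, node):
    """Separate rules act as an OR: any matching rule denies access."""
    return any(rule_matches(rule, node) for rule in rules)


TAG = "Image Only"

# The single rule with both size checks inside ONE rule:
# "less than 2 MB AND greater than 20 MB" can never both hold.
SINGLE_RULE = [[is_tagged(TAG), size_less(2 * MB), size_greater(20 * MB)]]

# The three rule sets proposed above, each with the folder exclusion.
THREE_RULES = [
    [is_tagged(TAG), mime_is_not(IMAGES), mime_is_not(FOLDER_MIME)],
    [is_tagged(TAG), size_less(2 * MB), mime_is_not(FOLDER_MIME)],
    [is_tagged(TAG), size_greater(20 * MB), mime_is_not(FOLDER_MIME)],
]

# Same rules without the exclusion: the tagged folder has a non-image MIME
# type and size 0, so it matches and becomes inaccessible.
THREE_RULES_NO_EXCLUSION = [rule[:-1] for rule in THREE_RULES]

# A blocklist-style rule with no tag check (constructed, shortened pattern);
# it applies everywhere, not only under the tagged folder.
BLOCKLIST_RULE = [[mime_matches(r"^application/(x-sh|x-httpd-php|javascript|zip)$"),
                   mime_is_not(FOLDER_MIME)]]

# Constructed sample nodes; all but "untagged" sit under the tagged folder.
TAGGED = frozenset({TAG})
SAMPLES = {
    "folder":   Node("Uploads", FOLDER_MIME, 0, TAGGED),
    "ok_jpg":   Node("photo.jpg", "image/jpeg", 5 * MB, TAGGED),
    "tiny_png": Node("icon.png", "image/png", 100 * 1024, TAGGED),
    "huge_jpg": Node("raw.jpg", "image/jpeg", 25 * MB, TAGGED),
    "script":   Node("run.sh", "application/x-sh", 5 * MB, TAGGED),
    "untagged": Node("run.sh", "application/x-sh", 5 * MB, frozenset()),
}


def evaluate(rules):
    """Map sample name -> True if access (and thus the final MOVE) is denied."""
    return {name: access_denied(rules, node) for name, node in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in [("single rule", SINGLE_RULE),
                         ("three rules", THREE_RULES),
                         ("three rules, no folder exclusion", THREE_RULES_NO_EXCLUSION),
                         ("blocklist", BLOCKLIST_RULE)]:
        print(label, evaluate(rules))
```

Running it shows the single rule denying nothing at all, the three rule sets denying the 100 KB PNG, the 25 MB JPEG and the shell script while leaving the folder and the 5 MB JPEG accessible, and the folder itself denied as soon as the `Folder` exclusion is dropped. Note that in the real app, as the thread describes, "denied" still means the bytes were uploaded first and only the final rename is refused.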

@pyretta84

pyretta84 commented Oct 5, 2023

Thank you very much! I thought your proposal should be working - but not exactly as you mentioned. But you put me on my way to solve it.

This thing with the folder seems not to work:
[screenshot of the rule with the folder exclusion]

But if I create its own rule for every MIME type group and every other option I needed, it works.
It's not restricted to that folder anymore, but for the moment it would be fitting.

[screenshot of the per-group rules]

I needed to use custom MIME types like /^application\/(rar|vnd.rar|x-rar-compressed|octet-stream|zip|gzip|x-zip-compressed|x-tar|x-sh|sh|rtf|x-httpd-php|pdf|ogg|vnd.oasis.opendocument.text|vnd.oasis.opendocument.spreadsheet|vnd.apple.installer+xml|xhtml+xml|xml|html|json|ld+json|javascript|java-archive|x-csh|x-bzip2|x-bzip|x-freearc|x-7z-compressed|vnd.mozilla.xul+xml)$/i or /^text\/(plain|css|csv|calendar|javascript|sh|x-sh|html|xml)$/i

this worked for me. Thank you very much!
