[Bug]: generate system report doesn't remove all sensitive values #42530

Closed
6 of 8 tasks
isdnfan opened this issue Dec 29, 2023 · 6 comments · Fixed by #42658
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 28-feedback bug feature: occ privacy

Comments

@isdnfan

isdnfan commented Dec 29, 2023

⚠️ This issue respects the following points: ⚠️

Bug description

When looking for support, an admin is expected to run https://cloud.tld/settings/admin/support > [Generate system report]. This report lists different settings and installed apps. It also replaces sensitive values like passwords with the predefined string "REMOVED SENSITIVE VALUE".

In NC27 and NC28 (likely all versions) some sensitive values remain unchanged. These are:

  • overwritehost
  • overwrite.cli.url
  • trusted_domains
  • serverinfo > token ( used to access system metrics without user )
  • preview_imaginary_url
  • TURN servers (maybe STUN as well - not used in my installation)

Steps to reproduce

  1. access https://cloud.tld/settings/admin/support
  2. click on [Generate system report]
  3. review the report

The command-line tool occ config:list system has the same flaw.

Expected behavior

Please include the mentioned values in the replacement mechanism to avoid leaking sensitive data.

Installation method

Community Docker image

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***MANUALLY REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "27.1.4.1",
        "overwrite.cli.url": "***MANUALLY REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "overwritehost": "***MANUALLY REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "loglevel": 1,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "PLAIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "app_install_overwrite": [
            "joplin",
            "twofactor_webauthn",
            "twofactor_admin",
            "groupfolders",
            "impersonate",
            "sharelisting"
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "theme": "",
        "default_phone_region": "CH",
        "allow_local_remote_servers": true,
        "serverinfo": {
            "token": "***MANUALLY REMOVED SENSITIVE VALUE***"
        },
        "session_keepalive": "true",
        "memories.exiftool": "\/var\/www\/html\/custom_apps\/memories\/bin-ext\/exiftool-amd64-glibc",
        "preview_max_x": "1400",
        "preview_max_y": "800",
        "preview_max_scale_factor": "1",
        "jpeg_quality": "60",
        "memories.vod.path": "\/var\/www\/html\/custom_apps\/memories\/bin-ext\/go-vod-amd64",
        "enabledPreviewProviders": [
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\OpenDocument",
            "OC\\Preview\\Krita",
            "OC\\Preview\\Imaginary"
        ],
        "preview_concurrency_all": "12",
        "preview_concurrency_new": "8",
        "preview_imaginary_url": "***MANUALLY REMOVED SENSITIVE VALUE***",
        "log_rotate_size": 52428800
    }
}

List of activated Apps

Enabled:
  - activity: 2.19.0
  - admin_audit: 1.17.0
  - bookmarks: 13.1.1
  - bruteforcesettings: 2.7.0
  - calendar: 4.6.0
  - cfg_share_links: 4.2.0
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contacts: 5.4.2
  - contactsinteraction: 1.8.0
  - dav: 1.27.0
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_accesscontrol: 1.17.1
  - files_pdfviewer: 2.8.0
  - files_reminders: 1.0.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - forms: 3.4.2
  - groupfolders: 15.3.1
  - impersonate: 1.14.0
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - mail: 3.4.6
  - maps: 1.1.1
  - memories: 6.1.5
  - notifications: 2.15.0
  - notify_push: 0.6.5
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - photos: 2.3.0
  - polls: 5.4.2
  - previewgenerator: 5.4.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - recognize: 5.0.3
  - related_resources: 1.2.0
  - richdocuments: 8.2.3
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - shareimporter: 1.1.0
  - sharelisting: 1.2.0
  - snappymail: 2.30.0
  - spreed: 17.1.3
  - survey_client: 1.15.0
  - systemtags: 1.17.0
  - text: 3.8.0
  - theming: 2.2.0
  - theming_customcss: 1.15.0
  - twofactor_backupcodes: 1.16.0
  - twofactor_nextcloud_notification: 3.8.0
  - twofactor_totp: 9.0.0
  - twofactor_webauthn: 1.3.2
  - user_oidc: 1.3.5
  - user_status: 1.7.0
  - viewer: 2.1.0
  - workflowengine: 2.9.0
Disabled:
  - analytics: 4.9.4 (installed 4.9.4)
  - circles: 27.0.1 (installed 0.19.11)
  - dashboard: 7.7.0 (installed 7.3.0)
  - encryption: 2.15.0
  - files_external: 1.19.0 (installed 1.16.1)
  - firstrunwizard: 2.16.0 (installed 2.10.0)
  - nextcloud_announcements: 1.16.0 (installed 1.12.0)
  - notes: 4.8.0 (installed 4.8.0)
  - recommendations: 1.6.0 (installed 1.1.0)
  - support: 1.10.0 (installed 1.5.0)
  - suspicious_login: 5.0.0 (installed 5.0.0)
  - tasks: 0.15.0 (installed 0.15.0)
  - twofactor_admin: 4.1.9 (installed 4.1.9)
  - updatenotification: 1.17.0 (installed 1.13.0)
  - user_ldap: 1.17.0
  - weather_status: 1.7.0 (installed 1.1.0)

Nextcloud Signing status

No response

Nextcloud Logs

N/A

Additional info

No response

@isdnfan isdnfan added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Dec 29, 2023
@joshtrichards joshtrichards added feature: occ 28-feedback stale Ticket or PR with no recent activity privacy and removed stale Ticket or PR with no recent activity labels Dec 30, 2023
@nickvergessen
Member

For the record, we don't consider domains sensitive values, and in fact the overwrite.cli.url, TURN server and others are often helpful to indicate, or are the actual cause of, bugs in apps or configurations.

The serverinfo token and imaginary url however should be removed.

On that note please follow our security policy next time for reports like this https://github.com/nextcloud/server/blob/master/SECURITY.md and report at https://hackerone.com/nextcloud

@isdnfan
Author

isdnfan commented Jan 3, 2024

Thank you for your comment. In case I would report it via the security procedure in the future - I was under the impression this is not really sensitive, as the issue itself has existed for a long time already.

Definitely domains, IPs and hostnames are less sensitive than passwords. But all kinds of information should be treated the same. I don't see any good reason why dbhost, dbname, mail_smtphost and redis host are "sensitive" and trusted_domains and overwrite* are not.

From my experience in the help.nextcloud.com forum, people tend to mask this data - I think implementing this by default would be "expected".

@nickvergessen
Member

nickvergessen commented Jan 9, 2024

But all kinds of information should be treated the same. I don't see any good reason why dbhost, dbname, mail_smtphost and redis host are "sensitive" and trusted_domains and overwrite* are not.

Well, the bug reports we received where dbhost, dbname, mail_smtphost and redis host were the root cause are single digit. trusted_domains and overwrite.cli.url are quite regularly the root cause (multiple times per month) because people change their domain, misconfigure a proxy or other things. Also, quite regularly sub-paths cause issues in apps, and that is also helpfully visible with overwrite.cli.url.
So no, I don't think we need to handle them all the same way.

@isdnfan
Author

isdnfan commented Jan 9, 2024

I'm sorry, I have to disagree. Each piece of information removed from the config makes it harder to troubleshoot, but the current implementation, where trusted_proxies is sensitive and trusted_domains + overwritehost are not sensitive, makes no sense. The opposite is true.

I think this topic definitely requires a broader view. There is a valid requirement to understand the config from the system report, and at the same time users don't want to publish their system data in public places like the forum and GitHub. Maybe there is some good way to anonymize the data without losing the connections between different settings, e.g. replace only a part of the setting, e.g. the domain part of the FQDN - replacing cloud.nextcloud.com with cloud.<HIDDEN>.com keeps enough details for troubleshooting but improves privacy. The same could be done for internal hostnames and IPs - replacing 3-5 characters of the string for every possible config, e.g. redis host, db host, imaginary URL.
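
Added example (not part of the thread and not Nextcloud's code): a pre-posting filter for the JSON printed by occ config:list system that replaces the serverinfo token and preview_imaginary_url outright and applies the partial masking proposed in the comment above to overwritehost, overwrite.cli.url and trusted_domains. The key sets, function names and the sample report are assumptions constructed for this sketch.

```python
import json
from urllib.parse import urlsplit

REDACTED = "***REMOVED SENSITIVE VALUE***"
# Assumption: key names come from the issue's list; matching on the bare key
# name at any depth is this sketch's choice, not Nextcloud's mechanism.
SECRET_KEYS = {"token", "preview_imaginary_url"}                  # replaced whole
HOST_KEYS = {"overwritehost", "overwrite.cli.url", "trusted_domains"}  # masked

def mask_host(value):
    """cloud.nextcloud.com -> cloud.<HIDDEN>.com; scheme, port and sub-path stay.
    Userinfo and query strings are dropped rather than copied through."""
    try:
        parts = urlsplit(value if "://" in value else "//" + value)
        host, port = parts.hostname or "", parts.port
    except ValueError:               # malformed port or bracketed literal
        return REDACTED
    if not host or ":" in host:      # empty or IPv6: nothing safe to keep
        return REDACTED
    labels = host.split(".")
    if len(labels) >= 3:
        labels[1:-1] = ["<HIDDEN>"]  # keep first and last label (or octet)
    else:
        labels[0] = "<HIDDEN>"       # bare hostname or domain.tld
    scheme = parts.scheme + "://" if parts.scheme else ""
    suffix = f":{port}" if port else ""
    return f"{scheme}{'.'.join(labels)}{suffix}{parts.path}"

def sanitize(node, key=None):
    """Walk the report; list items inherit the key of the list that holds them."""
    if isinstance(node, dict):
        return {k: sanitize(v, k) for k, v in node.items()}
    if isinstance(node, list):
        return [sanitize(v, key) for v in node]
    if not isinstance(node, str) or node.startswith("***"):
        return node                  # non-strings and already-removed values
    if key in SECRET_KEYS:
        return REDACTED
    return mask_host(node) if key in HOST_KEYS else node

# Constructed sample report (documentation-range names and addresses).
SAMPLE = {"system": {
    "dbpassword": REDACTED,
    "trusted_domains": ["cloud.example.org", "192.0.2.10:8443"],
    "overwrite.cli.url": "https://cloud.example.org/nextcloud",
    "overwritehost": "cloud.example.org",
    "serverinfo": {"token": "constructed-token-value"},
    "preview_imaginary_url": "http://imaginary:9000",
    "loglevel": 1,
}}

if __name__ == "__main__":
    print(json.dumps(sanitize(SAMPLE), indent=4))
```

In the masked output, overwritehost, overwrite.cli.url and the first trusted_domains entry still visibly agree and the sub-path is preserved, which is the troubleshooting signal the maintainers asked to keep.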

@rakekniven
Member

Well, the bug reports we received where dbhost, dbname, mail_smtphost and redis host were the root cause are single digit. trusted_domains and overwrite.cli.url are quite regularly the root cause (multiple times per month) because people change their domain, misconfigure a proxy or other things. Also, quite regularly sub-paths cause issues in apps, and that is also helpfully visible with overwrite.cli.url.

@nickvergessen I think there is one big difference. The bug reports you (the company) receive are not public.
The reports we (the forum) receive are publicly visible.

@isdnfan
Author

isdnfan commented May 27, 2024

hopefully to be addressed with #45085
