From e8d8c9e30fd7ca2666b31674f3a20e9de6168724 Mon Sep 17 00:00:00 2001 From: "Sebastian L." Date: Wed, 28 Aug 2024 07:43:18 +0200 Subject: [PATCH] Fix for https://github.com/crowdsecurity/hub/issues/1102 --- parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.md | 2 ++ parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml | 1 + 2 files changed, 3 insertions(+) diff --git a/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.md b/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.md index 4a98be19127..7d19254ad48 100644 --- a/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.md +++ b/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.md @@ -23,6 +23,8 @@ When previews are missing for files in the trash bin, a 404 error is returned wh In rare cases HTTP Probing will be triggered when opening multiple folders quickly, Nextcloud checks for a ``readme.md`` file and if it doesn't exist a 404 error is thrown. +Auto uploading files (synchronizing and checking for existing files) from mobile clients authenticated with app token returns 403 on '/remote.php/dav/files/FILENAME' when checking for existing files. + --- ### Creating files via WebDAV When uploading files via WebDAV, a PROPFIND request is sent to the server, which returns 404 if the file does not diff --git a/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml b/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml index 8014e9ec29c..cc4ee575c20 100644 --- a/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml +++ b/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml @@ -16,3 +16,4 @@ whitelist: - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '\\/apps\\/files\\/api\\/v1\\/thumbnail\\/(\\d+)/(\\d+)' - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/bookmarks/bookmark' && (evt.Meta.http_path endsWith 'favicon' || evt.Meta.http_path endsWith 'image') #When loading NC bookmarks: some entries might have no favicon or no image - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/bookmarks/folder' && evt.Meta.http_path endsWith 'publictoken' #When loading NC bookmarks: private folders have no publictoken + - evt.Meta.http_status in [ '403', '404' ] && evt.Meta.http_verb in [ 'HEAD', 'GET' ] && evt.Meta.http_path startsWith '/remote.php/dav/files' #Auto uploading files (synchronizing, checking for existing files) from mobile nextcloud clients authenticated with app token