Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Whitelist nextcloud resharing scanning readme with PROPFIND #1221

Merged
merged 2 commits into from
Feb 3, 2025
+5 −0
Merged

Whitelist nextcloud resharing scanning readme with PROPFIND #1221

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7a35db0
Add resharing whiteliste expression
Glandos Jan 19, 2025
9984613
Explain resharing issue
Glandos Jan 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.md
View file
Original file line number Diff line number Diff line change
@@ -30,6 +30,10 @@ exist. Then the file is created. Uploading more than 10 files at a time will tri

When syncing large amount of files via WebDAV, it could trigger http-probing so the expression also whitelists 200 response codes.

---
### Reshares via federation
When shared files via federation are reshared, the federated instance can scan each directory to find `readme.md` file with a `PROPFIND`, even if it doesn't exist.

---
### Trashbin
Whilst browsing deleted files in the trashbin, a 404 error is thrown when a file has no preview thumbnail. This can trigger http-probing.
1 change: 1 addition & 0 deletions parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml
View file
Original file line number Diff line number Diff line change
@@ -9,6 +9,7 @@ whitelist:
- evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/photos/api/v1/preview' && evt.Parsed.http_args contains 'x' && evt.Parsed.http_args contains 'y' #Photo app loads all previews as small panes, but can 404
- evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.request contains '/core/preview' && evt.Parsed.http_args contains 'x=' && evt.Parsed.http_args contains 'y=' && evt.Parsed.http_args contains 'fileId=' #File preview often 404s while searching
- evt.Meta.http_status in ['404', '200'] && evt.Meta.http_verb in ['PROPFIND', 'GET'] && evt.Meta.http_path matches '^/remote.php/(web)?dav/' #Uploading new files via WebDAV always produces a 404
- evt.Meta.http_status == '404' && evt.Meta.http_verb == 'PROPFIND' && evt.Parsed.file_dir startsWith '/public.php/webdav/' && lower(evt.Parsed.file_name) in ['readme.md', 'lisez%20moi.md'] # Resharing scans for readme to check existence
- evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '/apps/mail/api/avatars/(url|image)/' #When loading mail contacts the avatars may get 404
- evt.Meta.http_status == '200' && evt.Parsed.static_ressource == 'false' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/photos/api/v1/preview' && evt.Parsed.http_args contains '&x=' && evt.Parsed.http_args contains '&y=' && evt.Parsed.http_args contains 'etag=' #When loading multiple images inside Nextcloud Photos, HTTP Crawl non statics is triggered since the images look like dynamic assets.
- evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.request == '/ocs/v2.php/apps/text/workspace' && evt.Parsed.http_args contains 'path=%2F' #When opening folders in Nextcloud Files that don't contain a readme.md 404 error is thrown