
Broken-link finder: false positives and privacy leak

Open yuv opened this issue 3 years ago • 3 comments

Describe the bug

Broken-link finder "feature" is a privacy leak, and also reports false positives when the bookmarked page is behind bot-protection.

To Reproduce

  1. Create a bookmark to a bot-protected page (e.g. DHL packet tracking) or to a server under your control
  2. Wait for the valid DHL bookmark to be wrongfully declared broken
  3. Watch your server's log for the leak and imagine how that information could be used, especially if the server is a private instance

Expected behavior

  • There should be a binary flag setting to check for broken links.
  • Default: do not check (false)
  • Ideally, there are three flags, at three levels: instance/admin, user, bookmark
  • Logic: only trigger broken-link checking if all three are set to true
  • The same logic should control any other server-side bookmark-enrichment: no server-side fetching of external resources/URL without explicit permission. This should be a fundamental rule for the whole of Nextcloud. I have not checked, but probably there are tons of places where the server leaks information about its existence.

Development/prioritization: if there are not enough resources to implement the full logic, highest priority should be given to instance/admin level (start plugging the privacy leak when an admin wants to keep the server's existence private); and if there are not enough resources to implement a front-end switch, make it a manual config file edit and document it (probably worth doing as a first quick fix).

Server (please complete the following information):

  • Nextcloud version: 23.0.6
  • Bookmarks app version: 10.5.1

yuv avatar Jun 24 '22 21:06 yuv

There is an admin setting that is disabled by default and can be enabled to allow network access.

marcelklehr avatar Jun 25 '22 11:06 marcelklehr

Thanks for the comment. I have admin privileges and I cannot find the admin setting. Can you describe where that admin setting is, starting from the Dashboard webpage? I am also pretty sure that I never touched that admin setting (not knowing where it is), yet at https://IP.AD.R.ESS/apps/bookmarks/ the server indicates that some links are broken. They are not.

yuv avatar Jun 27 '22 03:06 yuv

You can go from any page on Nextcloud, on the top right, to Settings -> then in the list on the left to Bookmarks -> on the top of the screen is the privacy setting.

marcelklehr avatar Jun 29 '22 18:06 marcelklehr

The LinkExplorer uses a default value of true for enableScraping: https://github.com/nextcloud/bookmarks/blob/master/lib/Service/LinkExplorer.php#L36 Other components, e.g., the CrawlJob, use the (correct) default of false.

Diff-fusion avatar Oct 10 '22 12:10 Diff-fusion
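The following PHP script is an added example, not code from the Bookmarks app or from anyone in this thread. It models the three-level opt-in gate the issue asks for (instance/admin, user and bookmark must all be enabled before the server fetches an external URL) and then reproduces, with the same helper, the default-value discrepancy Diff-fusion points out: reading an untouched flag with a default of `true` lets a component fetch even though the admin never enabled network access, while a default of `false` fails closed. The config key names, the plain array standing in for the app's config store, and the function names `readFlag` and `mayFetchExternal` are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Bookmarks app. Models the opt-in gate
// requested in the issue: an external URL may be fetched server-side only
// when the instance/admin, user and bookmark switches are ALL explicitly
// enabled. The config key names are assumptions, as is the plain array
// standing in for the app's config store (values kept as strings, the way
// app config values are usually stored).

/**
 * Read a boolean flag from the config store.
 * A missing key resolves to $default; $default must be false for every
 * privacy-relevant flag so that an untouched setting never grants access.
 */
function readFlag(array $config, string $key, bool $default = false): bool
{
    if (!array_key_exists($key, $config)) {
        return $default;
    }
    // Accepts 'true'/'false', '1'/'0', 'yes'/'no', 'on'/'off'; anything else is false.
    return filter_var($config[$key], FILTER_VALIDATE_BOOLEAN);
}

/** Three-level gate: every level must opt in; no level can stand in for a missing one. */
function mayFetchExternal(array $config, string $userId, int $bookmarkId): bool
{
    return readFlag($config, 'privacy.enableScraping')              // instance/admin
        && readFlag($config, "user.$userId.enableScraping")          // user
        && readFlag($config, "bookmark.$bookmarkId.enableScraping"); // bookmark
}

// Constructed sample store: admin and user alice opted in; bookmark 7 opted in,
// bookmark 8 explicitly did not, bookmark 9 has no setting at all.
$store = [
    'privacy.enableScraping'    => 'true',
    'user.alice.enableScraping' => 'true',
    'bookmark.7.enableScraping' => 'true',
    'bookmark.8.enableScraping' => 'false',
];

$checks = [
    // [expected, actual, description]
    [true,  mayFetchExternal($store, 'alice', 7), 'all three levels opted in'],
    [false, mayFetchExternal($store, 'alice', 8), 'bookmark opted out'],
    [false, mayFetchExternal($store, 'alice', 9), 'bookmark never opted in'],
    [false, mayFetchExternal($store, 'bob',   7), 'user never opted in'],
    [false, mayFetchExternal([],     'alice', 7), 'admin never touched the setting'],
];

// The defect Diff-fusion describes, reproduced with the same helper: on an
// untouched store, a component that defaults the admin flag to true fetches
// anyway, while one that defaults to false stays silent.
$checks[] = [true,  readFlag([], 'privacy.enableScraping', true),  'default true: fetches although admin never opted in (the bug)'];
$checks[] = [false, readFlag([], 'privacy.enableScraping', false), 'default false: fails closed'];

foreach ($checks as [$expected, $actual, $what]) {
    if ($expected !== $actual) {
        fwrite(STDERR, "FAIL: $what\n");
        exit(1);
    }
    echo "ok: $what\n";
}
```

Run it with `php gate.php`; it exits non-zero on the first check that does not hold. The point of the gate is that every level reads with a default of `false`, so a flag nobody has set can never be the reason an outbound request happens; that is exactly the property a `true` default in one component silently breaks.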

Thank you @Diff-fusion I'll fix this immediately.

marcelklehr avatar Oct 10 '22 12:10 marcelklehr