Text app and Android Direct Editing permit creating data unencrypted within encrypted folders

[cyphunk]

I have the text app enabled. I create a new text file ("enc.md") within an encrypted folder. When I edit this file the data shows up in plain text on the server. I'm reporting this issue here rather than in the "text" app because the e2e encryption system should not permit storing of unencrypted data in encrypted folders, or should not allow apps to store data in them, or should at least note which files are actually encrypted

Steps to reproduce

• on android nextcloud app (3.10.1)
  • create new folder "Encrypted"
  • in files view change folder properties to encrypted
  • open Encrypted folder
  • press "+" and choose to create new text document "enc.md"
  • add some text to document
  • close document
• on server: cat data/user/files/Encrypted/enc.md
  • observe that plaintext data is shown

Expected behaviour

Any data stored in encrypted folder should appear encrypted on the server hard disk

Actual behaviour

cat data/_user_/files/Encrypted/enc.md shows plaintext data

Server configuration

Operating system: ubuntu 18.04

Web server: nginx 1.14.0-0ubuntu1.7

Database: whatever is in the docker hub nextcloud:18.0.2-fpm-alpine

PHP version: whatever is in the docker hub nextcloud:18.0.2-fpm-alpine

Nextcloud version: docker hub nextcloud:18.0.2-fpm-alpine

Updated from an older Nextcloud/ownCloud or fresh install: fresh

Where did you install Nextcloud from: docker hub nextcloud:18.0.2-fpm-alpine

Android app version: 3.10.1

[georgehrke]

@juliushaertl

[georgehrke]

@cyphunk Can you please use the issue template: https://github.com/nextcloud/server/blob/master/.github/ISSUE_TEMPLATE/Bug_report.md

open Encrypted folder

This step should not be possible. You should not be able to open encrypted folders in the web ui.

[cyphunk]

will correct to this format. BTW, it wasn't accessible in webui. that still remained true. enc.md file in encrypted folder was only accessible in android app. still, data on server stored unencrypted

[georgehrke]

What version of the Android app are you using?

[cyphunk]

3.10.1

[juliusknorr]

There seem to be actually two issues here:

• The text app should just not work with e2ee
• The mobile apps should not allow direct editing and creating files inside of e2ee folders

cc @tobiasKaminsky @marinofaggiana

[cyphunk]

hmm. can I submit this as a bug bounty? :)

[georgehrke]

• The text app should just not work with e2ee

@juliushaertl Any update here? :)

[juliusknorr]

@georgehrke Do you have any idea how i could check if a file or the parent folder is encrypted with e2e but not with SSE (since there the encrypted flag in the filecache would also be set)

[juliusknorr]

I didn't check in detail yet, but I would expect this could also cause issues when SSE and E2E are used in parallel:
https://github.com/nextcloud/end_to_end_encryption/blob/64d372ae558b894f667a280fb4e35343f760de3e/lib/EncryptionManager.php#L100

[joshtrichards]

• Android client was fixed in Limit online editing/streaming when e2e android#5798 long ago

• Irrelevant on the desktop client

• iOS has similar implementation as Android here so good: https://github.com/nextcloud/ios/blame/2a9b9d80eeef6d3d564b4e0dc07f744b0d88a718/iOSClient/Menu/AppDelegate%2BMenu.swift#L61

• Text app - don't see it, but if anything is still needed really seems like this should be a Files enforced thing (e.g. Ommit showing E2EE files/folders in webUI server#41558). I think it was like this for a time, but may have been reverted a bit... Maybe by Allow interaction with encrypted folders server#36223. I guess some extra checks in case a client tries to do something weird in direct mode could make sense as a second layer of protection too.

[ph00lt0]

You are completely addressing this in the wrong way @joshtrichards. I really have to comment this. Not because I believe it will help now. But you really need better architects and management at Nextcloud.

This is yet another security flaw in e2ee offering of Nextcloud. A folder designated for e2ee files should never allow to store anything but e2ee encrypted files thus should only allow writes and reads via an service for this. It should by design not be possible to write or read from this folder in a different way.
This issue would probably have never occurred when propper sanitization was taking place in apps and it's apis were tested with unit tests.