[Bug]: generate system report doesn't remove all sensitive values #42530
Closed
Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
When looking for support, an admin is expected to run https://cloud.tld/settings/admin/support > [Generate system report]. This report lists different settings and installed apps. It also replaces sensitive values like passwords with the predefined string "REMOVED SENSITIVE VALUE".
In NC27 and NC28 (likely all versions) some sensitive values remain unchanged. These are:
- overwritehost
- overwrite.cli.url
- trusted_domains
- serverinfo > token (used to access system metrics without user)
- preview_imaginary_url
- TURN servers (maybe STUN as well - not used in my installation)
Steps to reproduce
- access https://cloud.tld/settings/admin/support
- click on [Generate system report]
- review the report
The command-line tool occ config:list system has the same flaw.
Expected behavior
Please include the mentioned values in the replacement mechanism to avoid leaking sensitive data.
Installation method
Community Docker image
Nextcloud Server version
28
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Upgraded to a MAJOR version (ex. 22 to 23)
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
{
  "system": {
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
      "***MANUALLY REMOVED SENSITIVE VALUE***"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "27.1.4.1",
    "overwrite.cli.url": "***MANUALLY REMOVED SENSITIVE VALUE***",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "htaccess.RewriteBase": "\/",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "apps_paths": [
      {
        "path": "\/var\/www\/html\/apps",
        "url": "\/apps",
        "writable": false
      },
      {
        "path": "\/var\/www\/html\/custom_apps",
        "url": "\/custom_apps",
        "writable": true
      }
    ],
    "overwritehost": "***MANUALLY REMOVED SENSITIVE VALUE***",
    "overwriteprotocol": "https",
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "loglevel": 1,
    "mail_smtpmode": "smtp",
    "mail_smtpsecure": "ssl",
    "mail_sendmailmode": "smtp",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauthtype": "PLAIN",
    "mail_smtpauth": 1,
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "465",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "app_install_overwrite": [
      "joplin",
      "twofactor_webauthn",
      "twofactor_admin",
      "groupfolders",
      "impersonate",
      "sharelisting"
    ],
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
      "host": "***REMOVED SENSITIVE VALUE***",
      "password": "***REMOVED SENSITIVE VALUE***",
      "port": 6379
    },
    "theme": "",
    "default_phone_region": "CH",
    "allow_local_remote_servers": true,
    "serverinfo": {
      "token": "***MANUALLY REMOVED SENSITIVE VALUE***"
    },
    "session_keepalive": "true",
    "memories.exiftool": "\/var\/www\/html\/custom_apps\/memories\/bin-ext\/exiftool-amd64-glibc",
    "preview_max_x": "1400",
    "preview_max_y": "800",
    "preview_max_scale_factor": "1",
    "jpeg_quality": "60",
    "memories.vod.path": "\/var\/www\/html\/custom_apps\/memories\/bin-ext\/go-vod-amd64",
    "enabledPreviewProviders": [
      "OC\\Preview\\MP3",
      "OC\\Preview\\TXT",
      "OC\\Preview\\MarkDown",
      "OC\\Preview\\OpenDocument",
      "OC\\Preview\\Krita",
      "OC\\Preview\\Imaginary"
    ],
    "preview_concurrency_all": "12",
    "preview_concurrency_new": "8",
    "preview_imaginary_url": "***MANUALLY REMOVED SENSITIVE VALUE***",
    "log_rotate_size": 52428800
  }
}
List of activated Apps
Enabled:
- activity: 2.19.0
- admin_audit: 1.17.0
- bookmarks: 13.1.1
- bruteforcesettings: 2.7.0
- calendar: 4.6.0
- cfg_share_links: 4.2.0
- cloud_federation_api: 1.10.0
- comments: 1.17.0
- contacts: 5.4.2
- contactsinteraction: 1.8.0
- dav: 1.27.0
- federatedfilesharing: 1.17.0
- federation: 1.17.0
- files: 1.22.0
- files_accesscontrol: 1.17.1
- files_pdfviewer: 2.8.0
- files_reminders: 1.0.0
- files_rightclick: 1.6.0
- files_sharing: 1.19.0
- files_trashbin: 1.17.0
- files_versions: 1.20.0
- forms: 3.4.2
- groupfolders: 15.3.1
- impersonate: 1.14.0
- logreader: 2.12.0
- lookup_server_connector: 1.15.0
- mail: 3.4.6
- maps: 1.1.1
- memories: 6.1.5
- notifications: 2.15.0
- notify_push: 0.6.5
- oauth2: 1.15.1
- password_policy: 1.17.0
- photos: 2.3.0
- polls: 5.4.2
- previewgenerator: 5.4.0
- privacy: 1.11.0
- provisioning_api: 1.17.0
- recognize: 5.0.3
- related_resources: 1.2.0
- richdocuments: 8.2.3
- serverinfo: 1.17.0
- settings: 1.9.0
- sharebymail: 1.17.0
- shareimporter: 1.1.0
- sharelisting: 1.2.0
- snappymail: 2.30.0
- spreed: 17.1.3
- survey_client: 1.15.0
- systemtags: 1.17.0
- text: 3.8.0
- theming: 2.2.0
- theming_customcss: 1.15.0
- twofactor_backupcodes: 1.16.0
- twofactor_nextcloud_notification: 3.8.0
- twofactor_totp: 9.0.0
- twofactor_webauthn: 1.3.2
- user_oidc: 1.3.5
- user_status: 1.7.0
- viewer: 2.1.0
- workflowengine: 2.9.0
Disabled:
- analytics: 4.9.4 (installed 4.9.4)
- circles: 27.0.1 (installed 0.19.11)
- dashboard: 7.7.0 (installed 7.3.0)
- encryption: 2.15.0
- files_external: 1.19.0 (installed 1.16.1)
- firstrunwizard: 2.16.0 (installed 2.10.0)
- nextcloud_announcements: 1.16.0 (installed 1.12.0)
- notes: 4.8.0 (installed 4.8.0)
- recommendations: 1.6.0 (installed 1.1.0)
- support: 1.10.0 (installed 1.5.0)
- suspicious_login: 5.0.0 (installed 5.0.0)
- tasks: 0.15.0 (installed 0.15.0)
- twofactor_admin: 4.1.9 (installed 4.1.9)
- updatenotification: 1.17.0 (installed 1.13.0)
- user_ldap: 1.17.0
- weather_status: 1.7.0 (installed 1.1.0)
Nextcloud Signing status
No response
Nextcloud Logs
N/A
Additional info
No response
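A pre-share check for the report described in this issue, as an added example (not part of the original issue and not Nextcloud code): it masks the `system` keys the reporter lists as unredacted in the JSON from `occ config:list system` and returns which of them were still in clear text. The function names and the sample values are assumptions; the TURN/STUN entries are not covered because their key names are not given on the page.

```python
import copy
import json

PLACEHOLDER = "***REMOVED SENSITIVE VALUE***"

# Keys under "system" that the issue lists as left in clear text. Paths are
# tuples, not dotted strings, because "overwrite.cli.url" is a single key.
LEAKY_PATHS = [
    ("overwritehost",), ("overwrite.cli.url",), ("trusted_domains",),
    ("serverinfo", "token"), ("preview_imaginary_url",),
]


def mask(value):
    """Replace a value with the placeholder, keeping list/dict shape."""
    if isinstance(value, list):
        return [mask(v) for v in value]
    if isinstance(value, dict):
        return {k: mask(v) for k, v in value.items()}
    return PLACEHOLDER


def scrub_report(report, paths=LEAKY_PATHS):
    """Return (scrubbed copy, paths that were still in clear text)."""
    scrubbed = copy.deepcopy(report)
    leaked = []
    for *parents, leaf in paths:
        node = scrubbed.get("system", {})
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
        if not isinstance(node, dict) or leaf not in node:
            continue  # key not configured on this instance
        if mask(node[leaf]) != node[leaf]:  # not already redacted
            leaked.append(" > ".join([*parents, leaf]))
            node[leaf] = mask(node[leaf])
    return scrubbed, leaked


# Constructed sample in the shape of the report above; values are invented.
SAMPLE = json.loads("""{"system": {
  "trusted_domains": ["cloud.example.test", "10.0.0.5"],
  "overwrite.cli.url": "https://cloud.example.test",
  "overwritehost": "***REMOVED SENSITIVE VALUE***",
  "serverinfo": {"token": "constructed-token"},
  "loglevel": 1}}""")

if __name__ == "__main__":
    clean, leaked = scrub_report(SAMPLE)
    print("still in clear text:", leaked, json.dumps(clean, indent=2), sep="\n")
```

A non-empty second return value means the report as generated would have exposed those keys; share only the scrubbed copy.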