Enumeration of email adresses is possible

[tbsbdr]

Describe the bug

A clear and concise description of what the bug is.

Steps to reproduce

1. open share panel and type "alb"
2. email adress of albert is exposed
3. Enumeration of email adresses is possible

Expected behavior

email adresses of users can not be enumerated

• remove email adress so that it complies with GDPR (remove from get user and search using graphapi)
• show username (eg. alb.einstein) next to display name so that users can be identified uniquely

Actual behavior

• Enumeration of email adresses is possible

relates to
https://github.com/owncloud/enterprise/issues/6516

Implementation detail

• fix for OCS and graph

[kulmann]

Needs backend enhancement. Ocis should send a configurable attribute in the "additionalAttributes" sharee field. Actually no code change in web needed.

[JammingBen]

Needs backend enhancement. Ocis should send a configurable attribute in the "additionalAttributes" sharee field. Actually no code change in web needed.

This is true for the OCS API, with sharing NG we need to adjust some things though. There is no such thing as additionalAttributes anymore, we go for a user's email directly instead (which we need to change now).

@tbsbdr Any objections moving this issue to the oCIS repo? This is just a tiny change for Web, but a bit more work on the server side. IMO it fits there.

[kulmann]

Ah cool, thanks for clarifying!

[micbar]

Needs fix on ocs and backport to 5.0

[dragonchaser]

@tbsbdr should this be a configuration switch to choose whether the mail should be shown/searchable or not? I could imagine that being able to search people by e-mail could be desirable in some enterprise environments.

[tbsbdr]

Yes, agreed. Making ist configurable would ne Cherry in top. Default should be the "Safe path" - No email

[dragonchaser]

fixed in master, backport incoming

[dragonchaser]

@JammingBen is it working for you to use the additionalAttributes again?

[JammingBen]

@JammingBen is it working for you to use the additionalAttributes again?

I don't quite understand, what do you mean by "use it again"? 😅

In the OCS API, the shareWithAdditionalInfo prop just needs to replace the email with the username for Web to display it correctly. In graph I think you just mask the mail property in the response? Web then goes for the onPremisesSamAccountName instead I suppose.

[dragonchaser]

@JammingBen from your comment above I assumed you have replaced using the shareWithAdditionalInfo by an explicit call that retrieves the user emailadresse.

[JammingBen]

Ah no, but the endpoint for retrieving users to share a file with has been changed with sharing NG. Web is using graph/v1.0/users for that. And since it doesn't return shareWithAdditionalInfo, Web currently uses the mail prop (onPremisesSamAccountName in the future then).

[dragonchaser]

Ok then this needs to be adapted aswell. Thx for clarifying, will look into that on tuesday.

[dragonchaser]

@JammingBen should we do seperate backports to 5.0 or do a all-in-one including the changes to web?

[JammingBen]

Web actually doesn't need a backport since the old version only relies on the shareWithAdditionalInfo property. Meaning if this now contains the username instead of the email, Web is totally fine with it.

[dragonchaser]

Merged in Master, backport in progress, currently blocked until cs3org/reva#4609 is merged

[dragonchaser]

All backports done, just needs a new ocis release for the backports, can we close this?

[micbar]

Released with ocis 5.0.1.

[ScharfViktor]

tested on stable-5.0 branch

• by default: OCIS_SHOW_USER_EMAIL_IN_RESULTS=true that matches docs https://doc.owncloud.com/ocis/5.0/deployment/services/s-list/frontend.html - ✅

start ocis with OCIS_SHOW_USER_EMAIL_IN_RESULTS=false:

• no email in the sharees response
  GET https://localhost:9200/ocs/v2.php/apps/files_sharing/api/v1/sharees?search=mar ✅
• but recipient email is exist in the shares response
  POST https://localhost:9200/ocs/v1.php/apps/files_sharing/api/v1/shares ❌

- recipient email is exist in the Access details: ❌ - recipient's email is available using the graph endpoints ❌