File access control rules not enforced on image files

1. Installed Nextcloud from Snap package (version 13.0.2snap1, revision 6916) on fresh Ubuntu 18.04 LTS install. 2. Installed and enabled Files access control (v1.3.0) and Files automated tagging (v1.3.0) apps. 3. As an administrator created an invisible collaborative tag `Secret`. 4. Added Files automated tagging rule to add the `Secret` tag for all files with user membership of `admin` group. 5. Added Files access control rule restricting the access for all files with the `Secret` tag and user who is not a member of `admin` group. 6. Created unprivileged user `user`. 7. Accessed the `admin` account from WebDAV interface (in order to avoid generating automatic file previews) and created the following files/folders on the server: ``` folder: Secret_Folder folder: Secret_Folder/Secret_Subfolder file: Secret_Folder/Secret_Subfolder/Secret_Picture.jpeg file: Secret_Folder/Secret_Subfolder/Secret_Text.txt ``` 8. Shared the `Secret_Folder` from `admin` user to the unprivileged user `user` with no edit rights. 9. From client computer authorized as the unprivileged user `user` and used WebDAV search to recursively list all files with their MIME types with the following `curl` command: {F302611}. This command downloaded the list of all shared files as an xml file: {F302614}. 10. Identified an image file `Secret_Folder/Secret_Subfolder/Secret_Picture.jpeg` from the file list and accessed its contents through files preview API with the following `curl` command: ``` curl -u user 'https://test.frp.lv/index.php/apps/files/api/v1/thumbnail/1212/750/Secret_Folder/Secret_Subfolder/Secret_Picture.jpeg' -H 'Content-Type: application/x-www-form-urlencoded' > Secret_Picture.jpeg ``` ## Impact 1. The unauthorized attacker can list all files recursively for an unlimited depth, even if explicitly denied by `Files access control` rules. 2. The unauthorized attacker can view the contents of all denied image files up to their maximum resolution. It is up to the attacker to choose the required image resolution (1024 x 768 in the example) and construct corresponding `GET` query through image preview API. Note that it is not even required for the file owner to use web interface and preview the protected image files before the attack. The corresponding image preview files are generated on the server upon the request of the attacker. 3. If the file owner has logged in Nextcloud web interface and browsed the protected files, thus automatically rendering thumbnail previews, it also becomes possible for the attacker to access previews of protected text files with the following `curl` command referencing the text file from the example, choosing 4096x4096 resolution: ``` curl -u user 'https://test.frp.lv/index.php/apps/files/api/v1/thumbnail/4096/4096/Secret_Folder/Secret_Subfolder/Secret_Text.txt' -H 'Content-Type: application/x-www-form-urlencoded' > Secret_Text.png ``` The obtained preview image can contain critical information that should have been protected - see example of downloaded preview below: {F302628}