Finding where dead links used to point?

Highview-Lucas · May 16, 2023, 5:13am

Hi There!

We’ve had nextcloud in our organisation for a few years now, and over time link to “folders in the cloud” have wound up in process documentation.

We’ve recently had an incident where an outgoing staff member has provided “everything you need” to an incoming staff member, in the form of a link to something ion our nextcloud server.

However, the link no longer works. If I can, I’d like to be able to work out what the link should have been / used to point to, and if needed, recover it from a backup or whatever needs to be done.

all i have is a link to https://our.nextc.oud.server/s/ZqWMJwWHRCmQitA - is there some way to find what that used to link to?

devnull · May 16, 2023, 6:00am

I think the easiest way is to search in the database dumps from your Nextcloud backups. You must not recover the database. Only read the datase with a text editor or use grep.

There you can find something like this if you search your share ZqWMJwWHRCmQitA. And in the additional file backup from this date you find the content of the original folder or file.

LOCK TABLES oc_share WRITE;
/*!40000 ALTER TABLE oc_share DISABLE KEYS /;
INSERT INTO oc_share VALUES
…
(13,3,NULL,NULL,‘username’,‘username’,NULL,‘folder’,‘6096’,NULL,6096,‘/Path/to/Folder’,17,1684216466,0,NULL,‘ZqWMJwWHRCmQitA’,0,NULL,0,NULL,0,‘’,NULL,NULL);
…
/!40000 ALTER TABLE oc_share ENABLE KEYS */;
UNLOCK TABLES;

In the future maybe you can better use named shares e.g. with the App ShareRenamer or Configurable Share Links.

ernolf · May 16, 2023, 11:23pm

I wrote a script for such routines (share analysis). It’s written for MySQL databases, so it doesn’t work with PostgreSQL and SQLite. So if your installation corresponds to that, you could try this steps to search your database for the old track:

Download the script and make it executable:

sudo wget -qO /usr/local/bin/nc-shares https://global-social.net/script/nc-shares
sudo chmod +x /usr/local/bin/nc-shares

You can call the help with -h or –help.

But to come to the point, you can search for your share token and to what it once belonged with this command:

sudo nc-shares all | grep -B 6 -A 1 ZqWMJwWHRCmQitA

It may well take a while before it shows the result because it has to work through some heavy database queries.

Much luck

Highview-Lucas · May 17, 2023, 1:33am

Awesome, I’ll give these a whirl shortly!

devnull · May 17, 2023, 5:58am

@ernolf
Cooles Script. Nachteil ist nur, dass die Daten innerhalb der Datenbank vorliegen müssen.

@Highview-Lucas
Innerhalb des Datenbank-Dumps (also direkt aus dem Backup) kannst du z. B. nach allen 15-stelligen alphanumerischen Werten suchen. Das sollten bis auf seltene Ausnahmen (15-stellige Datei- und Verzeichnisnamen) alle Freigaben sein.

grep -E '[[:alnum:]]{15}' backup.sql |cut -d "," -f5,8,12,17
‘username’,‘folder’,‘/Path/to/Folder’,‘ZqWMJwWHRCmQitA’

ernolf · May 17, 2023, 10:00am

Ja. das liegt ganz einfach daran, dass mir dieser Usecase bisher noch nicht vorlag.

Ich versuche es mal dahingehend zu erweitern, dass es wahlweise direkt aus einer beliebigen sql.dump-Datei auslesen kann. Es wird aber wesentlich langsamer sein, aber in solchen fast schon “forensischen Fällen” macht das nichts aus
Wie ich es machen muss ist mir schon klar, ich muss das einfach erst mal ausprobieren.

devnull · May 17, 2023, 10:42am

@ernolf
Others and me are already looking forward to it.

@Highview-Lucas
Sorry i wrote in german and not in english. Here the english version:

Within the database dump (i.e. directly from the backup), you can search for all 15-digit alphanumeric values, for example. This should be all shares except for rare exceptions (15-digit file and directory names).

grep -E '[[:alnum:]]{15}' backup.sql |cut -d "," -f5,8,12,17
‘username’,‘folder’,‘/Path/to/Folder’,‘ZqWMJwWHRCmQitA’