Moderation of File-Drop Uploads

We want to use File-Drops so citizens can send us files, but I am concerned about possible abuse with this being public-facing. I’ll outline both of my concerns and would appreciate pointers as to which systems I can use to prevent them.

Malicious actor uploads loads of junk files to our link.
To stop the server from overcrowding, a storage quota can help, and auto-deletion of old files can prevent the server from refusing further genuine uploads. But critically, I do not see an automatic way to stop the uploading itself; maybe it’s possible to put limits on each IP’s upload capacity in a given timeframe?
A password would quickly lose effectiveness as we’d have to give it out readily to citizens. Maybe a rolling password that changes every week, but idk how to accomplish that, and that would worsen the system’s usability significantly.

Malicious actor sends unsafe data
Any file would be double- or triple-checked for malware and such, but detecting other illegal or unsafe content may be difficult; I don’t think Recognize can handle detection of NSFW images and videos, for example.

If anyone has ever set up such a content-moderation system, I’d love to hear how you did it.

I think this happens far less often than you imagine. If you use the new “request files” function of Nextcloud 30, all files of a person or a browser (cookie) are loaded into a separate folder. This makes it clearer and you can sort the folders by size and date to recognise misuse more quickly.

Request files

Need to collect files in a secure way from one or more users? Meet File Request, a feature that lets you request files with configurable security settings and tracking features. […]

Be connected with Nextcloud Hub 9 - Nextcloud
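
The triage described in the reply above (sorting per-uploader folders by size and date) can be scripted. This is an added example, not part of the thread or of Nextcloud; it assumes the file request writes one subfolder per uploader, and the thresholds, folder names and sample files are constructed for illustration.

```python
import tempfile
import time
from pathlib import Path


def summarize_uploads(root, max_bytes, max_files):
    """Return one record per uploader subfolder, largest first, with flags."""
    rows = []
    for sub in sorted(Path(root).iterdir()):
        if not sub.is_dir():
            continue  # loose files in the root belong to no uploader folder
        files = [p for p in sub.rglob("*") if p.is_file()]
        total = sum(p.stat().st_size for p in files)
        newest = max((p.stat().st_mtime for p in files), default=0.0)
        flags = []
        if total > max_bytes:
            flags.append("size")
        if len(files) > max_files:
            flags.append("count")
        rows.append({"folder": sub.name, "bytes": total, "files": len(files),
                     "newest": newest, "flags": flags})
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)


def build_sample(root):
    """Constructed sample: two ordinary uploaders and one flooding the share."""
    layout = {"alice": [2000], "bob": [500, 700], "junk": [4000] * 12}
    for name, sizes in layout.items():
        folder = Path(root) / name
        folder.mkdir()
        for i, size in enumerate(sizes):
            (folder / f"file{i}.bin").write_bytes(b"\0" * size)


def demo():
    """Run the summary over the constructed sample with illustrative limits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return summarize_uploads(root, max_bytes=10_000, max_files=10)


if __name__ == "__main__":
    for r in demo():
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(r["newest"]))
        flags = ",".join(r["flags"]) or "-"
        print(f'{r["folder"]:10} {r["bytes"]:>8} B {r["files"]:>3} files  {stamp}  {flags}')
```

The script only reads the directory, so it can run from a scheduled job against the folder that receives the uploads and mail the flagged rows to whoever reviews them.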

I was not aware of that new feature, that sounds a lot better than the previous file-drop links, being organised and all. As for prevalence, I’d like to be on the safe side when opening parts of our storage to the internet, as well as in the interest of protecting our workers, but you’re right that this isn’t a big deal and if it does end up not being possible it won’t be a problem.

I think if you use a separate user with a quota or maybe even a separate Nextcloud, this should also be possible. Are employees allowed to create shares via the internet for uploading? Then you practically have the same problem.

In case a Nextcloud programmer is reading along. An increase in security could possibly be achieved via a whitelist with permitted HTTP_REFERER. Then you could initiate the upload via a separate page e.g. on your homepage after a pseudo-registration with e-mail. The HTTP_REFERER can of course also be manipulated.

I’m mainly thinking about the more permanent shares that we’ll set up for specific public services, as those links are publicly available and thus can be subject to juvenile pranks and other such shenanigans.
Using File-Request on a separate user with their own quota sounds safe enough, although forcing the uploader to provide an e-mail would be great, so we can more easily link people to their uploads. I’ll look into the separate page with the referer, but that’s likely beyond our scope since we have no web-developers.

A Nextcloud app for HTTP_REFERER does not exist. Maybe the Nextcloud app Guests is an alternative. Then the user must register with e-mail and password (video). But I think anonymous registration and uploads are not possible there. I think you first need the e-mails of the users. So it probably doesn’t solve your problem.

I was thinking of suggesting something similar: that you can ask for a download link and it sends it by mail, so you can associate a mail address (unless, in certain cases, you don’t want to do that). (And in the end you could even send a confirmation of which file was uploaded, together with a checksum.)

I went through the apps a bit; I thought it should be possible to use the workflow so that you can enforce certain file types and file sizes, so you reduce misuse.

I used different browsers in private mode, and everything ends up in the same folder. Not sure if I missed some configuration option.

Shares labeled with an e-mail can be used by everyone who knows the URL.

Look at the browser dev tools. I think there you will find the input username for the file request.