Add administrator function to disable ZIP downloads of folders

[GoetheG]

Hey everybody,

As a security precaution I find it important to have the administrator function to disable ZIP downloads of folders. The way I see it, the administrator should be also able to monitor who's using the ZIP function

I know, there are plenty of other ways to bypass this security function I mentioned. But this would at least avoid massive data theft by people with limited understanding for software.

Take a look at this discussion here: https://github.com/owncloud/core/issues/16370

Keep up with the good work, guys!

Yours

Phillip

[c0fe]

It seems like a good idea at first but then again it will do very little to stop someone with intentions to steal the information. Considering that the user would have access to simply sync this with one of their hard drives especially an external one so that they can move this out.

The idea of adding the security and some sort of measures to prevent data theft would need to be thought further and we would have to check with what options exist on a range of operating systems.

[MorrisJobke]

I know, there are plenty of other ways to bypass this security function I mentioned. But this would at least avoid massive data theft by people with limited understanding for software.

Security by obscurity does very rarely work. If this is your only concern, then hide the button via CSS. Because there are people out there that are able to script the one file by another approach to fetch the shared (!!!) files anyways. So this does not add any security layer at all.

Beside the other ideas: I would rather ask to implement this as an app, that hooks into the sharing page and manipulates it to not allow the download via ZIP file if wanted. It can also hook into the sharing dialog to ask for this permission.

Thus I will close this in the server repo as we will not add it to the server directly but it should be implemented as app. If you need help with implementing it we are happy to assist.

[GoetheG]

I think it is important to have this option. Because there are always people I cannot trust and I want to be able to deactivate this option for registered users (not for file sharing).

Is there another option with a script or with some other setting?

[MorrisJobke]

I think it is important to have this option. Because there are always people I cannot trust and I want to be able to deactivate this option for registered users (not for file sharing).

Just as a little side note: this is then only hiding it. Because people could share the folder and download then as zip file 🙈

[GoetheG]

@MorrisJobke I know, and you are absolutely right. But it’s the same with website security. You cannot build a totaly secure website. But you can make it damn hard for the user to gain access.

For non profit organisations and also for businesses it’s vital to have secure access to data. I still think that’s crucial to have the option to completely deactivate ZIP downlods. The administrator should have this option. I mean, it’s possible to forbid users to use the desktop client via the file access control app. Why does this ZIP thing seem to be that big of an issue? I don’t understand that.

I work at an university and the guys there do also have precautions to prevent data loss. They do not want that working students may download stuff they shouldn’t. Just an example.

[MorrisJobke]

As this sounds like a nice feature, the requests for this are quite low. Currently there a no plans to implement such a feature. Thus I will keep this ticket closed for now. This does not mean we don't want this feature, but it is simply not on our roadmap for the near future. If somebody wants to implement this feature nevertheless we are happy to assist and help out. Best would be to implement this inside an app and disable the button via this.

If you wish to have this feature implemented by the Nextcloud GmbH there is the option for consulting work on top of your Nextcloud Enterprise subscription to get your features implemented.

[GoetheG]

Hi @MorrisJobke. Thank you for your explanation. I absolutely understand that you cannot implement everything we ask for here. Fair enough. Is there maybe any chance that we kickoff something with little money? Maybe there is somebody who could implement that.

As a charity we cannot pay thousands of Euros. Unfortunately. So if there is some program where we could ask for that, please tell.

[MorrisJobke]

Hi @MorrisJobke. Thank you for your explanation. I absolutely understand that you cannot implement everything we ask for here. Fair enough. Is there maybe any chance that we kickoff something with little money? Maybe there is somebody who could implement that.

As a charity we cannot pay thousands of Euros. Unfortunately. So if there is some program where we could ask for that, please tell.

There is a section in the forums at https://help.nextcloud.com which is for exactly those requests. Maybe put it in there?

[landryb]

Fwiw, i had a similar need, ie disabling/neuteuring the "download" feature which might impact server workload generating huge zips with dozens of files, summing gigabytes of data - i want to push those users to use webdav clients that download files by files.

I'm no javascript nor php expert, and i dont know really well the NC architecture, but i identified 3 places, and 3 distinct ways to set a "limit" so that users wont hammer the server generating zips :

• the 'actions' menu at the top of the filelist has a 'download' item, which targets the selected files in the current file list. For this i check that the selected files list contains a dir or several files, and if the total size is above the threshold (hardcoded to 20Mb for the example), i alert the user that the action is disabled:

  
  --- a/apps/files/js/filelist.js
  +++ b/apps/files/js/filelist.js
  @@ -874,7 +874,16 @@
                      else {
                              files = _.pluck(this.getSelectedFiles(), 'name');
                      }

• sizes = _.pluck(this.getSelectedFiles(), 'size');

• const reducer = (accumulator, currentValue) => accumulator + currentValue;

• var size = sizes.reduce(reducer);

• // file bigger than threshold, and not a single file

• if (size > 2010241024 && !(files.length == 1 && this.getSelectedFiles()[0].type == 'file')) {

• alert("dowload size " + Math.round(size/(1024*1024)) + "MB for multiple files too big, use winscp")

• return false;

• }

• console.log("allowed download size:" + size) // don't allow a second click on the download action if(this.fileMultiSelectMenu.isDisabled('download')) { return false;

* the '3 dots' menu on the right side of a file/dir has a 'download' item too, targeting the current file/dir - here i only prevent the download if it's a dir and its size is larger than the threshold:

+++ b/apps/files/js/fileactions.js @@ -601,6 +601,10 @@

                                    var downloadFileaction = $(context.$file).find('.fileactions .action-download');

• if (isDir && context.$file.attr('data-size') >= 2010241024) {
• alert("dowload size " + Math.round(context.$file.attr('data-size')/(1024*1024)) + "MB for a directory too big, use winscp");
• return;
• } // don't allow a second click on the download action if(downloadFileaction.hasClass('disabled')) { return;

* and finally, when a dir is publicly shared, i dont want the "download all files" item at the right top, so i only add items to the menu if the size is below the limit. In that case, there's no user feedback.. `alert()` in js is ugly anyway :(

--- a/apps/files_sharing/lib/Controller/ShareController.php +++ b/apps/files_sharing/lib/Controller/ShareController.php @@ -456,12 +456,14 @@ class ShareController extends AuthPublicShareController { if ($isNoneFileDropFolder && !$share->getHideDownload()) { \OCP\Util::addScript('files_sharing', 'public_note'); if ($shareIsFolder) {

• if ($shareTmpl['nonHumanFileSize'] <= 20000000) { $response->setHeaderActions([ new SimpleMenuAction('download', $this->l10n->t('Download all files'), 'icon-download-white', $shareTmpl['downloadURL'], 0), new SimpleMenuAction('download', $this->l10n->t('Download all files'), 'icon-download', $shareTmpl['downloadURL'], 10, $shareTmpl['fileSize']), new LinkMenuAction($this->l10n->t('Direct link'), 'icon-public', $shareTmpl['previewURL']), new ExternalShareMenuAction($this->l10n->t('Add to your Nextcloud'), 'icon-external', $shareTmpl['owner'], $shareTmpl['displayName'], $shareTmpl['filename']), ]);
• }

The 3 snippets are against `stable15` git branch, and i've lightly tested them - maybe there are more spots allowing to call `ajax/download.php` but those were the most visible ones i found.

This is of course hacks, and definitely not something worth of a pull request, but if it can be useful to someone to properly integrate it in NC (i really dont see how this could be integrated as a proper app; but i really dont know nextcloud code nor have the time to dig into it...), or to use it on its own instance, that's good :)

[Nottt]

It would be nice to be able to disable this...not because of security...but because of speed/performance.

It is faster to let the client do 10 simultaneous downloads than zipping a folder and delivering in 1 download

[insanemal]

I'm just putting this out there but I use my owncloud to move multiple, multi-gb video files around.

The download all button always ends up eating everything..

Please let us disable it.

[mackonsti]

Hello everyone, apologies to revive this old ticket, I have a couple of questions:

a) is this feature eventually implemented? The ticket was opened 2+ years ago, and I cannot see an option on NextCloud server 22.2.3 etc.

b) do you know where is stored (i.e. the path of) the temp folder where ZIPs are created before being downloaded to the (remote) user? Would a server reboot clean up these? I am using a rather small boot/system partition (OpenMediaVault 5.x) and I am afraid this zipping action would just fill up the remaining GBs of space used by the system itself...

Thank you all.

[insanemal]

Why is this closed? This feature is broken. This isn't a "Nice to have". This is a joke.

If you use download ZIP on large downloads it just fails. Scribbles crap everywhere and fails. There NEEDS to be an option to disable it.

[landryb]

note for the ppl interested in this 'feature' (see commits above in my own branch, eg https://github.com/nextcloud/server/compare/stable28...landryb:server:stable28+download_limit), upgrading my current install from 23 to 28, i've figured out that there are new different places to modify:

• when the user is connected , apps/files/src/actions/downloadAction.ts needs to be modified now to prevent large downloads (this has the benefit of being able to use toasts from nextcloud/dialogs), this wasnt the case in 23. probably because of the migration to vue
• when a public share is done, the 'legacy' codepaths in apps/files/js/fileactions.js & apps/files/js/filelist.js are used to prevent large downloads
• apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php needs to be modified to avoid showing the download all files in a public share if the volume is above a threshold