Sharing links can be protected with a password. However, the function used for generating this password is using cryptographically insecure RNG.
server-25.0.0\apps\files_sharing\src\utils\GeneratePassword.js
(lines 36-55):
export default async function() {
// password policy is enabled, let's request a pass
if (config.passwordPolicy.api && config.passwordPolicy.api.generate) {
try {
const request = await axios.get(config.passwordPolicy.api.generate)
if (request.data.ocs.data.password) {
return request.data.ocs.data.password
}
} catch (error) {
console.info('Error generating password from password_policy', error)
}
}
// generate password of 10 length based on passwordSet
return Array(10).fill(0)
.reduce((prev, curr) => {
prev += passwordSet.charAt(Math.floor(Math.random() * passwordSet.length))
return prev
}, '')
}
The first part of the function handles the password generation in a safe way when a password policy is present. However, there is another variant generating the password using Math.random
function, which is not appropriate for use in a security-sensitive context.
Citation from MDN Web Docs:
“Note: Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security. Use the Web Crypto API instead, and more precisely the window.crypto.getRandomValues() method.”
An attacker might be able to access the shared files even without knowledge of the password.