nextcloud: also whitelist 200 for /apps/mail/api/avatars/url

crowdsecurity · Feb 13, 2025 · 657ea76 · 657ea76
1 parent a4564d8
commit 657ea76
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml b/parsers/s02-enrich/crowdsecurity/nextcloud-whitelist.yaml
@@ -10,7 +10,7 @@ whitelist:
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.request contains '/core/preview' && evt.Parsed.http_args contains 'x=' && evt.Parsed.http_args contains 'y=' && evt.Parsed.http_args contains 'fileId=' #File preview often 404s while searching
    - evt.Meta.http_status in ['404', '200'] && evt.Meta.http_verb in ['PROPFIND', 'GET'] && evt.Meta.http_path matches '^/remote.php/(web)?dav/' #Uploading new files via WebDAV always produces a 404
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'PROPFIND' && evt.Parsed.file_dir startsWith '/public.php/webdav/' && lower(evt.Parsed.file_name) in ['readme.md', 'lisez%20moi.md'] # Resharing scans for readme to check existence
-   - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '/apps/mail/api/avatars/(url|image)/' #When loading mail contacts the avatars may get 404
+   - evt.Meta.http_status in ['200', '404'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path matches '/apps/mail/api/avatars/(url|image)/' #When loading mail contacts the avatars may get 404, or if you have a lot of contacts, it may trigger crawl-non-static
    - evt.Meta.http_status == '200' && evt.Parsed.static_ressource == 'false' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/photos/api/v1/preview' && evt.Parsed.http_args contains '&x=' && evt.Parsed.http_args contains '&y=' && evt.Parsed.http_args contains 'etag=' #When loading multiple images inside Nextcloud Photos, HTTP Crawl non statics is triggered since the images look like dynamic assets.
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Parsed.request == '/ocs/v2.php/apps/text/workspace' && evt.Parsed.http_args contains 'path=%2F' #When opening folders in Nextcloud Files that don't contain a readme.md 404 error is thrown
    - evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/apps/files_trashbin/preview' && evt.Parsed.http_args contains 'fileId=' # 404 error thrown when preview is missing for files in trash bin