[Bug]: files_external SFTP can loop infinitely on symlink and fill databases and prevent cron to finish

[guerby]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

files_external SFTP does not treat specially symbolic links so if a target directory of a symbolic link is "upward" nextcloud file indexer will loop infinitely which will fill the nextcloud database and prevent regular cron jobs from completing

Steps to reproduce

1. Setup an SFTP files_external to a user home directory
2. In this user home directory have a symbolic link "test" pointing to any "upward" directory eg "." or ".." or "/"
3. Wait for the cron to run and try to index
4. watch as the cron does not finishes and the database grows and grows to several gigabytes

Expected behavior

Nextcloud works normally, for example ignoring symbolic links completely in external_files SFTP or making sure it doesn't loop following them.

Nextcloud Server version

31

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.3

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

php -f /opt/nextcloud/occ config:list system
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nc.example.org",
            "nc.example.org",
            "A.B.C.D"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "31.0.3.2",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "FR",
        "updater.release.channel": "stable",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": "0"
        },
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "skeletondirectory": "",
        "maintenance_window_start": "2",
        "maintenance": false,
        "mail_smtpmode": "sendmail",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "loglevel": 2,
        "theme": "",
        "defaultapp": "files",
        "share_folder": "\/85-Shared",
    }
}

List of activated Apps

php -f /opt/nextcloud/occ app:list
Enabled:
  - activity: 4.0.0
  - app_api: 5.0.2
  - assistant: 2.4.0
  - bookmarks: 15.1.0
  - bruteforcesettings: 4.0.0
  - calendar: 5.2.1
  - call_summary_bot: 3.0.1
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - collectives: 2.16.1
  - comments: 1.21.0
  - contacts: 7.0.6
  - contactsinteraction: 1.12.0
  - context_chat: 4.2.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - deck: 1.15.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_external: 1.23.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - forms: 5.1.0
  - groupfolders: 19.0.4
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - mail: 5.0.0
  - nextcloud_announcements: 3.0.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - onlyoffice: 9.8.0
  - password_policy: 3.0.0
  - photos: 4.0.0-dev.1
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recognize: 9.0.1
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - spreed: 21.0.2
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - updatenotification: 1.21.0
  - user_saml: 6.5.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - whiteboard: 1.0.5
  - workflowengine: 2.13.0
Disabled:
  - admin_audit: 1.21.0
  - encryption: 2.19.0
  - suspicious_login: 9.0.1
  - twofactor_nextcloud_notification: 5.0.0
  - twofactor_totp: 13.0.0-dev.0
  - user_ldap: 1.22.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

Additional info

No response