nil pointer deref in web defaultconfig.go

[ElementW]

Describe the bug

Setting up OpenCloud with a config freshly created by opencloud init --insecure true --config-path <path> consistently triggers a null pointer dereference in services/web/pkg/config/defaults/defaultconfig.go:164.

Steps to reproduce

These steps are performed with NixOS unstable 2fbfb1d. OC version is 4.0.0.

1. Configure

   services.opencloud = {
     enable = true;
     url = "https://${domain}";
   };

2. Switch system to the new config
   1. Starts a systemd unit that runs opencloud init --insecure true --config-path /etc/opencloud/opencloud.yaml
   2. Starts the main systemd unit running opencloud server

Expected behavior

No crash.
Even if baremetal/NixOS is not officially supported, at least an error message saying config validation failed.

Actual behavior

opencloud: Failed service 'service.SutureService{exec:(func(context.Context) error)(0x2cf0d60)}' (5.999832 failures of 5.000000), restarting: false, panic: runtime error: invalid memory address or nil pointer dereference, stacktrace: goroutine 850 [running]:
github.com/thejerf/suture/v4.(*Supervisor).runService.func2.1()
	github.com/thejerf/suture/v4@v4.0.6/supervisor.go:549 +0x7e
panic({0x325bea0?, 0x6287b40?})
	runtime/panic.go:783 +0x132
github.com/thejerf/suture/v4.(*Supervisor).runService.func2.2()
	github.com/thejerf/suture/v4@v4.0.6/supervisor.go:566 +0xb1
panic({0x325bea0?, 0x6287b40?})
	runtime/panic.go:783 +0x132
github.com/opencloud-eu/opencloud/services/web/pkg/config/defaults.Sanitize(0xc0024be388)
	github.com/opencloud-eu/opencloud/services/web/pkg/config/defaults/defaultconfig.go:164 +0xf4
github.com/opencloud-eu/opencloud/services/web/pkg/config/parser.ParseConfig(0xc0024be388)
	github.com/opencloud-eu/opencloud/services/web/pkg/config/parser/parse.go:36 +0xb4
github.com/opencloud-eu/opencloud/services/web/pkg/command.Server.func1(0xc00232a600?)
	github.com/opencloud-eu/opencloud/services/web/pkg/command/server.go:29 +0x17
github.com/urfave/cli/v2.(*Command).Run(0xc002310f20, 0xc00232a600, {0xc00230d840, 0x1, 0x1})
	github.com/urfave/cli/v2@v2.27.7/command.go:216 +0x4f4
github.com/urfave/cli/v2.(*Command).Run(0xc0023114a0, 0xc00232a540, {0xc000052260, 0x2, 0x2})
	github.com/urfave/cli/v2@v2.27.7/command.go:269 +0xa30
github.com/urfave/cli/v2.(*App).RunContext(0xc00231aa00, {0x44533d0, 0xc001b67720}, {0xc000052260, 0x2, 0x2})
	github.com/urfave/cli/v2@v2.27.7/app.go:333 +0x5a5
github.com/opencloud-eu/opencloud/services/web/pkg/command.Execute(0xc0024be388)
	github.com/opencloud-eu/opencloud/services/web/pkg/command/root.go:33 +0xca
github.com/opencloud-eu/opencloud/opencloud/pkg/runtime/service.NewService.func28({0x44533d0?, 0xc001b67720?}, 0x0?)
	github.com/opencloud-eu/opencloud/opencloud/pkg/runtime/service/service.go:270 +0x7c
github.com/opencloud-eu/opencloud/opencloud/pkg/runtime/service.NewService.NewService.func1.NewSutureServiceBuilder.func73.1({0x44533d0?, 0xc001b67720?})
	github.com/opencloud-eu/opencloud/opencloud/pkg/runtime/service/sutureservice.go:20 +0x25
github.com/opencloud-eu/opencloud/opencloud/pkg/runtime/service.SutureService.Serve({0x0?}, {0x44533d0?, 0xc001b67720?})
	github.com/opencloud-eu/opencloud/opencloud/pkg/runtime/service/sutureservice.go:28 +0x26
github.com/thejerf/suture/v4.(*Supervisor).runService.func2()
	github.com/thejerf/suture/v4@v4.0.6/supervisor.go:570 +0xd8
created by github.com/thejerf/suture/v4.(*Supervisor).runService in goroutine 101
	github.com/thejerf/suture/v4@v4.0.6/supervisor.go:544 +0x18b
","service":"service.SutureService{exec:(func(context.Context) error)(0x2cf0d60)}

Providing a web.yaml config with the following resolves this specific issue and OC starts up properly, the contents being made to satisfy Sanitize():

web:
  config:
    options:
      accountEditLink:
        href: ""
      editor:
        autosaveEnabled: false
      feedbackLink:
        href: ""
        ariaLabel: ""
        description: ""
      upload:
        companionUrl: ""
      embed:
        enabled: ""
        target: ""
        messagesOrigin: ""
        delegateAuthentication: true
        delegateAuthenticationOrigin: ""

Setup

NixOS unstable 2fbfb1d, OC fetched from git tag 4.0.0.

No other config file than /etc/opencloud/opencloud.yaml exist.

/etc/opencloud/opencloud.yaml

token_manager:
  jwt_secret: u80Xn8!zRcWTg-XsxA2*vLE0%69TvRRe
machine_auth_api_key: NlV30.VbHalSLPGZkn6c4QJ0+f*lffbb
system_user_api_key: SPxHi3CxoqDEx01*2b3iQtrk9vmkhDY1
transfer_secret: 69@P2IC=*8P4QtvhunPIxF@d*F@gB#j=
url_signing_secret: '*M3PF6bS@hwBi$oGxTb.KjO=FSuV$zY@'
system_user_id: 68691558-54ff-4ac3-9135-4fb714161650
admin_user_id: 8506445d-c751-4e55-a1b0-ebe022eead3c
graph:
  application:
    id: 0d80b0dc-eaa2-42c8-abe1-ad060fd32e98
  events:
    tls_insecure: true
  spaces:
    insecure: true
  identity:
    ldap:
      bind_password: Z!m#Z&CDaye3ovq1FpO6nNgFX12mC#0Z
  service_account:
    service_account_id: 08a95ed4-9275-4dd7-8e67-fb2bd5a561f5
    service_account_secret: Mb%Kg0d.s%83ERP3jUsVNjufd3e*faqS
idp:
  ldap:
    bind_password: yTL5Px%L%n3%GJg&dkMz=iloqjgB=GLl
idm:
  service_user_passwords:
    admin_password: n2F.lmwcKL^AYOu*c1%INr=ydR^LzYCM
    idm_password: Z!m#Z&CDaye3ovq1FpO6nNgFX12mC#0Z
    reva_password: =v&rFI!%kwwpC!h5Fg@8nZ@@Yb9VWvIL
    idp_password: yTL5Px%L%n3%GJg&dkMz=iloqjgB=GLl
collaboration:
  wopi:
    secret: a+#$PSazgXNC-GY#QZi&3ppe#Eg#%6vr
  app:
    insecure: true
proxy:
  oidc:
    insecure: true
  insecure_backends: true
  service_account:
    service_account_id: 08a95ed4-9275-4dd7-8e67-fb2bd5a561f5
    service_account_secret: Mb%Kg0d.s%83ERP3jUsVNjufd3e*faqS
frontend:
  app_handler:
    insecure: true
  archiver:
    insecure: true
  service_account:
    service_account_id: 08a95ed4-9275-4dd7-8e67-fb2bd5a561f5
    service_account_secret: Mb%Kg0d.s%83ERP3jUsVNjufd3e*faqS
auth_basic:
  auth_providers:
    ldap:
      bind_password: =v&rFI!%kwwpC!h5Fg@8nZ@@Yb9VWvIL
auth_bearer:
  auth_providers:
    oidc:
      insecure: true
users:
  drivers:
    ldap:
      bind_password: =v&rFI!%kwwpC!h5Fg@8nZ@@Yb9VWvIL
groups:
  drivers:
    ldap:
      bind_password: =v&rFI!%kwwpC!h5Fg@8nZ@@Yb9VWvIL
ocdav:
  insecure: true
ocm:
  service_account:
    service_account_id: 08a95ed4-9275-4dd7-8e67-fb2bd5a561f5
    service_account_secret: Mb%Kg0d.s%83ERP3jUsVNjufd3e*faqS
thumbnails:
  thumbnail:
    transfer_secret: kXU3dYw+alJT5cNJ+d4wxAc-c*pfurYK
    webdav_allow_insecure: true
    cs3_allow_insecure: true
search:
  events:
    tls_insecure: true
  service_account:
    service_account_id: 08a95ed4-9275-4dd7-8e67-fb2bd5a561f5
    service_account_secret: Mb%Kg0d.s%83ERP3jUsVNjufd3e*faqS
audit:
  events:
    tls_insecure: true
settings:
  service_account_ids:
  - 08a95ed4-9275-4dd7-8e67-fb2bd5a561f5
sharing:
  events:
    tls_insecure: true
storage_users:
  events:
    tls_insecure: true
  mount_id: 7b46e428-9684-407e-a09e-c560868e0e3d
  service_account:
    service_account_id: 08a95ed4-9275-4dd7-8e67-fb2bd5a561f5
    service_account_secret: Mb%Kg0d.s%83ERP3jUsVNjufd3e*faqS
notifications:
  notifications:
    events:
      tls_insecure: true
  service_account:
    service_account_id: 08a95ed4-9275-4dd7-8e67-fb2bd5a561f5
    service_account_secret: Mb%Kg0d.s%83ERP3jUsVNjufd3e*faqS
nats:
  nats:
    tls_skip_verify_client_cert: true
gateway:
  storage_registry:
    storage_users_mount_id: 7b46e428-9684-407e-a09e-c560868e0e3d
userlog:
  service_account:
    service_account_id: 08a95ed4-9275-4dd7-8e67-fb2bd5a561f5
    service_account_secret: Mb%Kg0d.s%83ERP3jUsVNjufd3e*faqS
auth_service:
  service_account:
    service_account_id: 08a95ed4-9275-4dd7-8e67-fb2bd5a561f5
    service_account_secret: Mb%Kg0d.s%83ERP3jUsVNjufd3e*faqS
clientlog:
  service_account:
    service_account_id: 08a95ed4-9275-4dd7-8e67-fb2bd5a561f5
    service_account_secret: Mb%Kg0d.s%83ERP3jUsVNjufd3e*faqS
activitylog:
  service_account:
    service_account_id: 08a95ed4-9275-4dd7-8e67-fb2bd5a561f5
    service_account_secret: Mb%Kg0d.s%83ERP3jUsVNjufd3e*faqS

opencloud.service

[Unit]
After=network.target
Description=OpenCloud - a secure and private way to store, access, and share your files

[Service]
Environment="IDP_ASSET_PATH=/nix/store/ix4k7zrki2l220pwqikl3hhz5lj5fbqf-opencloud-idp-web-4.0.0/assets"
Environment="LOCALE_ARCHIVE=/nix/store/szh016042w8pzbgh079np1shv1l198b5-glibc-locales-2.40-66/lib/locale/locale-archive"
Environment="OC_BASE_DATA_PATH=/var/lib/opencloud"
Environment="OC_CONFIG_DIR=/etc/opencloud"
Environment="OC_INSECURE=true"
Environment="OC_URL=https://cloud.elementw.net"
Environment="PATH=/nix/store/imad8dvhp77h0pjbckp6wvmnyhp8dpgg-coreutils-9.8/bin:/nix/store/av4xw9f56xlx5pgv862wabfif6m1yc0a-findutils-4.10.0/bin:/nix/store/x3zjxxz8m4ki88axp0gn8q8m6bldybba-gnugrep-3.12/bin:/nix/store/drc7kang929jaza6cy9zdx10s4gw1z5p-gnused-4.9/bin:/nix/store/zf8qy81dsw1vqwgh9p9n2h40s1k0g2l1-systemd-258.2/bin:/nix/store/imad8dvhp77h0pjbckp6wvmnyhp8dpgg-coreutils-9.8/sbin:/nix/store/av4xw9f56xlx5pgv862wabfif6m1yc0a-findutils-4.10.0/sbin:/nix/store/x3zjxxz8m4ki88axp0gn8q8m6bldybba-gnugrep-3.12/sbin:/nix/store/drc7kang929jaza6cy9zdx10s4gw1z5p-gnused-4.9/sbin:/nix/store/zf8qy81dsw1vqwgh9p9n2h40s1k0g2l1-systemd-258.2/sbin"
Environment="PROXY_HTTP_ADDR=127.0.0.1:9200"
Environment="TZDIR=/nix/store/xaa75rd44q62nc9mrbvym9d1m6gy0fj8-tzdata-2025b/share/zoneinfo"
Environment="WEB_ASSET_CORE_PATH=/nix/store/v8fzqqabnb208h7pk89m4y8mwjvkbxzw-opencloud-web-4.2.1"
ExecStart=/nix/store/7p9n09gn1zd25cy6x4lnps654121lm1g-opencloud-4.0.0/bin/opencloud server
Group=opencloud
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/var/lib/opencloud
Restart=always
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
Type=simple
User=opencloud
WorkingDirectory=/var/lib/opencloud

[Install]
WantedBy=multi-user.target

opencloud-init-config.service

[Unit]
Before=opencloud.service
Description=Provision initial OpenCloud config

[Service]
Environment="IDP_ASSET_PATH=/nix/store/ix4k7zrki2l220pwqikl3hhz5lj5fbqf-opencloud-idp-web-4.0.0/assets"
Environment="LOCALE_ARCHIVE=/nix/store/szh016042w8pzbgh079np1shv1l198b5-glibc-locales-2.40-66/lib/locale/locale-archive"
Environment="OC_BASE_DATA_PATH=/var/lib/opencloud"
Environment="OC_CONFIG_DIR=/etc/opencloud"
Environment="OC_INSECURE=true"
Environment="OC_URL=https://cloud.elementw.net"
Environment="PATH=/nix/store/7p9n09gn1zd25cy6x4lnps654121lm1g-opencloud-4.0.0/bin:/nix/store/imad8dvhp77h0pjbckp6wvmnyhp8dpgg-coreutils-9.8/bin:/nix/store/av4xw9f56xlx5pgv862wabfif6m1yc0a-findutils-4.10.0/bin:/nix/store/x3zjxxz8m4ki88axp0gn8q8m6bldybba-gnugrep-3.12/bin:/nix/store/drc7kang929jaza6cy9zdx10s4gw1z5p-gnused-4.9/bin:/nix/store/zf8qy81dsw1vqwgh9p9n2h40s1k0g2l1-systemd-258.2/bin:/nix/store/7p9n09gn1zd25cy6x4lnps654121lm1g-opencloud-4.0.0/sbin:/nix/store/imad8dvhp77h0pjbckp6wvmnyhp8dpgg-coreutils-9.8/sbin:/nix/store/av4xw9f56xlx5pgv862wabfif6m1yc0a-findutils-4.10.0/sbin:/nix/store/x3zjxxz8m4ki88axp0gn8q8m6bldybba-gnugrep-3.12/sbin:/nix/store/drc7kang929jaza6cy9zdx10s4gw1z5p-gnused-4.9/sbin:/nix/store/zf8qy81dsw1vqwgh9p9n2h40s1k0g2l1-systemd-258.2/sbin"
Environment="PROXY_HTTP_ADDR=127.0.0.1:9200"
Environment="TZDIR=/nix/store/xaa75rd44q62nc9mrbvym9d1m6gy0fj8-tzdata-2025b/share/zoneinfo"
Environment="WEB_ASSET_CORE_PATH=/nix/store/v8fzqqabnb208h7pk89m4y8mwjvkbxzw-opencloud-web-4.2.1"
ExecStart=/nix/store/andlyp9zn2jw7yazv0apj87whjv3wnm5-unit-script-opencloud-init-config-start/bin/opencloud-init-config-start 
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/etc/opencloud
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
Type=oneshot

[Install]
WantedBy=multi-user.target

opencloud-init-config-start script called from above systemd unit

#!/nix/store/rlq03x4cwf8zn73hxaxnx0zn5q9kifls-bash-5.3p3/bin/bash
set -e

set -x
config="${OC_CONFIG_DIR}/opencloud.yaml"
if [ ! -e "$config" ]; then
  echo "Provisioning initial OpenCloud config..."
  opencloud init --insecure "${OC_INSECURE:false}" --config-path "${OC_CONFIG_DIR}"
  chown opencloud:opencloud "$config"
fi

Additional context

Sanitize() in services/web/pkg/config/defaults/defaultconfig.go seems to be lacking null checks, causing this. Oversight looks obvious especially since that very same code sets the pointers to nil in some circumstances to begin with.

[fschade]

@ElementW thanks for your report, specially for bringing opencloud to nix-pkgs!

Thats really strange since cfg.Web.Config.Options.XXX should never be nil by default as you can see here.

Could you do me a favor and test the same thing with our current main branch? We recently made some changes to our CLI and I'd like to know if it's still failing.

Generally, it would be easy to implement a nil check here... however, as already mentioned, it should never be nil at this point.

[fschade]

@ElementW, i was intrigued to take a closer look at what wasn't working, so I did the following.

nix-shell -p go git pnpm nodejs

git clone https://github.com/opencloud-eu/opencloud.git

cd opencloud/

make clean generate

cd opencloud/

make build

./bin/opencloud init --insecure true --config-path /etc/opencloud/opencloud.yaml

Then I noticed the following file 🤣

/etc/opencloud/opencloud.yaml/opencloud.yaml

It must be --config-path /etc/opencloud, and not --config-path /etc/opencloud/opencloud.yaml

--config-path = Config path for the OpenCloud runtime (default "/root/.opencloud/config")

./bin/opencloud init --insecure true --config-path /etc/opencloud

Please check again if everything is working now.

[fschade]

one last thing, please keep in mind, the server ($ opencloud server) needs to know where to find its files, the following environment variables might be helpful.

OC_BASE_DATA_PATH, and OC_CONFIG_DIR

happy to see a working nix-pkg :)

[ElementW]

@fschade opencloud-init-config.service does specify Environment="OC_CONFIG_DIR=/etc/opencloud" and the script calls opencloud init --insecure "${OC_INSECURE:false}" --config-path "${OC_CONFIG_DIR}"; the directory path is correct, and indeed the main opencloud.yaml file is in the correct location. Same for opencloud server, said generated file is picked up by the instance; to be honest I don't see anything wrong with them.

In fact I now have a properly set up and running OC 4.0.0 instance, I just had to fiddle with the config so web.yaml contained at least some config (or just existed at all, didn't test thoroughly), so the Nix package & service declaration files seem to work correctly and somehow OC chokes on bad/missing web.yaml even though it shouldn't, hence this bug report and not a nixpkgs issue.

As for testing on main branch I will try but can't guarantee having enough free time in the following week or two, with the holiday celebrations, 39C3, and so on. That said when investigating the source of the issue I didn't notice any commit since 4.0 that would change the outcome, so I expect no difference there tbh.

[fschade]

It's me again. I just tried to reproduce the problem on my server again... no matter what I do... I'm not getting any nil pointer errors!

I'm using:

NixOS 6.12.63

and the following flake:

# flake.nix

{
  description = "Modern OpenCloud dev shell";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/master";
  };

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = import nixpkgs { inherit system; };
      opencloud = pkgs.callPackage ./pkg/opencloud { };
    in
    {
      devShells.${system}.default = pkgs.mkShell {
        packages = [
          opencloud
        ];

        OC_LOG_LEVEL = "info";
        OC_LOG_PRETTY = "true";
        OC_LOG_COLOR = "true";
        OC_INSECURE = "true";
        PROXY_ENABLE_BASIC_AUTH = "true";
        IDM_CREATE_DEMO_USERS = "true";
        IDM_ADMIN_PASSWORD = "admin";
        OC_URL = "https://10.42.10.146:9200";

        shellHook = ''
          echo "🚀 Entered OpenCloud dev environment"
        '';
      };
    };
}

# pkk/opencloud/default.nix

{ lib
, stdenv
, go
, fetchFromGitHub
, fetchurl
, nodejs
, pnpm_9
, ncurses
, gnumake
, which
}:

let
  oc = {
    version = "4.1.0";
    src = fetchFromGitHub {
      owner = "opencloud-eu";
      repo = "opencloud";
      rev = "v${oc.version}";
      hash = "sha256-sZcGDE/CwB/u9LxsfFY/m4o58NjXMgTX0yx719R+wjc=";
    };
  };

  web = {
    version = "4.3.0";
    src = fetchurl {
      url = "https://github.com/opencloud-eu/web/releases/download/v${web.version}/web.tar.gz";
      sha256 = "sha256-7mlqTABMniitaLr0ETAbeAwQSgy0KxMlzASA8uguXHE=";
    };
  };

in
stdenv.mkDerivation rec {
  pname = "openCloud";
  version = oc.version;

  src = oc.src;

  nativeBuildInputs = [ go nodejs pnpm_9 ncurses gnumake which ];

  preConfigure = ''
    export HOME=$(mktemp -d)
    pnpm config set strict-ssl false
  '';

  buildPhase = ''
    chmod -R u+w .

    echo "🚧 Prepare services/web ..."
    tar xzf ${web.src} -C services/web/assets/core

    echo "🚧 Prepare services/idp ..."
    pushd services/idp
    pnpm install
    pnpm run build
    popd

    echo "🚧 Build server ${version} ..."
    make -C opencloud build
  '';

  installPhase = ''
    mkdir -p $out/bin
    cp opencloud/bin/opencloud $out/bin/opencloud
  '';

  meta = with lib; {
    description = "OpenCloud server v${version} and web ${web.version}";
    homepage = "https://github.com/opencloud-eu/opencloud";
    license = licenses.asl20;
    platforms = platforms.linux;
  };
}

running it:

nix develop --no-sandbox
opencloud init
opencloud server

Could you please double-check if maybe something else is wrong?

Yes, we don't officially support nixOS, but this error still makes me wonder what's going on... because, as I said, that part should not be nil due to the defaults.

Thanks in advance.

[mannp]

I am getting the same issue starting fresh for the first time with v4.1, using the nix module.