Nextcloud Trashbin Issues: Data Loss & File Corruption

Nextcloud, a powerful open-source platform for file sharing and collaboration, offers a robust Trashbin feature designed to protect your data from accidental deletion. However, as with any complex system, issues can arise. This article delves into a specific problem where the Trashbin functionality in Nextcloud, particularly in versions 31.0.7.2 (Enterprise) and potentially earlier, can lead to data loss and file corruption. Let's explore the core problem, its root causes, and potential solutions to ensure your data's integrity within your Nextcloud instance.

Understanding the Core Problem: Orphaned Files in the Trashbin

At the heart of the issue lies a race condition within the Trashbin's move2trash() process. The process involves copying a file to the Trashbin before updating the database to reflect the move. If something interrupts this sequence, like a server crash or a process termination, a significant problem emerges. You end up with an orphaned file – a copy of the deleted file residing in the files_trashbin directory – but without a corresponding entry in the oc_files_trash table. This creates several problems:

• Data Loss: The deleted file consumes storage space without being accessible or manageable through the Nextcloud interface.
• Inconsistent State: The Nextcloud database and the actual file system are out of sync, leading to unpredictable behavior and potential data corruption.
• Difficult Recovery: Standard Nextcloud tools cannot recover these orphaned files because they are not listed in the Trashbin UI.

This issue specifically impacts files stored on external storage, such as Amazon S3, when combined with local storage, like Lustre, that is configured to be the home directory.

Reproducing the Issue: A Step-by-Step Guide

To understand the problem, let's look at the steps to reproduce it. This process, if attempted, should be done in a test environment. Do not attempt this on production data, as it may lead to further data loss:

1. Mount an S3 Bucket: Set up an external storage connection in Nextcloud to an S3 bucket and upload a large file that has no oc_filecache row in the database. This simulates a common scenario where files from external storage are deleted.
2. Trigger the Delete: Delete the uploaded file through the Nextcloud web interface or using WebDAV. This action triggers the Trashbin::move2trash() function.
3. Interrupt the Process: Before the database entry is created, interrupt the PHP worker by sending a kill signal to it. This can be achieved by injecting a fatal error or terminating the PHP process after the file has been moved but before the database insertion.

After these steps, the results will match the Actual Result scenario.

Deep Dive into the Code: The Root Cause Analysis

The core of the problem stems from the way Nextcloud handles the trash move process in Trashbin::move2trash(). Here's a breakdown of the key issues identified:

• Non-Atomic Operations: The file copy operation ($trashStorage->moveFromStorage()) and the database insertion ($query->insert('files_trash')) are not wrapped within a transaction. This means that if the insertion fails after the file copy, the copied file remains in the trash, leading to an inconsistent state.
• Cache Update Omission: The cache updates are skipped when the source file isn't already in the cache ($inCache === false). This means that the copied file in the Trashbin does not get an oc_filecache row, further complicating recovery. This makes it impossible to locate the file, even if it is known to exist.
• Reverse Race Condition: The permanent deletion (Trashbin::delete()) and the cron expiration job, which automatically removes files from the trash, are also susceptible to a similar race condition, potentially leading to data loss in reverse order. In this scenario, the database entry is deleted before the file, resulting in file remnants on disk.

Logs and Evidence: Real-World Scenarios

The logs provided show how the issue manifests in real-world scenarios. In the example, a file with ID