Loss of passwords via unrelated Import - after database "split"

[lionkmp]

Overview

All my passwords got deleted today - restored from backup and disabled IMPORT feature to save them. This happened only once, I have not attempted to reproduce, but I can easily tell what I did. Very complex to reproduce.

Steps to Reproduce

1. I had a big database of passwords, some for Linux (6-7 groups), some for Windows (2 groups), a very few common (mixed in the groups). (I basically managed this on Linux, and sometimes copied over to the NTFS Windows disk.)
2. I decided to separate Linux / Windows passwords
3. I made a COPY of the database and called it keepass_windows, use that on Windows, named the one remaining on linux as keepass_linux.kbdx.
4. In Windows version I deleted all groups that are not needed there. (2 groups remained) (In Linux not yet!)
5. In Linux, make a SHARE to Windows NTFS partition, EXPORT ONLY - and moved all those passwords there that are now missing on Windows.
6. In Windows, read the SHARE via IMPORT ONLY. (This way the Windows database has 3 groups: the 2 that were not deleted, and the SHARE.)
7. So far all works fine - Please note that I do understand that items have a Unique Identifier, so at this point some items are "related" in the two databases. But the two database files are independently opened so they should have no effect. (There is now keepass_linux.kbdx and keepass_windows.kbdx, and share.kbdx)
8. After some weeks, it worked OK, so I decided it's time to delete the two Windows Groups from keepass_linux.kbdx database on Linux - yet again, moving some more items to SHARE that I noticed I would miss on Linux (on Linux side). (But only a few items.)
9. Start up windows: the 2 Windows-only groups got EMPTIED (There remained only 3 items total, those that were added since the split or was moved to SHARED at point 8. There were at least 40-50 entries lost!)

Expected Behavior

I expect that deleting the Windows-only groups on the Linux database, will not make them SYNC via the IMPORTed THIRD group.

Actual Behavior

Lost all items from keepass_windows.kbdx when I opened the database on Windows after deleting those on Linux from keepass_linux.kbdx - somehow the deletion sneaked over via SHARED group.

Note that the SHARED group is called "SHARED" on both OS, it is an Export only on Linux, and exported to the NFTS disk on name SHARED.kbdx. And it is read on Windows side with Import only. I think this group somehow added all the deletion commands of Windows entries. I expected that no changes outside this SHARED group would "sync" via it.

Before opening the backup, I renamed SHARED.kbdx to SHARED2.kbdx to make sure the Windows database won't be able to reproduce this problem. But if you want, I can try naming it SHARED.kbdx and opening the restored database to see if that deletes the items. For now, I have all my "lost" passwords, from the daily backup from yesterday, and I disabled both Export and Import.

Thanks in advance if you have any comments on this.

Context

KeePassXC - Linux: 2.7.5, Windows: 2.7.5
Revision: Linux: 9d0537b

Operating System: Windows + Linux
Desktop Env: Gnome -Ubuntu
Windowing System: X11/Wayland

[lionkmp]

I made a quick test and reproduced the last part:

• I copied my restored good db to "keepass_windows(1) Copy.kbdx"
• opened it, and confirmed it has all my passwords in Group 1 and Group 2
• now, activated the Import on the third group, that is called SHARED

All password were gone from Group 1 and Group 2 again. (Expect those few that were never present on my Linux version, so that were added on Windows after the "split".)

[droidmonkey]

Please see #6477