Enhancement request/Security question

[walterbender]

Please see:
https://github.com/walterbender/turtleblocksjs/issues/296#issuecomment-269242555

There is both an enhancement request, but more importantly, a security question.

[i5o]

I think that instead of replacing the files, you could add some "random" characters to the end,

"file.tb"
"random_file.tb", similar like GCI website does (but in GCI the random thing is the task id).
Also: "random" needs to be generated from server side, and not client side.

• limit the file extension to ".tb" (server side too)

[samdroid-apps]

On Tue, 2016-12-27 at 18:06 -0800, Ignacio Rodríguez wrote: I think that instead of replacing the files, you could add some "random" characters to the end, "file.tb" "random_file.tb", similar like GCI website does (but in GCI the random thing is the task id). Also: "random" needs to be generated from server side, and not client side.

We could store the metadata (title) in a database and have the file paths random.  If you use something like Django, you can just use a filefield and it does it all for you.

…

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.       {"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c5 5493e4bb","name":"GitHub"},"entity":{"external_key":"github/tchx84/tu rtleblocksjs-server","title":"tchx84/turtleblocksjs- server","subtitle":"GitHub repository","main_image_url":"https://clou d.githubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6- 95fc- 7290892c7bb5.png","avatar_image_url":"https://cloud.githubusercontent .com/assets/143418/15842166/7c72db34-2c0b-11e6-9aed- b52498112777.png","action":{"name":"Open in GitHub","url":"https://github.com/tchx84/turtleblocksjs- ***@***.*** in #5: I think that instead of replacing the files, you could add some \"random\" characters to the end,\r\n\r\n\"file.tb\"\r\n\"random_file.tb\", similar like GCI website does (but in GCI the random thing is the task id).\r\nAlso: \"random\" needs to be generated from server side, and not client side.\r\n"}],"action":{"name":"View Issue","url":"https://github.com/tchx84/turtleblocksjs- server/issues/5#issuecomment-269413033"}}}

[tchx84]

Can someone send a test to reproduce this?

IIRC the server prevents writing anywhere but the projects directory, see https://github.com/tchx84/turtleblocksjs-server/blob/master/server.py#L56 (the project_id is the file name, and should get escaped).

In general, this server never intended to enforce concepts of users or file uniqueness (or any logic at all), this is supposed to be a temporary hack to save and retrieve files using a simple API. I think it would be a great opportunity to ditch it and use or write a proper files backend.