
Fix potential DoS #336

Merged
merged 1 commit into from
Sep 5, 2023

Conversation

duggalsu
Contributor

@ghost

ghost commented Aug 22, 2023


@dennyabrain
Contributor

Thanks. Will take me some time to test this. Will keep you posted.

@duggalsu
Contributor Author

@dennyabrain There is a file size limit of 8 MB now. So if you try uploading an image greater than 8 MB, it should fail.

@dennyabrain
Contributor

Really cool :)
I still need to check the API, right? Or were you able to verify this works?

@duggalsu
Contributor Author

No, I can't test this from my end. You will have to test this.

@dennyabrain
Contributor

@aatmanvaidya We need to test this code block, basically:

```javascript
app.post("/archive", upload.single("screenshot"), async (req, res) => {
  console.log("archive POST request");
  try {
    // multer (upload.single) has already streamed the file to S3;
    // the object key and public location are on req.file
    const fileName = req.file.key;
    const s3URL = req.file.location;
    const { url } = req.body;
    const user = req.user;
    await post.create({
      userId: user.id,
      sourceUrl: url,
      permanentUrl: null,
      tags: null,
      screenshot: fileName,
    });
    // look up the user's notification preference; the stored email is encrypted
    const result = await preference.findOne({
      where: {
        userId: user.id,
      },
    });
    if (result != null) {
      let resultPlain = result.get({ plain: true });
      resultPlain = { ...resultPlain, email: decrypt(resultPlain.email) };
      // note: this logs the decrypted email address
      console.log({ resultPlain });
      if (resultPlain.email != null) {
        await sendArchiveEmail(
          resultPlain.email,
          url,
          `https://uli-media.tattle.co.in/${fileName}`
        );
      }
    }
    res.send({ msg: "Tweet Archived" });
  } catch (err) {
    res.status(501).send({ msg: "Error archiving tweet" });
  }
});
```

It's a POST endpoint called /archive.
This allows us to send an image. This handler also uploads this image to aws S3 and sends an email using aws SES. So this exercise will be helpful for you to get used to those services. Just follow the code in this function to get a working understanding of the services. I will share the credentials you have to use

@duggalsu can you share the cURL command we came up with here?

@duggalsu
Contributor Author

@dennyabrain Here is the curl command

$ curl -v -H "Authorization: token <ACTUAL-TOKEN>" -F url="anything" -F screenshot=@screenshot.png localhost:3000/archive

You can get the accessToken by running this command

$ curl http://localhost:3000/auth/register

@dennyabrain
Contributor

We learnt that multer multipart upload doesn't play well with curl - expressjs/multer#666
We were able to test using Hoppscotch that the 8 MB file limit is indeed respected.

Closing this.

@dennyabrain dennyabrain merged commit bb8a14c into tattle-made:main Sep 5, 2023
2 checks passed
@duggalsu duggalsu deleted the fix_dos branch November 29, 2023 10:30