MietzeKatzeM
Convex Communityβ€’3mo ago
MietzeKatze

Filestorage exposed to attackers at all times

I found out that the the download Urls, that need to be sent to client for files > 20MB , are always there and never expire.

Granted the unique identifier in the url has 34^33 possible combinations, which is quite a lot. There is still a chance someone can guess a url and download sensitive data .....

Proof:

1. go to your convex dashboard
2. go to files dashboard and check the html of the download button
3. see the href is already filled with the download link
4. paste the link into a private browser tab, with no authentification or whatever
5. file is served

Possible solution:

I suggest having an invisible table, where all the urls are stored and an expire data next to it. And before serving there is a check if the url is still active on convex backend side.

So users can set an expire data just like in the R2 convex component: https://www.convex.dev/components/cloudflare-r2

await r2.getUrl(
          storageObjectId,
          // Options object is optional, can be omitted
          {
            // Custom expiration time in seconds, default is 900 (15 minutes)
            expiresIn: 60 * 60 * 24, // 1 day
          }
        ),
Convex
Cloudflare R2
Store and serve files from Cloudflare R2.
Cloudflare R2
Was this page helpful?