Filestorage exposed to attackers at all times
๐ชฒBug Report
I found out that the the download Urls, that need to be sent to client for files > 20MB , are always there and never expire.
Granted the unique identifier in the url has 34^33 possible combinations, which is quite a lot. There is still a chance someone can guess a url and download sensitive data .....
Proof:
1. go to your convex dashboard
2. go to files dashboard and check the html of the download button
3. see the href is already filled with the download link
4. paste the link into a private browser tab, with no authentification or whatever
5. file is served
Possible solution:
I suggest having an invisible table, where all the urls are stored and an expire data next to it. And before serving there is a check if the url is still active on convex backend side.
So users can set an expire data just like in the R2 convex component: https://www.convex.dev/components/cloudflare-r2
Granted the unique identifier in the url has 34^33 possible combinations, which is quite a lot. There is still a chance someone can guess a url and download sensitive data .....
Proof:
1. go to your convex dashboard
2. go to files dashboard and check the html of the download button
3. see the href is already filled with the download link
4. paste the link into a private browser tab, with no authentification or whatever
5. file is served
Possible solution:
I suggest having an invisible table, where all the urls are stored and an expire data next to it. And before serving there is a check if the url is still active on convex backend side.
So users can set an expire data just like in the R2 convex component: https://www.convex.dev/components/cloudflare-r2
