MietzeKatze
MietzeKatze4w ago

Filestorage exposed to attackers at all times

I found out that the the download Urls, that need to be sent to client for files > 20MB , are always there and never expire. Granted the unique identifier in the url has 34^33 possible combinations, which is quite a lot. There is still a chance someone can guess a url and download sensitive data ..... Proof: 1. go to your convex dashboard 2. go to files dashboard and check the html of the download button 3. see the href is already filled with the download link 4. paste the link into a private browser tab, with no authentification or whatever 5. file is served Possible solution: I suggest having an invisible table, where all the urls are stored and an expire data next to it. And before serving there is a check if the url is still active on convex backend side. So users can set an expire data just like in the R2 convex component: https://www.convex.dev/components/cloudflare-r2 
await r2.getUrl(
          storageObjectId,
          // Options object is optional, can be omitted
          {
            // Custom expiration time in seconds, default is 900 (15 minutes)
            expiresIn: 60 * 60 * 24, // 1 day
          }
        ),
await r2.getUrl(
          storageObjectId,
          // Options object is optional, can be omitted
          {
            // Custom expiration time in seconds, default is 900 (15 minutes)
            expiresIn: 60 * 60 * 24, // 1 day
          }
        ),
Convex
Cloudflare R2
Store and serve files from Cloudflare R2.
0 Replies
No replies yetBe the first to reply to this messageJoin

Did you find this page helpful?