Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Some Security considerations + docker size #62

Open
LordPraslea opened this issue Sep 14, 2023 · 3 comments
Open

Some Security considerations + docker size #62

LordPraslea opened this issue Sep 14, 2023 · 3 comments

Comments

@LordPraslea
Copy link

Hi

Project sounds interesting. I love that it's lightweight (somewhat) and that it can run on a RPI. i've been searching for something like this built in GO for a while.

Some security considerations, i didn't do a full audit or exploration (seems to avoid basic XSS at the moment)
Wouldn't it be better to somehow obfuscate the admin page/button? And instead use an admin user which is generated and chosen BY the user upon init. This will avoid brute force attacks.

As for the docker, you could use a multistage build. This will make the docker size smaller and will only copy the resulted binary and website instead of the whole sourcecode and nodejs libs which are probably not usefull.
https://docs.docker.com/build/building/multi-stage/

Nice job!

@balzack
Copy link
Owner

balzack commented Sep 14, 2023

I will look into the multistage build; I was not aware of this. Is this why you said it was "somewhat" lightweight, or do you see other things that can be optimized?

I agree with your point on adding admin privileges to an account; I see that as a better implementation. This would require a larger refactor, so is probably a ways out before I can get to it.

@LordPraslea
Copy link
Author

By lightweight i meant that in theory, after the frontend is built it could be embeded it into the golang binary as 1 executable using the https://pkg.go.dev/embed package. This could make it that you can actually release the binaries instead of using docker, and integrating the binary directly into an alpine/slim debian docker for people who want to use docker. See also point 3.

I found another pretty big security issue, the admin token is sent as a GET parameter which has a few issues

  1. It's stored in the docker logs and/or it would be stored in the server logs (access logs, proxy logs..), which can give anyone access to it. LEt's say you use a reverse proxy between.. well then it certainly gets stored somewhere. It would be better to pass it off as POST OR use it initially to build a JWT (or anyother token which expires) and send that token instead.
  2. It's also stored unencrypted/unhashed in the sqlite DB.

I played around with the app via a local docker instance which was reverse proxied with SSH to a subdomain.

  1. Your whole build process could in reality be simplified and streamlined by using something such as HTMX for the frontend as it could be directly embedded in the app without the need for building react. But this is possibly a large refactoring for the moment :)

@balzack
Copy link
Owner

balzack commented Sep 15, 2023

Firstly, thanks for your review of the project! I really appreciate your time and knowledge.

Thanks for the go package suggestion. I'll need to figure out how to do that, but it seems like a great way to make this project more accessible.

As to your other points:

  1. Is there a scenario in which someone could have access to the logs that isn't a system admin? Originally I had transferred the auth tokens within the HTTP header. Eventually when I built the mobile app I had to move the token to a query param, because the core image object in react native doesn't support customizing the HTTP header. If the logs are exposed to a non-admin, then I absolutely need to come up with a different solution.
  2. Good point. For my use case, I use a single purpose token, but that doesn't apply to everyone. I will update the store for this to use a salted-hash.
  3. I haven't programmed with HTMLX before, so perhaps my view is incorrect. I had read that HTMLX isn't desirable if your app has a lot of javascript code. Because the databag client needs to synchronize a view of a distributed database, it ends up doing a lot in javascript, and HTMLX wasn't a good fit. Please let me know if I am misinformed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants