Here ForAwhile / nanogram · GitLab
gitlab.com
GitLab.com

Documentation for nanogram available here for awhile

Edit: Dont be a ungrateful Be nice pls. I put a lot of time, effort, and my own money into making this. I’m choosing to freely share it :)

Yes I get help from LLM’s. Review the code if you think it’s unsafe, or just move on and don’t use it. Happy to answer any technical questions.

Edit 2: Expanded source code for termux version here.

Edit 3: Expanded source for pi version here

  • SavvyWolf@pawb.socialEnglish
    1·
    6 hours ago

    Had a quick skim and found this little guy:

    # ---------- Protected media route ----------
@app.route('/img/<path:name>')
@login_required
def media(name):
    db = SessionLocal()
    try:
        me = current_user(db)
        # Find the post with this image
        post = db.query(Post).filter_by(image_path=name).first()
        if post:
            # Check visibility
            can_view = post.user_id == me.id or db.query(UserVisibility).filter_by(
                owner_id=post.user_id, viewer_id=me.id
            ).first() is not None
            if not can_view:
                abort(403)
        return send_from_directory(UPLOAD_DIR, os.path.basename(name))
    finally:
        db.close()

    I’ve not read through everything, but there are some security concerns that jump out to me from just this function. Hopefully you can enlighten me on them.

    Firstly, what is stopping a logged in user from accessing any image that, for whatever reason, doesn’t have an associated post for it?

    Secondly, the return codes for “the image doesn’t exist” (404) and “the image exists but you can’t access it” (403) look to be different. This means that a logged in user can check whether a given filename (e.g. “epstien_and_trump_cuddling.jpg”) has been uploaded or not by any user.

    Both of these look to be pretty bad security issues, especially for a project touting its ability to protect from nationstates. Am I missing something?

    • hereforawhile@lemmy.mlOPEnglish
      1·
      5 hours ago
      1. I disclaim the opposite, I don’t tout its ability against nation states in the Readme.

      1. There are two checks for someone on the server to be able to view a post. First, are you a valid user? Then did the person sharing the photo give you access to view their posts? If both are true you can see the post. Also, on upload to the server, the image get compressed and stripped of any meta data including the file name…so no they couldn’t check a file name. Each photo is given a randomly generated filename.

      Edit.

      1. There can’t be any posts without images attached. There will always be a post and an image. (unless it’s a 1-1 DM or group chat) which has its own rules for access.