Hi everyone, I have a question about the linux command line that uses text as an input. I'm making an service that will allow users to post files to my web server which will then copy that file (after a few checks) to the image server. The main way of communicating between my web server and my image server will be scp. However, I also want to maintain user filenames, so it would look like this:
>User posts their file to web server >Web server checks if the file is supported >Web server checks if file is under file size limit >Web server says OK and tries to send to image server >Web server runs ("scp " + filepath + " root@imageServer:~/images") >Image server receives the file and is ready to send the file to user on request (the folder is public and will be served by nginx)
the dangerous part here is the scp command. I'm not an expert on security, but is there a way that this command can get hijacked the same way a database can get SQL injection? What if somebody named their file to be malicious. Is there a way to safely join the filename to the script? To safely "escape" the command?
I'm using express (node.js) for the web server. Is there another way to send files from the web server to a simple Ubuntu install without unix commands or writing up a REST api for the image server? Is there is, then I might not need to "escape" at all
Btw, the reason why I'm choosing to have the image server and the web server separate is because I want to scale the application in the future. For example, if there were 10 web servers and no central image server, then it would be impossible to retrieve files if the file isn't on the web server you request from.
Please help me!
Benjamin Miller
Why are you using scp and not http or ftp?
Hudson Powell
Apparently ftp is really slow compared to scp, and http would require me to write up a REST api on the image server, which is something I want to avoid
Angel Bell
>I'm using express (node.js) for the web server Just give up
Nolan Davis
ftp is much faster then sftp
Oliver Jones
This tbhdesu. Go retake your certification course, user. You're a few years out of touch.
Ethan Powell
This
Austin Ortiz
Okay, sure ftp may be faster than sftp (duh), but I don't want to use ftp because it's slower than scp and because it's not secure! The last thing I want to do is jeopardize user security
Justin Allen
>Is there a way to safely join the filename to the script? To safely "escape" the command? Only allow characters in a whitelist to be part of the filename. For example, only alphanumerical characters and dots. Use this library to do these sorts of sanitization: github.com/validatorjs/validator.js
Benjamin Adams
a unix command can be a stirng but still be deadly. Turning the filename into a string is not what I want, what I want is to make sure somebody doesn't rm -rf my server
Jacob Rivera
>Is there a way to safely join the filename to the script? To safely "escape" the command? What I would do is disallow any non-alphanumeric characters except full-stops and also require that a filename contain at least one alphanumeric character. If you do this, it's impossible for any commands to be injected.
Nathaniel Smith
Okay here is the big question. Are you using this in production or is this a pet project? If you are using this production you should just kill your self now before the data breach and lawsuit.
Thomas Ortiz
What part of "alphanumerical characters and dots" did you not understand, you dense motherfucker?
Cameron Ortiz
I see the light now, thanks anons. I'm still hoping there is a better solution to this though...
Dominic Brown
Why scp to the image server as root? Just set up another dummy user for moving to the image server.
Escape control characters and quotes?
Elijah Brooks
I feel like you're approaching this whole thing awkwardly. What is wrong with using proven technologies and protocols that were designed for the express purpose of the things you're trying to achieve? The alternative sounds just like a bad hack. Say you want to go down the bad hack road, you'll certainly reach a limit and turn to write your own custom protocol for file transfer. If you're hell bent on using the command line, curl can handle anything http/https/ftp related provided you prepare the right backend to interact with it. It's back to designing board for you. p.s: You can base64 encode file names if you're afraid of maliciously crafted names
Ryan Howard
I believe you. But there are no current "image server" projects out there expect for Thumbor, which I have configured before realizing that it only supports pngs, jpgs, and gifs. I want to support webm and mp4...
And I really don't want to write a REST api to my image server
Nolan Phillips
>use a library to do a simple fucking alphanumeric regex you're the types of cunts that give JS a bad name. good fucking lord.
You should learn a thing or two about reutilizing code and using tools that do one thing well. Trying to implement things like crypto and sanitization by hand instead of using tried-and-true, battle-tested libraries is how people get owned in the first place.
Jacob Rivera
You should really check validator.js.
Kevin Morgan
so you are the idiot that was asking about how to make a REST api for images the other day? Look dude, you are just going to have to try whatever you are going to try, and see it fail. You are too retarded to learn any other way. SO just go for it and see what happens
