the uploads are JANKY as SHIT #1

Open
opened 2020-09-02 18:35:16 +00:00 by oat · 7 comments
Owner

There are barely any checks for it.
The .sm file can be anywhere other than the root, there can be more than one, and it doesn't check if the .sm file is even properly structured.
So anyone can upload just a garbage .sm file and it'll be published just fine.
This is mainly a problem with the parser; the zip .sm searching can be fixed relatively easily, but as of now the uploading system is held together by duct tape.
Author
Owner

file checks:

- [x] check zipbombs and invalid formats
- [x] fix zipbomb errors
- [ ] make 2 .sms make an upload invalid
- [ ] check if .sm is at the root OR in a folder at the root (only if the root has no other folders)
- [ ] don't upload malformed .sms
- [ ] implement a ratelimit

database checks:

- [x] ~~check if there's already a song with the same artist and title~~ (nevermind, bad idea)
- [x] check if there's already a file with the same checksum

other checks:

- [ ] upload as unlisted by default, let client edit the file properties after it's uploaded
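As an added example (not code from the in-the-database-2 project), here is a Python validator for an uploaded zip that implements the file and database checks in the list above: one .sm only, root-or-single-folder placement, a zipbomb guard on declared sizes, a bounded read of the .sm, and md5 duplicate rejection. The size caps, the `known_md5` set and the minimal `#TITLE:` structural check for a StepMania .sm file are assumptions.

```python
import hashlib
import io
import posixpath
import zipfile

MAX_TOTAL_UNCOMPRESSED = 200 * 1024 * 1024  # assumed cap on total expanded size
MAX_RATIO = 100                             # assumed cap on expansion ratio
MAX_SM_BYTES = 4 * 1024 * 1024              # assumed cap on the .sm file itself


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used for constructed sample uploads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def validate_upload(data: bytes, known_md5: set) -> tuple:
    """Return (accepted, reason_or_md5) for an uploaded .sm zip, per the checklist."""
    digest = hashlib.md5(data).hexdigest()
    if digest in known_md5:  # database check: identical file already stored
        return False, "duplicate upload (md5 already in database)"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a valid zip archive"
    with zf:
        infos = zf.infolist()
        # Zipbomb guard: the central directory's declared sizes are cheap to inspect,
        # so refuse absurd totals or ratios before decompressing anything at all.
        declared = sum(i.file_size for i in infos)
        stored = sum(i.compress_size for i in infos) or 1
        if declared > MAX_TOTAL_UNCOMPRESSED or declared // stored > MAX_RATIO:
            return False, "archive expands too far (possible zipbomb)"
        sm_names = [i.filename for i in infos if i.filename.lower().endswith(".sm")]
        if len(sm_names) != 1:  # two .sm files make the upload invalid
            return False, f"expected exactly one .sm file, found {len(sm_names)}"
        # Location rule: .sm at the root, or in a root folder when it is the only folder.
        top_dirs = {i.filename.split("/", 1)[0] for i in infos if "/" in i.filename}
        sm_dir = posixpath.dirname(sm_names[0])
        if sm_dir and top_dirs != {sm_dir}:
            return False, ".sm must sit at the root or in the only top-level folder"
        # Structural check (assumption): a StepMania .sm is '#TAG:value;' entries and
        # needs a TITLE; read with a hard byte limit so a lying header can't eat memory.
        with zf.open(sm_names[0]) as fh:
            text = fh.read(MAX_SM_BYTES + 1)
        if len(text) > MAX_SM_BYTES or b"#TITLE:" not in text or b";" not in text:
            return False, ".sm file is malformed or too large"
    return True, digest
```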
Author
Owner

Zipbombs shouldn't work; I've looked into how basic zipbombs work and they shouldn't affect itdb2.
Author
Owner

I ran a 10GB zipbomb on it, and wowee! It errors and crashes.
Doesn't seem like it does any permanent damage though, only an unhandled "bad archive" error.
https://github.com/bones-codes/bombs/raw/master/archives/10GB/10GB.zip.bz2
Author
Owner

Oh fun!! This error is unsolvable unless I use a different library.
That is exactly what I'm going to do.
Author
Owner

88fc57d should have fixed the above error, although I'm not entirely sure whether it's a valid zip.
I'll try with a few more zipbombs.
Author
Owner

It seems to not be that affected; as long as I apply enough ratelimits it shouldn't be possible to do a DoS using zipbombs, as it does sort of increase the memory temporarily.
I think I can mark that off as fixed.
Author
Owner

88fc57da822b0dd5c444d0eeafcb5b9244beb7ab does md5 checksum checking and duplicate file prevention.
Reference: oat/in-the-database-2#1