the uploads are JANKY as SHIT

oat commented

2020-09-02 18:35:16 +00:00

Owner

there are barely any checks for it
the .sm file can be anywhere other than the root, there can be more than one and it doesnt check if the .sm file is even properly structured
so anyone can upload just a garbage .sm file and itll be published just fine
this is mainly a problem with the parser, the zip .sm searching can be fixed relatively easily but as of now the uploading system is held together by duct tape

there are barely any checks for it the .sm file can be anywhere other than the root, there can be more than one and it doesnt check if the .sm file is even properly structured so anyone can upload just a garbage .sm file and itll be published just fine this is mainly a problem with the parser, the zip .sm searching can be fixed relatively easily but as of now the uploading system is held together by duct tape

oat commented

2020-09-05 01:06:36 +00:00

Author

Owner

file checks:

check zipbombs and invalid formats
fix zipbomb errors
make 2 .sms make an upload invalid
check if .sm is at the root OR in a folder at the root (only if the root has no other folders)
don't upload malformed .sms
implement a ratelimit

database checks:

~~check if theres already a song with the same artist and title~~ (nevermind, bad idea)
check if theres already a file with the same checksum

other checks:

upload as unlisted by default, let client edit the file properties after its uploaded

file checks: - [x] check zipbombs and invalid formats - [x] fix zipbomb errors - [ ] make 2 .sms make an upload invalid - [ ] check if .sm is at the root OR in a folder at the root (only if the root has no other folders) - [ ] don't upload malformed .sms - [ ] implement a ratelimit database checks: - [x] ~~check if theres already a song with the same artist and title~~ (nevermind, bad idea) - [x] check if theres already a file with the same checksum other checks: - [ ] upload as unlisted by default, let client edit the file properties after its uploaded

oat commented

2020-10-12 01:11:45 +00:00

Author

Owner

zipbombs shouldnt work, ive looked into how basic zipbombs work and they shouldnt affect itdb2

oat commented

2020-11-07 01:07:48 +00:00

Author

Owner

i ran a 10gb zipbomb on it, and wowee! it errors and crashes
doesnt seem like it does any permanent damage though, only an unhandled "bad archive" error
https://github.com/bones-codes/bombs/raw/master/archives/10GB/10GB.zip.bz2

i ran a 10gb zipbomb on it, and wowee! it errors and crashes doesnt seem like it does any permanent damage though, only an unhandled "bad archive" error https://github.com/bones-codes/bombs/raw/master/archives/10GB/10GB.zip.bz2

oat commented

2020-12-26 20:13:55 +00:00

Author

Owner

oh fun!! this error is unsolvable unless i use a different library
that is exactly what im going to do

oh fun!! this error is unsolvable unless i use a different library that is exactly what im going to do

oat commented

2020-12-26 20:26:50 +00:00

Author

Owner

88fc57d should have fixed the above error, although im not entirely sure whether its a valid zip
ill try with a few more zipbombs

88fc57d should have fixed the above error, although im not entirely sure whether its a valid zip ill try with a few more zipbombs

oat commented

2020-12-26 20:31:08 +00:00

Author

Owner

it seems to not be that affected, as long as i apply enough ratelimits it shouldnt be possible to do a DoS using zipbombs, as it does sort of increase the memory temporarily
i think i can mark that off as fixed

it seems to not be that affected, as long as i apply enough ratelimits it shouldnt be possible to do a DoS using zipbombs, as it does sort of increase the memory temporarily i think i can mark that off as fixed

oat commented

2020-12-26 20:39:27 +00:00

Author

Owner

88fc57da82 does md5 checksum checking and duplicate file prevention

88fc57da822b0dd5c444d0eeafcb5b9244beb7ab does md5 checksum checking and duplicate file prevention

the uploads are JANKY as SHIT #1