circumventing get and post request popup #883

Open
jeanahelver opened this issue Aug 10, 2020 · 4 comments
Labels
Security Relating to protecting users or data

Comments

@jeanahelver

Any component with a Uri can be used to send data from LogiX to a server without prompting the user about the server request.

It's not really an issue, but it could be used for circumventing the whitelist, as you could send data back as part of garbage files like the resolution of a texture.

@Frooxius
Collaborator

This doesn't really let you circumvent the system, because you can't make arbitrary GET and POST requests to a given endpoint. The system will only attempt to download an asset, which you can register, but you can't attach any significant payload (other than the URL itself).

Loading assets from web sources could be limited in some way, but the question is where to draw the line. You can import pictures and videos from various web sources. We could make a limited list of allowed ones, but that would severely reduce the functionality, so it's mainly a question of how big of a concern it really is.

@Frooxius Frooxius added the Security Relating to protecting users or data label Aug 10, 2020
@Psychpsyo
Contributor

Couldn't there be a solution where the user who spawns an image/video requests it from the server and then distributes it to everyone else in the session, similar to how local file imports are handled right now?

@Frooxius
Collaborator

Frooxius commented May 8, 2021

@Psychpsyo Hmm, that might actually be a good solution. Although video streaming would be a tricky one, since it would be a bit more involved to relay all the traffic somehow (that's handled by the streaming library); it would have to be tunneled somehow. But even doing it for most other assets could be a benefit there.

@AshtonSparx Because it's not a bug and not a super practical method. You can't really mine anything you couldn't get otherwise by just being in the session with the user. You load tons of pictures and assets and other resources on the web from all sources every day. We can look into ways to mitigate this, like @Psychpsyo proposed, but unless you want to block functionality to import a lot of the web content into Neos completely (maybe for a few whitelisted URLs), it's not something you "fix".
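A defender-side sketch of the "allowlist some hosts, prompt for the rest" policy weighed in the two Frooxius comments above, plus a check for the channel jeanahelver describes (data smuggled out as part of an asset URL). This is an added illustration, not code from the Neos project; the host names, the threshold and the function name are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment would keep its own.
ALLOWLISTED_HOSTS = {"cdn.example.com", "media.example.org"}

# An asset reference rarely needs a path segment or query string this long;
# anything larger is treated as possibly carrying smuggled data. Constructed threshold.
MAX_OPAQUE_COMPONENT = 64


def asset_fetch_decision(uri, allowlist=ALLOWLISTED_HOSTS):
    """Return (decision, reason) for a remote asset fetch triggered by a world.

    decision is one of "allow" (load silently), "prompt" (ask the user first)
    or "block" (never fetch). Hypothetical policy function, not a Neos API.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return "block", "unsupported scheme"
    host = (parts.hostname or "").lower()
    if not host:
        return "block", "missing host"

    # The thread's concern: the URL itself is the only payload an asset fetch can
    # carry, so an oversized opaque component is the thing worth refusing outright.
    components = [parts.query] + parts.path.split("/")
    longest = max(len(c) for c in components)
    if longest > MAX_OPAQUE_COMPONENT:
        return "block", "oversized URL component"

    if host in allowlist:
        return "allow", "allowlisted host"
    # Everything else still works, but only after the user sees the request.
    return "prompt", "host not allowlisted"


if __name__ == "__main__":
    for sample in (
        "https://cdn.example.com/textures/wall.png",
        "https://other.example.net/textures/wall.png",
        "https://other.example.net/textures/wall.png?" + "A" * 100,
        "ftp://cdn.example.com/textures/wall.png",
    ):
        print(sample[:60], "->", asset_fetch_decision(sample))
```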

@jeanahelver
Author

Small update to this: can now send data back into Neos as a string using the subtitle animation without a user prompt, by stuffing the "payload" into an SRT file.
