[FEATURE] Mechanism for prevent spam gov #29
Comments
|
It might be worth looking into adding CSRF & XSS "safe-html encoding" protection to the system processing the contents of gov proposals to try to block some of the phising attacks aimed at our users? :) |
ZaradarBH
added
the
out of scope
ZaradarBH
changed the title
|
Hi since this is something I'd been thinking about here is a medium article to outline a possibility. |
|
Formatting updated and acceptance criteria added. |
|
So I and @edk208 looked it up. A minimum initial deposit for gov props is available in Cosmos SDK since v0.47. So if we don't update the SDK to that version in the mid-term, then we would have to backport it to get it... |
|
Hi, I hope this is the right place to ask, but wouldn't it be also helpful to enhance the matching pattern for external links in a gov proposal to match any string that would be recognized as an URL by a common browser? I did a fast check and it seems that any string that consists of "the usual letters" (a-z, umlauts, accents etc.) and dots, followed by a valid TLD, is considered a domain name. Thus any such string, maybe followed by a Right now scam proposals with "links" to malicious sites like "www.v2Terra.de" still show up regularly. I think enhancing the matching pattern for external links could stop those, since the scammers would not have an easy way to point inexperienced users to their websites anymore. Regards, |
|
@letorbi, I have a pending PR with TFL station (stationmoney/station#159) that attempts to expand the regex used for detecting URL patterns initially established by the implementation of governance prop 7101. Part of the challenge here is dealing with obfuscated URL patterns as well (www. v2terra. de) with spaces, etc. while not overmatching (e.g. something like "LUNC is great. Be sure to participate!", where "great. be" might considered a "valid" domain obfuscated by whitespace. If we omit obfuscation, the regex simplifies, but the risk is that we end up with a similar volume of spam props with newly-obfuscated URL patterns. Arguably, most modern browsers won't accept URLs with whitespaces, so perhaps the obfuscation approach would be a zero-sum game to those attempting to put forward spam proposals and we would see a natural attrition of these spam props given the lack of economic viability. Furthermore, Interchain station has not currently adopted the URL obfuscation changes in 7101, but I'll be keeping an eye on how that develops with the pending PR and see if another PR might be warranted. At the L1 level, URL regex detection might be possible, but great care is warranted to not overmatch. |
|
The Terra Station repo is indeed the better place to ask ;) However, it is great to see that a PR regarding my idea already exists. I'll write there, if I have any suggestions regarding the regex or anything else. Thanks for your work, I hope it gets merged. |
|
Not directly L1 related, but stationmoney/station#202 has been submitted to Station to improve end-user education around mnemonic security and (hopefully) limit the effectiveness of external URL links in gov proposals for spam purposes. |
|
This issue has been rescoped to only focus on the proposal itself, the POC work has been moved here: #41 |
|
@fragwuerdig told me Classy has already authored the propsal. So there is really no reason for us to do more on this subject. Will close this issue as the remaining work is done in #41 |
Problem definition
Currently, we have many spam/scam gov proposals. We should have a mechanism to prevent those.
Feature specification
Add initial deposit requirement for proposals, when the user wants to submit a proposal, they need to deposit a part of the government-required deposit.
Acceptance Criteria
Additional context
The text was updated successfully, but these errors were encountered: