Randomized URL path? #31

Closed
opened 2020-11-28 02:52:17 +01:00 by tddschn · 6 comments
tddschn commented 2020-11-28 02:52:17 +01:00 (Migrated from github.com)

Sometimes I upload 2 files in a short period of time to 0x0.st and the returned URLs would be like `https://0x0.st/aAAA.sh` and `https://0x0.st/aAAB.sh` - if I upload a .sh file again, it would be `https://0x0.st/aAAC.sh`.

I don't think it's a very good idea from a security perspective to use sequential:

  • An attacker can get a URL by uploading a file, and try to guess the file extensions of following URLs since the number of extensions is fairly limited. If the guess works, the attacker gains access to files that are not meant for her / him.

I also use file.io for file sharing and it seems that file.io returns randomized URLs like `file.io/x0S9aORy8O2c`, and returns a completely different URL for the next upload, which feels more secure.

You can test file.io with `curl -F "file=@<path-to-the-file>" "https://file.io/?expires=1d"`.

rany2 commented 2020-12-30 14:29:29 +01:00 (Migrated from github.com)

I'm not in favor if this became default. Having it work like that if the URL had `?private=1` or something of the sort would be better.

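To make the trade-off in this thread concrete, here is an added illustration (not code from 0x0 or from any commenter) of the two allocation strategies side by side: a short sequential base-62 ID like the `aAAA` -> `aAAB` pattern in the report, and an opt-in random ID selected by a `?private=1` query parameter as rany2 proposed. The `IdAllocator` class, the 4-character sequential width, the 8-character random length and the `guess_space` / `id_entropy_bits` helpers are all assumptions made for this demo; the point they show is that with sequential IDs the only unknown in a neighbouring upload's URL is its extension, whereas a random ID has to be guessed in full.

```python
import math
import secrets
import string
from urllib.parse import parse_qs

# 62-symbol alphabet: mixed-case letters plus digits, the character set seen in 0x0.st paths
ALPHABET = string.ascii_letters + string.digits


class IdAllocator:
    """Toy allocator (constructed for this illustration, not 0x0's code).

    Sequential mode imitates the aAAA -> aAAB behaviour from the report;
    private mode hands out an unpredictable token from the OS CSPRNG.
    """

    def __init__(self, seq_width=4, private_len=8):
        self.seq_width = seq_width      # assumed width of the short sequential IDs
        self.private_len = private_len  # assumed length of random IDs
        self._counter = 0
        self._issued = set()

    @staticmethod
    def to_base62(n, width=4):
        """Encode a counter as a fixed-width base-62 string, padded on the left with the lowest symbol."""
        digits = []
        while n:
            n, r = divmod(n, 62)
            digits.append(ALPHABET[r])
        return "".join(reversed(digits)).rjust(width, ALPHABET[0])

    def allocate(self, private=False):
        if not private:
            self._counter += 1
            return self.to_base62(self._counter, self.seq_width)
        while True:  # retry on the (astronomically unlikely) collision with an issued token
            token = "".join(secrets.choice(ALPHABET) for _ in range(self.private_len))
            if token not in self._issued:
                self._issued.add(token)
                return token

    def allocate_for_request(self, query_string):
        """Opt-in variant of rany2's suggestion: a '?private=1' query switches to random IDs."""
        private = parse_qs(query_string).get("private", ["0"])[0] == "1"
        return self.allocate(private=private)


def id_entropy_bits(id_len, alphabet_size=len(ALPHABET)):
    """Bits of uncertainty in a uniformly random ID of the given length."""
    return id_len * math.log2(alphabet_size)


def guess_space(id_len, n_extensions, sequential):
    """Number of candidate URLs for one neighbouring upload.

    With sequential IDs the path is known up to the extension, so only the
    extension list contributes; with random IDs the whole ID is unknown too.
    """
    if sequential:
        return n_extensions
    return len(ALPHABET) ** id_len * n_extensions


if __name__ == "__main__":
    alloc = IdAllocator()
    print("sequential:", alloc.allocate(), alloc.allocate())  # aaab aaac
    print("private:   ", alloc.allocate_for_request("private=1"))
    print("entropy of an 8-char random ID: %.1f bits" % id_entropy_bits(8))
    print("candidate URLs per neighbour with 20 extensions:",
          guess_space(8, 20, sequential=True), "vs", guess_space(8, 20, sequential=False))
```

The random path uses `secrets` rather than `random` because the whole value of the scheme rests on the token being unpredictable; with 8 symbols from a 62-character alphabet that is roughly 47.6 bits, which keeps the URL short and typeable while removing the "known prefix, guess the extension" property of the counter.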
tddschn commented 2020-12-30 16:07:30 +01:00 (Migrated from github.com)

What are your reasons? @rany2

rany2 commented 2020-12-30 17:19:46 +01:00 (Migrated from github.com)

@tddschn Keeping the URL short and easy to type.

tddschn commented 2020-12-30 17:36:40 +01:00 (Migrated from github.com)

Yeah that makes sense @rany2.
But randomized URLs can also be short and easy to type. :)

ralyodio commented 2021-01-18 12:19:41 +01:00 (Migrated from github.com)

checkout nanoid

1480c1 commented 2021-01-18 21:32:35 +01:00 (Migrated from github.com)

I don't think having a randomized URL really influences security considering that with 0x0 there's no access control in general and no way to set a link to be expiring or unusable after one click, as compared to file.io.

Plus, I've seen more people use 0x0 to share small stuff like patch files and sample video clips etc than use it for confidential sharing. If you are looking for something like that, maybe something like https://github.com/schollz/croc or even ipfs might be a better choice (if limited to open source tools) since for croc, it's a one-time transfer (although you lose the URL access) and for ipfs, I think it would be harder to guess a hash as compared to a URL and you can choose to delete or add whenever you want, at least locally, not entirely sure if I grasp ipfs so I could be wrong.

Reference: mia/0x0#31