Comment

Comment on Probably want to stop using Booklore...

PoliteDudeInTheMood@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago

It’s not, the second I cloned it and gave codex access it found a whole whack of privacy issues. This was 100% human coded

source

Sort:hotnew top

fccview@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
degoog Dev here, definitely not vibecoded. Would you be able to tell me all these whack of privacy issues? I thought I had everything covered, but if you found something concerning it’d be nice to know before I get it out of beta :)

source
- PoliteDudeInTheMood@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago
  Fixed credential-exfiltration risk in /api/proxy/image: Previously the endpoint could:
  
  accept arbitrary auth_id
  
  load stored API keys
  
  forward them to attacker-controlled URLs
  
  Enforced outbound host allowlist globally Previously:
  
  allowlist existed
  
  but outgoingFetch() didn’t enforce it
  
  plugins/engines could bypass it
  
  Fixed extension store path traversal Previously a malicious store manifest could:
  
  inject … paths
  
  escape install directories
  
  reference arbitrary files
  
  Hardened proxy IP trust Previously:
  
  rate limiting trusted any X-Forwarded-For header
  
  clients could spoof their IP
  
  Fixed inconsistent settings authentication Previously:
  
  settings UI stored an auth token
  
  but the settings modal didn’t send it when saving
  
  Implemented Improved proxy deployment support
  
  Added proxy-aware behavior:
  
  DEGOOG_PUBLIC_BASE_URL for canonical URLs
  
  secure cookie handling when X-Forwarded-Proto=https
  
  Additional Improvements:
  
  suggestion fetching hardened
  
  DuckDuckGo suggestion parsing fixed
  
  unified outbound request handling
  
  install state guard properly cleaned up
  
  source
  - fccview@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Thanks, I’ll individually look into all of these ♥️ I’ll say some of them are more conscious compromises for the sake of an open scalable system where third party extensions can truly edit anything (intentionally) and everything around Auth/secure cookie is also fairly lax due to the fact the Auth is just a protection for the settings (which literally stop the settings from being served by the client), in the moment I decide to add some more structured Auth system/maybe users I’ll look into proper secure cookie handling.
    
    This is an awesome report, thank you so much for sharing it!!!
    
    source
  - fccview@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Hey sorry for the delay, dealing with a lot right now, but I didn’t forget about it.
    
    1 - Fixed this, the api key is now only forwarded if the destination hostname matches the plugin’s stored url. 2 - As I was saying, the allowlist is opt-in by design (null = allow all), and plugins legitimately need to make arbitrary outbound requests. Enforcing it globally would break the plugin system. 3 - Fixed this, it was quite simple 4 - I have added an env var (DEGOOG_DISTRUST_PROXY), if set to true it’ll make it so all users share the same rate limit regardless of their IPs, I left it as an opt in as most users currently running it are only keeping it private behind their own in house reverse proxies. This will be handy for a public instance for example 5 - Extension settings modal now correctly sends x-settings-token on save. 6 - As I said, auth is intentionally lax until a more structured auth system is added, may need to be a few weeks after stable is live, after all there’s no real auth and the setting password protected and private view should be secure enough as it is
    
    btw all this is not live yet, it’ll be sent live with the next release ♥
    
    source