[Security Concern] Uploaded JSON files are publicly accesible at https://cdn.ilovejson.com/ about ilovejson HOT 9 CLOSED

@DiegoFleitas Thanks for the heads up!

Will fix it up soon.

from ilovejson.

The notice should be correct now we fixed the cron expression.
Good day

from ilovejson.

Until this issue is deal with I suggest people to use https://jsonformatter.org/csv-to-json
It's not open source but the FAQ states it only saves JSON files you explicitly click save on & warns the user that saved links are public unless logged in.

from ilovejson.

@DiegoFleitas Security concern has been solved now.

from ilovejson.

@DiegoFleitas Security concern has been solved now.

Hi Darshan, thanks for the update, but the issue has not been solved.
I've just tried it and the file is still uploaded publicly on your server after the 2 minutes mark.
It wasn't deleted after 2 minutes as the notice claims.
ex: https://www.ilovejson.com/downloads/csvtojson/1653240635437.json
@dr5hn

from ilovejson.

@DiegoFleitas Security concern has been solved now.

Hi Darshan, thanks for the update, but the issue has not been solved. I've just tried it and the file is still uploaded publicly on your server after the 2 minutes mark. It wasn't deleted after 2 minutes as the notice claims. ex: https://www.ilovejson.com/downloads/csvtojson/1653240635437.json @dr5hn

Following up since the URL I posted is not accesible anymore.
The majority of files uploaded seem to still be kept on your server as you can see with a simple request you get the data the uploaded file contained regardless how much time passes. You should know It is not honest to tell a user his data is deleted when it is not - and in some contexts might actually be illegal - I believe you are knowledgeable enough to do the right thing @dr5hn

from ilovejson.

@DiegoFleitas Thanks for your concern. I really appreciate you putting your time into finding security flows within the package.

I will update the notice and say "Your files will be publicly available until 2mins"

Regarding the old CDN server, I have deleted that server, That server doesn't exist anymore so the files are gone now.

I've migrated the app from Heroku to VPS and added a cronjob to delete uploaded files.

Configuration screenshot

I don't know why it didn't delete your files at the 2mins mark.

Can you help me on how do I solve this issue more efficiently?

from ilovejson.

Hey, glad you are working on this.
It seems your cronjob expression is not doing exactly what you want, instead of running every two minutes is written to run at minute 2. The correct expression would be
*/2 * * * *
Its a common error, I personally double check my cron expressions with something like https://crontab.guru/#/2_*_
@dr5hn

from ilovejson.

@DiegoFleitas Oh Man, My Bad! Thanks!

I've fixed the cron configuration!

Also can you please help me with updating the notice's wordings? What should it say?

from ilovejson.