nning / imgshr


Simple image gallery sharing web application.

License: GNU Affero General Public License v3.0

Ruby 54.38% JavaScript 23.65% CoffeeScript 0.55% HTML 0.80% Shell 1.74% Dockerfile 0.76% PLpgSQL 0.32% SCSS 3.04% Sass 0.66% Haml 14.05% Procfile 0.05%
Topics: gallery, ruby, rails, image-sharing

imgshr's People

Contributors: dependabot-preview[bot], dependabot[bot], depfu[bot], nning, snyk-bot

Forkers: ingobecker

imgshr's Issues

Dependabot couldn't reach https://rails-assets.org/ due to underlying error <too many connection resets (https://rails-assets.org/specs.4.8.gz)> as it timed out

Dependabot couldn't reach https://rails-assets.org/ due to underlying error <too many connection resets (https://rails-assets.org/specs.4.8.gz)> as it timed out.

Is https://rails-assets.org/ due to underlying error <too many connection resets (https://rails-assets.org/specs.4.8.gz)> accessible over the internet? If it is then this may be a transitory issue and can be ignored - Dependabot will close it on its next successful update run.

View the update logs.

Thumbnails for encrypted galleries

Create Thumbnails for encrypted images on the client side. This might speed up the loading of galleries as well as save users of mobile plans some of their valuable bytes.

Set secure headers by the webserver

secure_headers is a good way to ship imgshr with some protection by default, but I think it might be more secure to set those headers outside the scope of the web application code. In case of a remote code execution it is possible for an attacker to remove or override the headers. If the headers are supplied by a webserver configuration which isn't modifiable by the application code, removal or modification can be prohibited.
The goal should be to prevent js code from being injected. Modification or removal of the headers leads to the possibility of injecting js code. So far, the only way to extract the client side encryption key from the localStorage is by injecting malicious js code.
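An added example (not imgshr's code, nor the secure_headers gem) of a check a defender can run against what the browser actually receives: it audits a header map for a Content-Security-Policy that blocks inline script, regardless of whether the webserver or the application set it. Header names are assumed lowercase, as the Fetch Headers API reports them, and the sample header sets are constructed.

```javascript
// Added example: audit the security headers a client actually receives,
// independent of which layer (app or webserver) emitted them.

// Parse a Content-Security-Policy value into {directive: [sources]}.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Return a list of findings; an empty list means the headers block script
// injection as far as these checks go.
function auditSecurityHeaders(headers) {
  const findings = [];
  const csp = headers['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const policy = parseCsp(csp);
    // script-src falls back to default-src when absent.
    const scriptSrc = policy['script-src'] || policy['default-src'];
    if (!scriptSrc) {
      findings.push('CSP has neither script-src nor default-src');
    } else {
      for (const bad of ["'unsafe-inline'", "'unsafe-eval'", '*', 'data:']) {
        if (scriptSrc.includes(bad)) findings.push(`script-src allows ${bad}`);
      }
    }
    if (!policy['frame-ancestors'] && !headers['x-frame-options']) {
      findings.push('no framing restriction (frame-ancestors / X-Frame-Options)');
    }
  }
  if ((headers['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  return findings;
}

// Constructed samples: a weakened app-level header set beside a strict one
// of the kind a webserver configuration would enforce.
const weakHeaders = {
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
const strictHeaders = {
  'content-security-policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'x-content-type-options': 'nosniff',
};
```

Running the audit against a live deployment means fetching the gallery page and passing the response headers in; a non-empty result on a page that should be locked down is the signal that the webserver-level policy is not in effect.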

non docker deployment

Is it possible/is there a how to on deploying this to a shared hosting environment that does not have docker?

qrcode not shown

If I open the "gallery info" modal the first time I visit a gallery, only "QR" is shown instead of an actual qrcode. If I close the modal window and open it again, the qrcode is shown as expected. This only affects the normal qrcode for sharing a gallery link.

Client side encryption key sharing by URL

Sharing keys for client side encryption is done by attaching them to the hash part of a gallery URL. This solves the problem of including the key in the URL while preventing the browser from sending it to the server when visiting it.

Following problems arise by doing so:

  1. The hash part is saved in the global browser history and it seems that there is nothing that could be done about it from a programmer's point of view.

  2. It is very easy to leak the key for example by pasting it online, using link shorteners etc.

One way to deal with it, might be to display a warning that points out those problems, if a user tries to share the key by URL.

Possible paths to a URL with a key in it should be minimized.

In case a user visits a URL with a key in it, the hash must be removed from the URL by js immediately to minimize the risk of the user pasting a leaky URL.
Also a flash message should be shown which says something like "please clean your history" every time a URL is visited that contains a key.

Another solution could be to only "allow" key sharing by URL via a qrcode. Simply remove all ways from the site that give the user access to a URL with a key in it. This prevents the user from pasting it to the wrong location.

The qrcode should only be shown if the user explicitly demands it and it should be the only qrcode that is shown in this case. It is very easy to confuse the qrcode with and without the key.
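An added example (not imgshr's code) of the immediate hash removal proposed in this issue, written in JavaScript: the key is split from the URL, handed to a storage callback, the address bar is rewritten without a navigation, and a notice callback carries the "clean your history" message. The fragment format `#k=<key>`, the callback names and the sample URLs are assumptions for the demonstration.

```javascript
// Added example: strip a client-side encryption key from the URL fragment
// as soon as the page loads, so the visible URL can no longer leak it.

// Pure part: split a gallery URL into the embedded key (if any) and the same
// URL with the fragment removed. Works on strings so it runs outside a browser.
// Assumed fragment convention: "#k=<url-safe key>".
function splitKeyFromUrl(url) {
  const parsed = new URL(url);
  const match = /^#k=([A-Za-z0-9_-]+)$/.exec(parsed.hash);
  if (!match) return { key: null, cleanUrl: url };
  parsed.hash = ''; // an empty value drops the fragment entirely
  return { key: match[1], cleanUrl: parsed.toString() };
}

// Browser part: move the key out of the address bar before the user can copy
// the URL. history.replaceState rewrites the current entry without a
// navigation, so the server never sees the fragment. Earlier history entries
// and synced history may still hold it, hence the notice to the user.
function stripKeyFromLocation(storeKey, showNotice) {
  if (typeof window === 'undefined') return null; // not running in a browser
  const { key, cleanUrl } = splitKeyFromUrl(window.location.href);
  if (key === null) return null;
  storeKey(key);
  window.history.replaceState(null, '', cleanUrl);
  showNotice('This link contained a gallery key; please clean it from your browser history.');
  return key;
}
```

Call `stripKeyFromLocation` as the first script on the gallery page, before anything that might read or display `location.href`, so the QR code path remains the only place a key-bearing URL is ever rendered.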
