Comments (4)
caronc
commented on August 22, 2024
Hmm... One thing you could do is park an NginX server in-front of your webpage and strip off any kwargs passed in?
Alternatively do you think it would be better to have 2 separate URLS... or maybe a global system variable you can specify that turns this off when set (like an ALWAYS_PRIVACY_MODE=1)?
There is also the /get/{key} which returns the URLs so they can be used by the external apprise CLI (remotely). So setting this suggested flag would have to disable this too...
Thoughts?
from apprise-api.
n1nj4888
commented on August 22, 2024
Hi @caronc - The use of a global variable such as ALWAYS_PRIVACY_MODE=1 forcing all passwords to be obscured in GET calls / any response data sounds like a good idea
from apprise-api.
caronc
commented on August 22, 2024
I know it's been a very long time since I've looked at this, but I've finally had time to. But while doing it, i saw that there were quite a few flaws with the request and I wanted to bounce them off you to see if it was still worth changing up how we could handle this.
First off; i think the problem here is the fact that anyone can change the URL http://localhost:8000/json/urls/{token}?privacy=1 to http://localhost:8000/json/urls/{token}?privacy=0. I get this. But if I were to force the privacy to always be 1 the same attacker could also just extract your configuration from http://localhost:8000/cfg/{token} (which is your Configuration Screen itself in the API); it's also the location referenced by the CLI tool --config option (if you're using it). So this PRIVACY_MODE would also have to disable the these 2 features when set. Was this kind of what you're going for?
- Someone would set up their Apprise Configuration in the API and then shut it down.
- They would then set an agreed upon Environment Variable; This setting would then disable:
- The
--config=option from the Apprise CLI (disabling it); but you can still use theapprise://plugin recently added as an alternative (coming out in the 0.9.6 release). - The Configuration tab from the GUI
- The
/json/urls/{token}/would continue to operate (but enforcing privacy mode always
- The
This would probably resolve #46 as well since you would no longer be able to update your configuration anymore with this shared global variable.
Does this make sense? What are your thoughts?
from apprise-api.
caronc
commented on August 22, 2024
Just letting you know the last PR should solve all of your very valid issues you pointed out! 👍
from apprise-api.
Related Issues (20)
- Apprise & IPv6 HOT 14
- Add a configuration option for attachment limit HOT 4
- Tags AND, OR logic not working as expected HOT 8
- Question about inconsistency in the tag(s) parameter for apprise-api HOT 2
- Prometheus endpoint HOT 2
- Groups are not working with Apprise-API HOT 1
- docker compose error HOT 2
- Add Prometheus Metrics HOT 1
- Does the api support ntfy file attachments? HOT 10
- django.request: Failed Dependency Explanation HOT 4
- receiving outside web hook messages HOT 19
- Signal using curl: django.request: Failed Dependency: /notify/apprise HOT 6
- Errors in the CURL examples in configuration overview HOT 2
- Telegram: Is there a way for it to ignore all tags? HOT 13
- Webinterface Notification panel report "Bad Attachment" when none as been chosed HOT 5
- Bad Request: /notify/apprise in Docker HOT 2
- A typo in apprise-api website HOT 4
- Refactor General Display of Loaded URLs HOT 11
- Bad attachment warning for attachments > 10 MB HOT 8
- Can I customize or map [title] and [body] these two request parameters? HOT 8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from apprise-api.