Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Documentation on how to prevent anyone from uploading files

See original GitHub issue

This may be already solved, or considered trivial by more experienced people, but I just want to host documentation for a project of mine.

If I now host my Docat website and link to a project, any user could click the home icon: and then upload anything, since that does not require a token of any sort, if the version name is different: besides this being a possible security risk I also don’t want anyone to be able to upload files.

Otherwise, anyone would also be able to upload files using curl:

curl -X POST -F "file=@malicious-archive.zip" http://localhost:8000/api/existing-project/none-existing-version

Either there is some obvious difference between my localhost website and a public one, but if anyone can also upload files from anywhere, I think this should be solved?

Issue Analytics

State:
Created a year ago
Comments:6 (2 by maintainers)

Top GitHub Comments

1reaction

cocoonkidcommented, Apr 15, 2022

I recommend you use Authelia or something similar to easily manage access.

This is not really in the project scop imho.

0reactions

fliiiixcommented, Aug 7, 2022

@feefladder you where on the right track but there is not really a need to build your own container. There preferred solution to this problem is to host the docker container behind a reverse proxy where you can implement basic auth or what ever else of restrictions you want to have.

And the other option is to override and adjust the NGINX config inside the docker container. I documented both in the wiki for future use: https://github.com/docat-org/docat/wiki/HTTP-Basic-Auth