Handling of downloaded media is unsafe
Currently, when a user wants to access some data in the chat, e.g. an image, we ask the SDK to give us mediaPath. If that fails, we can download it by doing:
https://github.com/acterglobal/a3/blob/ddef5c2e2f861e1652f82ffd9556609ff5e770cd/app/lib/features/chat/providers/notifiers/media_chat_notifier.dart#L62-L74
Now, the attentive reader probably asks themselves: if we have to provide a specific path for the download, and that is a temporary path, how does mediaPath not require that parameter? Or, more specifically, what is the path we get out of that mediaPath? And the reader might become suspicious that we are storing said temporary path and returning it from mediaPath.
And the reader would be correct:
https://github.com/acterglobal/a3/blob/ddef5c2e2f861e1652f82ffd9556609ff5e770cd/native/acter/src/api/room.rs#L1514-L1518
This is unsafe for several reasons:
- The data contained in the download could be encrypted data. As we clearly are not clearing the file after reading it (or the entire mediaPath thing wouldn't work in the first place), that means we are keeping data in plaintext at rest. That is not okay.
- As this is a temporary path, it can be cleared at any point. Storing this path is unsafe, as it could have been cleared at any time. Such a path should never be stored on the client side.