strapi-provider-upload-azure-storage
Contributing
Hi Jake,
I've read your message in the readme. I was wondering whether this plugin supports secured upload URLs.
So, like Amazon, where you have signed URLs for downloading an image or video, to prevent unauthorized access.
If not, we could check together whether this is possible with Azure Blob Storage. And also, since this repo has not been maintained for over 7 months, upgrade it to support the latest Strapi, etc.
Cheers, Kevin
Hello @kevinvugts, thanks for reaching out. Azure uses SAS (Shared Access Signatures) rather than presigned URLs. We merged some changes (https://github.com/jakeFeldman/strapi-provider-upload-azure-storage/pull/64 and https://github.com/jakeFeldman/strapi-provider-upload-azure-storage/pull/67) to support SAS tokens, but it could use some clean-up and better testing. Specifically, images were not rendering inside the Strapi dashboard.
I would welcome some PRs to help solidify this. LMK if this is something you're interested in working on.
My time to support this is small. I don't work with Strapi or Azure too frequently anymore so any help I can get to keep the package up to date would be awesome.
Thanks
Hey @jakeFeldman, first of all thanks for this awesome plugin 👍 I tried getting in touch with you through your website, but the contact form unfortunately seems not to be working at the moment. So I wanted to contact you here.
I am working with Strapi very often and this plugin is really helpful now that I am working with Azure as well. Are you still looking for maintainers? I would be interested in helping you maintain this project :).
This PR, for example: https://github.com/jakeFeldman/strapi-provider-upload-azure-storage/pull/72 is a feature that would be great for me. I would be glad to help you maintain the project, so we can merge features like that.
Let me know if you're interested 👍
Best regards, Lucas Ramos
Hey @ls-ramos thanks for reaching out. Also, thanks for letting me know the contact form on my site is down. I'll get that fixed 😅
Yes, I am still looking for help to maintain the package and keep it current. Do you mind taking a look at the PR and making sure everything works e2e? I haven't worked with Managed Identities in Azure, so someone more familiar would be good.
Thanks and look forward to working with you.
Jake
Hi @jakeFeldman
Just a question regarding your current effort so far. It looks like you currently write the file URL, containing the SAS token (if any is set in config.js), directly to the database.
This means that if you have a create/read/update/delete SAS token, it will be publicly present in the DB table "Files". So when you call Strapi from a front-end app, you get this file URL including the SAS token.
Isn't this, in terms of security, quite a leak? I mean, in my opinion it would be better to store the plain URL that doesn't contain the SAS token. And as soon as you want to load the image from the media library or a front-end app, you include the "?" parameter with the SAS token specifically meant for the client that is calling it, with appropriate permissions.
After inspecting your plugin more thoroughly, it also looks like you don't export the getSignedUrl() and isPrivate() functions in the plugin interface. Is there any specific reason for this? (https://docs.strapi.io/dev-docs/providers)
Could you elaborate more on this?
In addition to the above, I would like to raise a bug in Strapi "4.12.5". I don't think this is related to your plugin, but I just wanted to make sure it isn't. Currently the file is uploaded as expected, including the SAS token and such, to the database. However, when I open the media library in the Strapi admin panel, an additional "?" is added at the end of the URL, which is currently causing an error with the signature validation and fails with a 403, not displaying the image in the media library.
Is this something that happens on your side as well? Please let me know!
@kevinvugts if the key allows CUD operations and is saved to the DB, then this would pose a security concern. Have you confirmed that the SAS token is saved in the database? Full transparency: I never used this package with a SAS token; that support was added by an external contributor.
After inspecting your plugin more thoroughly, it also looks like you don't export the getSignedUrl() and isPrivate() functions in the plugin interface. Is there any specific reason for this? (https://docs.strapi.io/dev-docs/providers)
These are newer methods and did not exist in version 3 when I created this plugin. There's no reason not to implement them. I've posted before that I don't have a lot of bandwidth to manage this package. Do you have the bandwidth to investigate and make the needed updates to ensure this isn't a security concern?
If you would like to have a more active role in managing the package I would welcome the contributions.
Thanks