
Spam

Open greggman opened this issue 1 year ago • 14 comments

People suck! You try to do something nice and someone always and without fail shits all over you 😢

[Screenshot attached: 2024-01-05 at 16:07:09]

greggman avatar Jan 06 '24 00:01 greggman

Thank you for the heads up. I'm trying to clean up.

jfontan avatar Jan 06 '24 02:01 jfontan

I believe I've cleaned up most of it. The service is up again.

jfontan avatar Jan 06 '24 02:01 jfontan

I'll close it tomorrow if I can't find any more entries like that.

jfontan avatar Jan 06 '24 02:01 jfontan

It happened again. I took down the page while I find time to clean up and add a check to somehow alleviate it. Today I believe I won't have time to do it.

jfontan avatar Jan 06 '24 15:01 jfontan

> It happened again. I took down the page while I find time to clean up and add a check to somehow alleviate it. Today I believe I won't have time to do it.

What is this exploit exactly and how are you going to patch it?

Is there going to be an ETA on when the site is going to be back up?

Skoopyy avatar Jan 06 '24 16:01 Skoopyy

So the exploit works by just spamming the shader upload form (POST https://glslsandbox.com/e), and I think the best way to fix this would be to add a captcha (Cloudflare Turnstile, for example) to the shader upload form...

Memexurer avatar Jan 06 '24 16:01 Memexurer

> So the exploit works by just spamming the shader upload form (POST https://glslsandbox.com/e), and I think the best way to fix this would be to add a captcha (Cloudflare Turnstile, for example) to the shader upload form...

Good idea, but are there any downsides to this?

Skoopyy avatar Jan 06 '24 17:01 Skoopyy

> Good idea, but are there any downsides to this?

I don't think so? You can read more about Turnstile here: https://www.cloudflare.com/products/turnstile/

Memexurer avatar Jan 06 '24 17:01 Memexurer

@Skoopyy

It's strange that your user appears in the payload in some of the spammy effects:

VERY GOOD SHADER t.me/telegrosik - skoopyy on discord

jfontan avatar Jan 07 '24 20:01 jfontan

@Memexurer I would use captcha just as last resort. This adds friction to users and I prefer to find other ways before resorting to that.

Immediate things I plan to do:

  • Clean up the actual spam
  • Add a read-only mode so people can access it but not upload new effects
  • Bring up the page with a notice saying that effects cannot be added or modified

The big problem is letting the clients create new effects without a rate limit. This let the spammer generate 250k effects very fast.

I'm planning, as a first step, to add a rate limit per client and give an error if it is sending too many effects in a short time. I also plan to do the same when the payload is equal or similar, but this will be done afterwards.

@mrdoob what do you think?

jfontan avatar Jan 07 '24 21:01 jfontan
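The two checks described in the comment above (a per-client rate limit on effect creation, and a second limit on identical or near-identical payloads) can be combined into one gate in front of the upload handler. The following is an added example written for this thread, not code from the glsl-sandbox repository; the limits (5 uploads per client per minute, 3 uploads of the same normalised payload per hour), the client key (caller passes a remote address) and the whitespace/case normalisation used to detect "similar" payloads are all assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Window is a sliding-window counter keyed by an arbitrary string (a client
// address, or a hash of a normalised payload). Constructed example, not the
// project's own limiter.
type Window struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	hits   map[string][]time.Time
}

func NewWindow(limit int, window time.Duration) *Window {
	return &Window{limit: limit, window: window, hits: make(map[string][]time.Time)}
}

// Allow drops hits older than the window, then records the event for key only
// if the key is still under its limit. Rejected events are not recorded, so a
// client that backs off recovers as soon as its old hits age out.
func (w *Window) Allow(key string, now time.Time) bool {
	w.mu.Lock()
	defer w.mu.Unlock()
	cutoff := now.Add(-w.window)
	kept := w.hits[key][:0] // filter in place; nil[:0] is fine for new keys
	for _, t := range w.hits[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	if len(kept) >= w.limit {
		w.hits[key] = kept
		return false
	}
	w.hits[key] = append(kept, now)
	return true
}

// PayloadKey collapses whitespace and case before hashing, so trivially varied
// copies of the same effect share one key. Assumed normalisation; a real
// deployment might also strip comments or use a locality-sensitive hash.
func PayloadKey(code string) string {
	norm := strings.ToLower(strings.Join(strings.Fields(code), " "))
	sum := sha256.Sum256([]byte(norm))
	return hex.EncodeToString(sum[:])
}

// UploadGate applies both limits to a POST of a new effect.
type UploadGate struct {
	perClient  *Window
	perPayload *Window
}

func NewUploadGate() *UploadGate {
	return &UploadGate{
		perClient:  NewWindow(5, time.Minute), // assumed limit
		perPayload: NewWindow(3, time.Hour),   // assumed limit
	}
}

// Check returns ("", true) when the upload may proceed, otherwise a reason
// suitable for an HTTP 429 body and false. The client hit is recorded even
// when the payload check then fails, so repeated duplicates still count
// against the sender.
func (g *UploadGate) Check(client, code string, now time.Time) (string, bool) {
	if !g.perClient.Allow(client, now) {
		return "too many uploads from this client", false
	}
	if !g.perPayload.Allow(PayloadKey(code), now) {
		return "identical or near-identical effect uploaded too many times", false
	}
	return "", true
}

func main() {
	// Constructed burst: one client posting seven distinct effects in seven seconds.
	g := NewUploadGate()
	start := time.Date(2024, 1, 6, 0, 0, 0, 0, time.UTC)
	for i := 0; i < 7; i++ {
		code := fmt.Sprintf("void main(){ gl_FragColor = vec4(%d.0); }", i)
		reason, ok := g.Check("203.0.113.7", code, start.Add(time.Duration(i)*time.Second))
		fmt.Printf("upload %d: allowed=%v %s\n", i+1, ok, reason)
	}
}
```

The per-client window alone stops the "250k effects very fast" pattern from a single source; the payload window is what catches the same spam text being pushed from many addresses, and because it keys on a normalised hash, spacing or capitalisation changes do not evade it.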

> @Skoopyy
>
> It's strange that your user appears in the payload in some of the spammy effects:
>
> VERY GOOD SHADER t.me/telegrosik - skoopyy on discord

Very strange indeed...

Skoopyy avatar Jan 08 '24 00:01 Skoopyy

@jfontan considering the nature of the site, maybe we could add GitHub OAuth?

mrdoob avatar Jan 08 '24 04:01 mrdoob

> @jfontan considering the nature of the site, maybe we could add GitHub OAuth?

I'll take a look at how this can be implemented.

jfontan avatar Jan 08 '24 18:01 jfontan

The underlying idea being that if we save the user for each effect, we could potentially report the spammy users to GitHub so they get banned 🤔

mrdoob avatar Jan 08 '24 21:01 mrdoob