
Make test databases obvious that they're test databases

Open scjody opened this issue 8 years ago • 2 comments

We received 3 reports of publicly accessible databases today, all referencing databases found in https://github.com/plotly/falcon-sql-client/blob/master/sample-storage/connections.yaml . I'm not sure why this is happening today but I suspect we've been indexed by a vulnerability search engine.

In order to stop people from reporting this issue, I've added it to our policy and scope document but not everyone will read that. Therefore I suggest doing all these things if possible:

  • [x] Add a comment to connections.yaml noting that these are all test databases that are intentionally public (see PR #232).
  • [x] ~~Buy a "plotly testing" domain and~~ Add all these sites to the test.plotly.host domain rather than using the default AWS DNS entries. ~~(Please don't add them to plot.ly since that actually is a security risk.)~~
  • [ ] Change table names and/or column names to include "testing"
  • [ ] If the site has a configurable header, add "Testing" to the header

@tarzzz @chriddyp Can someone please deal with this soon?

scjody commented Nov 09 '17 21:11

We now own plotly.host, including test.plotly.host. DNS entries for the databases could be added under there.

scjody commented Nov 17 '17 23:11

Re #335 #336

n-riesco commented Jan 19 '18 14:01