There seems to be a possibility that users can upload images (which can be pornographic) to the Forem self-host, get the generated links, not publish them in Forem posts, but distribute those links or build a web host around them.
The Forem administrators never know what is uploaded and what is being transferred out of our servers for those unpublished images unless we manually keep checking each image in the AWS S3 bucket.
Even if we find unwanted images in the S3 bucket, how do we know which user uploaded them and whom to hold responsible? Legally, the administrators are at risk for hosting such content.
Is there any hot-linking protection such that all the unpublished images are deleted periodically?
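As an added example (not Forem's code, and not something the thread says Forem implements), here is what the periodic cleanup asked about could look like as a defender-side job: list the stored upload objects, subtract every key referenced by a published post, drop anything unreferenced that is older than a grace period, and report the orphans grouped by uploader. Attribution only works if the upload path records who uploaded the object; the example assumes a hypothetical `uploader-id` object metadata entry set at upload time. The bucket listing and post bodies are constructed sample data; in real use they would come from the S3 API and the posts table, and the `delete` callback would wrap the storage client's delete call.

```python
"""Cleanup of never-published uploads: added example, not Forem's own code.

Assumptions (not from the original thread):
  - upload keys look like uploads/articles/<name> (hypothetical layout)
  - each object carries an 'uploader-id' metadata entry set at upload time
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re


@dataclass
class StoredObject:
    """Minimal stand-in for one object returned by a bucket listing."""
    key: str
    last_modified: datetime
    metadata: dict = field(default_factory=dict)


# Hypothetical key layout for uploaded images.
IMAGE_KEY_RE = re.compile(r"uploads/articles/[A-Za-z0-9._-]+")


def referenced_keys(post_bodies):
    """Collect every upload key that appears in a published post body."""
    keys = set()
    for body in post_bodies:
        keys.update(IMAGE_KEY_RE.findall(body))
    return keys


def find_orphans(objects, referenced, now, grace=timedelta(hours=24)):
    """Objects not referenced by any published post and older than the grace
    period (so an image uploaded while a post is still being drafted survives)."""
    return [
        o for o in objects
        if o.key not in referenced and now - o.last_modified > grace
    ]


def attribute(orphans):
    """Group orphan keys by the uploader recorded in object metadata.
    Objects uploaded without that metadata end up under 'unknown', which is
    exactly the attribution gap the thread describes."""
    by_user = {}
    for o in orphans:
        uid = o.metadata.get("uploader-id", "unknown")
        by_user.setdefault(uid, []).append(o.key)
    return by_user


# Constructed sample data: one referenced image, two stale orphans, one fresh upload.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
SAMPLE_OBJECTS = [
    StoredObject("uploads/articles/a1.png", datetime(2023, 5, 1, tzinfo=timezone.utc),
                 {"uploader-id": "42"}),
    StoredObject("uploads/articles/b2.png", datetime(2023, 5, 20, tzinfo=timezone.utc),
                 {"uploader-id": "42"}),
    StoredObject("uploads/articles/c3.jpg", datetime(2023, 5, 31, 23, 30, tzinfo=timezone.utc),
                 {"uploader-id": "7"}),
    StoredObject("uploads/articles/d4.gif", datetime(2023, 4, 10, tzinfo=timezone.utc)),
]
SAMPLE_POSTS = [
    "Intro ![diagram](https://cdn.example.test/uploads/articles/a1.png) more text",
]


def run_cleanup(objects=SAMPLE_OBJECTS, posts=SAMPLE_POSTS, now=NOW, delete=None):
    """Find orphans, optionally delete them via the supplied callback, and
    return the per-uploader report for the moderation log."""
    orphans = find_orphans(objects, referenced_keys(posts), now)
    report = attribute(orphans)
    if delete is not None:
        for o in orphans:
            delete(o.key)  # e.g. lambda k: s3.delete_object(Bucket=..., Key=k)
    return report


if __name__ == "__main__":
    for uploader, keys in run_cleanup().items():
        print(uploader, keys)
```

Run it as a scheduled job with a real listing and a real delete callback; the returned report is what lets an administrator answer "who uploaded this" before the object disappears.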
I think the following hook could be used here:
I'm not sure if this functionality is missing in FOREM. But if not, it would probably be a good idea to open a feature request.
Have a nice day!
Yes, we've discussed this. Hasn't been implemented.
Images like this could be manually removed to prevent a certain type of abuse.
@ben hmm.. did this kind of attack ever happen on dev.to?
It has not. I suspect there are easier, more automatable attack vectors than this, but of course, that doesn't mean we shouldn't build in the fix.
Good that the world has been good till now.
Other attacks, meaning.. are you referring to DDoS (Distributed Denial of Service)?
@9comindia I am sorry if I post some content that does not fit here. May I know how you used the AWS S3 bucket service? I am using the self-host script, but the images uploaded by users are still on the disk; I cannot find them in my AWS bucket.