Forem Creators and Builders

Cover image for is Forem protected against hot-linking of images?
9comindia
9comindia

Posted on • Updated on

is Forem protected against hot-linking of images?

There seems to be a possibility that users can upload images (can be pornographic.. ) to the Forem selfhost; get the generated links, don't publish them on Forem posts but distribute those links or webhost with those links.

The Forem administrators never know what is uploaded and what is being transferred out of our servers about those unpublished images unless we manually keep checking each image in the aws s3 bucket.

Even if we find any unwanted images in the s3 bucket, how do we know which user uploaded them, whom to hold responsible for.. and legally the administrators are at risk for hosting such content.

Is there any hot-linking protection such that all the unpublished images are deleted periodically?

Discussion (5)

Collapse
xnbox profile image
Alexander

I think the following hook could be used here:

  • When uploading a file, associate its link on the hosting service with the user's ID.
  • Before publishing a post, you can automatically delete all files that are not linked to in that post.

I'm not sure if this functionality is missing in FOREM. But if not, it would probably be a good idea to open a feature request.

Have a nice day!

Collapse
ben profile image
Ben Halpern

Yes, we've discussed this. Hasn't been implemented.

Images like this could be manually removed to prevent a certain type of abuse.

Collapse
9comindia profile image
9comindia Author

@ben hmm.. did this kind of attack ever happened on dev.to?

Thread Thread
ben profile image
Ben Halpern

It has not. I suspect there are easier, more automatable attack vectors than this, but of course, that doesn't mean we shouldn't build in the fix.

Thread Thread
9comindia profile image
9comindia Author

Good that the world has been good till now.
Other attacks mean.. are you referring to DdoS(Distributed denial of Service)?