alex35mil / sourcebuster-js

Track the sources of your traffic
https://alexfedoseev.github.io/sbjs
MIT License
412 stars 92 forks

Stores way too many cookies #43

Open Tofandel opened 7 months ago

Tofandel commented 7 months ago

Using this package means 7 cookies are added on each page load. Some of these cookies contain data that is falsely flagged by WAFs as SQL injection. The total size of those 7 cookies is around 1.3 KB, and the cookie limit for browsers is 4 KB, so this package by itself is taking 30% of that, not leaving much space for other services or authentication. A quick reminder that cookies are also sent with every request (image, script and CSS loads); this can add up in bandwidth and significantly slow down the loading times of a website.

There is no option to change this (e.g. disable cookies and simply use the API straight away, with the user storing what they need themselves in the callback). It would at the very least be much better to use localStorage or sessionStorage for this purpose than cookies.
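As an added example (not sourcebuster's code and not posted by anyone in this thread), the following JavaScript does the two checks a site owner would want after reading the comment above: it measures how much of the 4 KB cookie budget the sbjs_* cookies consume in a Cookie header, and it builds a plan that copies those cookies into sessionStorage and expires the originals, which is the kind of opt-out the comment asks for. The cookie names follow the sbjs_ prefix sourcebuster uses; every value, the example.org domain, the user agent and the 4096-byte limit are constructed assumptions for the demonstration.

```javascript
// Added example, not sourcebuster's own code. Cookie names follow the sbjs_
// prefix sourcebuster uses; the values, domain and budget are constructed.
const COOKIE_BUDGET_BYTES = 4096; // assumed per-domain budget, as cited in the issue

// Constructed Cookie request header: seven sbjs_* cookies plus two unrelated ones.
// The "k=v|||k=v" payload shape matches the sbjs_session value quoted in the thread.
const SAMPLE_COOKIE_HEADER = [
  'sbjs_migrations=1418474375998=1',
  'sbjs_current_add=fd=2024-01-25 15:42:57|||ep=https://www.example.org/|||rf=(none)',
  'sbjs_first_add=fd=2024-01-25 15:42:57|||ep=https://www.example.org/|||rf=(none)',
  'sbjs_current=typ=organic|||src=google|||mdm=organic|||cmp=(none)|||cnt=(none)|||trm=(none)',
  'sbjs_first=typ=organic|||src=google|||mdm=organic|||cmp=(none)|||cnt=(none)|||trm=(none)',
  'sbjs_udata=vst=1|||uip=(none)|||uag=Mozilla/5.0 (X11)',
  'sbjs_session=pgs=3|||cpg=https://www.example.org/directory/?subject=value1&submit=Submit',
  'wordpress_logged_in_abc123=alice%7C1700000000',
  'PHPSESSID=a1b2c3d4',
].join('; ');

// Byte length as the wire sees it (works in browsers and Node).
const utf8Bytes = (s) => new TextEncoder().encode(s).length;

// Split a Cookie header (same shape as document.cookie) into {name: value}.
// The value keeps everything after the first '=', so payloads such as
// "pgs=3|||cpg=https://..." survive intact.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) cookies[name] = part.slice(idx + 1).trim();
  }
  return cookies;
}

// Decode one sourcebuster value ("k=v|||k=v") into a plain object.
function parseSbjsValue(value) {
  const fields = {};
  for (const field of value.split('|||')) {
    const idx = field.indexOf('=');
    if (idx < 0) continue;
    fields[field.slice(0, idx)] = field.slice(idx + 1);
  }
  return fields;
}

// Bytes of "name=value" for every cookie, and the share taken by prefix cookies.
function cookieBudget(header, prefix = 'sbjs_', budget = COOKIE_BUDGET_BYTES) {
  let total = 0;
  let prefixed = 0;
  let count = 0;
  for (const [name, value] of Object.entries(parseCookieHeader(header))) {
    const bytes = utf8Bytes(name) + 1 + utf8Bytes(value); // "name=value"
    total += bytes;
    if (name.startsWith(prefix)) {
      prefixed += bytes;
      count += 1;
    }
  }
  return { total, prefixed, count, shareOfBudget: prefixed / budget };
}

// Plan to move prefix cookies into Web Storage: the decoded entries to store
// and the cookie strings that expire the originals (assign each to document.cookie).
function relocationPlan(header, prefix = 'sbjs_') {
  const storageEntries = {};
  const expireCookies = [];
  for (const [name, value] of Object.entries(parseCookieHeader(header))) {
    if (!name.startsWith(prefix)) continue;
    storageEntries[name] = parseSbjsValue(value);
    expireCookies.push(`${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`);
  }
  return { storageEntries, expireCookies };
}

// Apply a plan against any Storage-like object (sessionStorage in a browser)
// and a cookie-writer callback; returns how many cookies were moved.
function applyRelocation(plan, storage, writeCookie) {
  for (const [name, data] of Object.entries(plan.storageEntries)) {
    storage.setItem(name, JSON.stringify(data)); // Storage holds strings only
  }
  for (const cookie of plan.expireCookies) writeCookie(cookie);
  return plan.expireCookies.length;
}

// In a browser the same plan is applied with real storage and real cookies:
//   applyRelocation(relocationPlan(document.cookie), window.sessionStorage,
//                   (c) => { document.cookie = c; });
```

Run `cookieBudget(document.cookie)` in the console of an affected site to see the sbjs_* share of the budget before deciding whether to relocate; note that the expiry strings use `path=/`, so a cookie that sourcebuster set on another path would need a matching `path` to be cleared.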

amityweb commented 7 months ago

Don't know if it's related, but Ninja Firewall on one of our WordPress sites is now logging this and blocking visitors:

25/Jan/24 15:42:57  #6842620  HIGH       257  111.222.333.444   GET /index.php - SQL injection - [COOKIE:sbjs_session = pgs=3|||cpg=https://www.mydomain.org.uk/find-an-service/directory/?subject=value1&publication_type=value2&skill=value3&submit=Submit] - www.mydomain.org.uk

sbjs_session is only referenced in WooCommerce and LiteSpeed Cache on our site.

amityweb commented 7 months ago

Actually, mine is probably related to Sourcebuster in WooCommerce: https://github.com/woocommerce/woocommerce/issues/43681

Tofandel commented 7 months ago

Well, it's an issue with sourcebuster, but it just appeared because the inclusion in WooCommerce turned this not-so-popular library into something used on millions of sites in a matter of weeks.

layoutd commented 7 months ago

@amityweb Yes, that's likely due to Sourcebuster being used in WooCommerce's Order Attribution feature. See this WC Developer Blog post for more info. We hadn't heard of issues with Ninja Firewall, so we'll investigate that further.

@Tofandel Appreciate your comments here and in the WooCommerce repo so far. Since this repo is mostly inactive, we forked it to https://github.com/woocommerce/sourcebuster-js/ to include in WooCommerce. There's a PR open there to add some features to address this issue, if you'd like to take a look I'd be happy for your input/feedback: https://github.com/woocommerce/sourcebuster-js/pull/3