pglombardo / PasswordPusher

πŸ” Securely share sensitive information with automatic expiration & deletion after a set number of views or duration. Track who, what and when with full audit logs.
https://docs.pwpush.com
Apache License 2.0

Direct links to files do not count towards download count #1799

Open PL-Peter opened 7 months ago

PL-Peter commented 7 months ago

πŸ› Bug Report

When a file is uploaded to PasswordPusher, there are 2 URLs per file.

  1. The "secret" URL, which is to be passed to the receiver of the file. The secret URL is constructed like "https://[server]/f/[Token]".

  2. The "real" URL, or direct link to the file. The real URL looks like "https://[server]/rails/active_storage/blobs/redirect/[long random string]/[real file name]". This URL can be copied from the link presented under "Attached Files".

When the receiver of the file passes on the "real URL", an unlimited amount of downloads can be made. No restrictions seem to be active for those links.

🔬 How To Reproduce

  1. Upload a file to PasswordPusher
  2. Open the secret Link in another browser or incognito window and copy the "real link"
  3. Open as many additional tabs/windows as you like and download the file

Environment

Where are you running/using Password Pusher?

If applicable, what version of Password Pusher? 1.36.5

📈 Expected behavior

"Real" URL should either be counting towards view count/download count/age restrictions or not be directly reachable.

github-actions[bot] commented 7 months ago

Hello @PL-Peter, thanks for contributing to the Password Pusher community! We will respond as soon as possible.

pglombardo commented 7 months ago

Hi @PL-Peter - you are correct and I'm not sure how to fix this yet.

  1. File downloads should be added to the Audit Log
  2. Should we add a max download setting that would apply per-file? e.g. 10 views on the push, but max 10 downloads of each file? I'm not sure yet.

Let me know what you think.
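The following is an added example, not PasswordPusher's code, of the gating the two comments above describe: file bytes are only ever handed out through a push-aware download method (never through a direct storage URL), each download is counted against a per-file cap, refused downloads are logged alongside views, and the payload is wiped once views and downloads are used up. The `Push` class, its method names, the per-file cap and the "delete when fully consumed" policy are assumptions made for the example; for the download==view case the caller simply sets `max_downloads_per_file` equal to `expire_after_views`.

```ruby
# Added example (not from the PasswordPusher project): a push whose attached
# files can only be fetched through a gated, audited download method.
require 'securerandom'
require 'time'

class PushGone < StandardError; end

class Push
  attr_reader :token, :audit_log

  # files: { "display name" => bytes }. Each file gets a random id that is
  # only resolvable through #download, so there is no direct blob URL to copy.
  def initialize(files:, expire_after_views:, expire_after_seconds:,
                 max_downloads_per_file:, now: Time.now)
    @token = SecureRandom.urlsafe_base64(16)            # the "secret" URL part
    @expire_after_views = expire_after_views
    @expires_at = now + expire_after_seconds
    @max_downloads_per_file = max_downloads_per_file     # assumed per-file cap
    @views = 0
    @deleted = false
    @files = files.map do |name, bytes|
      [SecureRandom.hex(16), { name: name, bytes: bytes, downloads: 0 }]
    end.to_h
    @audit_log = []
  end

  def expired?(now: Time.now)
    @deleted || now >= @expires_at || @views >= @expire_after_views
  end

  # Opening the secret page consumes one view and returns the file listing
  # (ids and names only, never the bytes).
  def view(ip:, now: Time.now)
    raise PushGone, 'push expired' if expired?(now: now)
    @views += 1
    log(:view, ip, now)
    @files.map { |id, f| { id: id, name: f[:name] } }
  end

  # Every download passes through here: unknown ids, deleted or time-expired
  # pushes and files over their cap are refused, and the refusal is audited.
  def download(file_id, ip:, now: Time.now)
    entry = @files[file_id]
    if entry.nil? || @deleted || now >= @expires_at ||
       entry[:downloads] >= @max_downloads_per_file
      log(:download_refused, ip, now, file_id)
      raise PushGone, 'file unavailable'
    end
    entry[:downloads] += 1
    log(:download, ip, now, file_id)
    bytes = entry[:bytes]
    delete! if fully_consumed?   # wipe the payload once views and downloads are used up
    bytes
  end

  def delete!
    @deleted = true
    @files.each_value { |f| f[:bytes] = nil }
  end

  def downloads_for(file_id)
    @files.fetch(file_id)[:downloads]
  end

  private

  def fully_consumed?
    @views >= @expire_after_views &&
      @files.values.all? { |f| f[:downloads] >= @max_downloads_per_file }
  end

  def log(event, ip, now, file_id = nil)
    @audit_log << { event: event, ip: ip, at: now.utc.iso8601, file_id: file_id }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a single-view push with one file and one allowed download.
  push = Push.new(files: { 'report.pdf' => 'PDFDATA' }, expire_after_views: 1,
                  expire_after_seconds: 3600, max_downloads_per_file: 1)
  listing = push.view(ip: '203.0.113.5')
  push.download(listing.first[:id], ip: '203.0.113.5')
  begin
    push.download(listing.first[:id], ip: '198.51.100.7')   # second copy of the link
  rescue PushGone => e
    puts "refused: #{e.message}"
  end
  push.audit_log.each { |entry| puts entry.inspect }
end
```

The design choice worth noting is that the file id is useless on its own: it is only meaningful to `Push#download`, which applies the same expiry checks as the secret page, so forwarding the link after the push is gone yields nothing and leaves a `:download_refused` entry in the audit log.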

PL-Peter commented 7 months ago

Hi @pglombardo ,

What made me wonder was when I pushed some files with only a single view each, that was used by the preview to extract the direct DL URL and the direct download still worked afterwards on the already expired item.

I guess it depends heavily on the use case what the solution should look like. I'm currently testing single file pushes over the API. In my case download==view. In my script I'm extracting the direct download URL from the preview page - currently it's not available via API call, as far as I know.

With multiple file pushes it gets a little difficult. Maybe an elegant (?) solution would be to ZIP pushes with multiple files in an archive to get a single file to download. At least this is how web based file managers usually solve the "how to download multiple files" problem. This would also reduce possible download situations to a single case and solve the views/downloads counter problem.