starlightprivate / flash2

nodejs app

Secure write only analytics #154

Open vodolaz095 opened 7 years ago

vodolaz095 commented 7 years ago

There are these values in the config for autopilot, leadoutpost, sentry, loggly, segment.

https://github.com/starlightgroup/flash2/blob/master/server-config.js

```js
  autopilot: {
    key: process.env.AUTOPILOT_KEY || '7d72a72715de40668977c638c01273c8',
    clientlist: process.env.CLIENT_LIST || 'contactlist_59EA0BF8-46D0-4733-B6C5-4F2EB7C890AA',
  },
  leadoutpost: {
    apiKey: process.env.LEADOUTPOST_API_KEY || 'CITg0XHH3kGJQ4kkjZizRxzUEINR2nZaLRRstUyHs',
    campaignId: process.env.LEADOUTPOST_CAMPAIGN_ID || 5,
  },
  // https://sentry.io/starlight-group/node-api/settings/keys/
  sentryDSN: process.env.SENTRY_DSN || 'https://68ae2c197a6440efac407117aec0326f:f64d954adde3493ab03f86d94815e814@sentry.io/133524',

  loggly: {
    token: process.env.LOGGLY_TOKEN || 'a52a98a7-c97f-40d5-bb5b-b544716b04c3',
    subdomain: process.env.LOGGLY_SUBDOMAIN || 'starlightgroup',
  },
  segmentWriteKey: process.env.SEGMENT_WRITE_KEY || '7FMBWsjMCbyWvbx4UuGCovr1SYyokQYd', // https://segment.com/docs/sources/server/node/
```

How can it be dangerous?

Moderate. Attackers can spam logs and analytics with meaningless errors, tampering with developers' work - because they need to see fake errors and can miss real errors.

How to fix?

Regenerate all tokens. They can all be stored in code freely - they give write-only access.

vodolaz095 commented 7 years ago

There is also frontend code for sentry reports. There is a CSP report endpoint.

vodolaz095 commented 7 years ago

Sentry - https://sentry.io/starlight-group/node-api/settings/keys/ Including report URI and CSP report page https://github.com/starlightgroup/flash2/blob/4949d508618195ca1e7c8d24f3e3862816ed6d7e/api/middlewares/csp.js#L124-L124

vodolaz095 commented 7 years ago

For Loggly - https://starlightgroup.loggly.com/tokens