I found that this software has a slight vulnerability by default. All files generated get a random ID like /oraxirinic.sh which looks pretty random but is fairly guessable when calculating the odds. The trick here is that by default, the "phonetic" generator is used with a length of 10, implemented here: https://github.com/zneix/haste-server/blob/master/lib/key_generators/phonetic.js
It randomly chooses vowels or consonants based on whether the index is even or odd, causing a pattern like 1010101010 where 1 is a vowel, and 0 is a consonant. This significantly reduces the number of possibilities down to a brute-forcible range:
For a malicious actor trying at 1000 requests per second, they will be able to test every possible path in just a year, and likely find them earlier the more files exist or the faster they can request. Users may store sensitive things here and expect the paths not to be guessable.
This can be worked around in the config.js file by setting keyLength higher or keyGenerator.type to a generator with a greater search space like "random" or "dictionary", but I think it is not a good idea to make the default configuration contain this risk.
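To put numbers on the key spaces being compared, here is an added example (not haste-server code). The alphabets (5 vowels, 21 consonants), the coin flip on which class comes first, and a 62-character [A-Za-z0-9] alphabet for "random" are assumptions about the generators, not facts taken from the issue.

```javascript
// Added example, not haste-server code. Sizes the alternating vowel/consonant
// key space described in the issue against a "random" generator and converts
// it into brute-force time. ASSUMED: 5 vowels, 21 consonants, the class of the
// first character is a coin flip, and "random" draws from [A-Za-z0-9] (62).
const VOWELS = 'aeiou';
const CONSONANTS = 'bcdfghjklmnpqrstvwxyz';
const RANDOM_ALPHABET_SIZE = 62;

// Distinct keys the 1010101010 pattern can produce. Same-parity positions
// share one class, so the starting class fills ceil(n/2) slots and the other
// floor(n/2); startsEitherWay adds the vowel-first arrangement as well.
function phoneticKeySpace(keyLength, startsEitherWay = true) {
  const high = Math.ceil(keyLength / 2);
  const low = Math.floor(keyLength / 2);
  const v = VOWELS.length;
  const c = CONSONANTS.length;
  const consonantFirst = c ** high * v ** low;
  const vowelFirst = v ** high * c ** low;
  return startsEitherWay ? consonantFirst + vowelFirst : consonantFirst;
}

// Distinct keys when every position is drawn from the full alphabet.
function randomKeySpace(keyLength, alphabetSize = RANDOM_ALPHABET_SIZE) {
  return alphabetSize ** keyLength;
}

// Days needed to enumerate the whole key space at a steady request rate.
function daysToExhaust(keySpace, requestsPerSecond) {
  return keySpace / requestsPerSecond / 86400;
}

// Expected guesses (without repeats) before the first live paste is hit when
// `existingKeys` pastes exist: (N+1)/(k+1). Any stored paste counts as a hit,
// which is why more files make the search finish sooner.
function expectedGuessesToFirstHit(keySpace, existingKeys) {
  return (keySpace + 1) / (existingKeys + 1);
}

// Entropy in bits, the usual yardstick for comparing generator strength.
function keyBits(keySpace) {
  return Math.log2(keySpace);
}

// Side-by-side report for a given config.js keyLength.
function compareGenerators(keyLength, requestsPerSecond = 1000) {
  const phonetic = phoneticKeySpace(keyLength);
  const random = randomKeySpace(keyLength);
  return {
    phoneticBits: keyBits(phonetic), phoneticDays: daysToExhaust(phonetic, requestsPerSecond),
    randomBits: keyBits(random), randomDays: daysToExhaust(random, requestsPerSecond),
  };
}
```

`compareGenerators(10)` shows the default phonetic space at roughly 34.6 bits (about 295 days at 1000 requests per second), against roughly 59.5 bits for a 10-character random key.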