Closed neuronflow closed 4 years ago
This is not a security issue but a design decision. If you want to implement access control, you are expected to place a proxy in front of tusd which takes care of the authentication/authorization. This is also explained in the FAQ: https://github.com/tus/tusd/blob/master/docs/faq.md#how-can-i-prevent-users-from-downloading-the-uploaded-files
Hi @Acconut ,
Do you think that's fine when using tusd as a Go library to "overload" the GET handler so I can wrap it with my own access control logic?
Thank you,
@sneko Yes, if a proxy is not a good solution for you, you can also do that.
Closing this issue due to inactivity. Feel free to leave a comment if you want to continue the discussion :)
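The option confirmed above for library users, wrapping the GET handler with your own access control, as an added example (not code from tusd or from anyone in this thread). It uses only `net/http`; the stand-in handler, the owner-token map and the names `GuardDownloads`, `TokenAuthorizer`, `StatusFor` and `Demo` are assumptions for illustration, and `/corona-upload/` is the base path from the report.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// GuardDownloads gates GET downloads with authz and fails closed on unexpected paths; other methods pass through.
func GuardDownloads(basePath string, next http.Handler, authz func(*http.Request, string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet {
			id := strings.TrimPrefix(r.URL.Path, basePath)
			if id == "" || strings.Contains(id, "/") || !authz(r, id) {
				http.NotFound(w, r) // 404, not 403: a denial should not confirm that an ID exists
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// TokenAuthorizer maps upload ID -> owner's bearer token (constructed scheme, not tusd's).
func TokenAuthorizer(owners map[string]string) func(*http.Request, string) bool {
	return func(r *http.Request, id string) bool {
		want, ok := owners[id]
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		return ok && want != "" && subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
	}
}

// StatusFor sends one request through h and returns the response status code.
func StatusFor(h http.Handler, method, path, token string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// Demo wraps a hypothetical stand-in for the upload handler; the owner map is constructed data.
func Demo() http.Handler {
	standIn := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	return GuardDownloads("/corona-upload/", standIn, TokenAuthorizer(map[string]string{"abc123": "token-alice"}))
}

func main() { fmt.Println(StatusFor(Demo(), "GET", "/corona-upload/abc123", "")) }
```

Only GET is gated here, so resumable uploads keep working without a token; whether other methods also need a check depends on the deployment.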
Describe the bug
A clear and concise description of what the bug is.
links to file uploads can be guessed and be reached from external services. how can I disable this?

To Reproduce
Steps to reproduce the behavior:

Expected behavior
A clear and concise description of what you expected to happen.
502

Setup details
Please provide following details, if applicable to your situation:
Operating System: [e.g. Linux, Windows, macOS] independent of OS
Used tusd version: [can be obtained by running tusd -version] Version: v1.1.0
Used tusd data storage: [e.g. disk store, AWS S3, Google Cloud Storage]
Used tusd configuration: [what arguments are you using to invoke tusd?] ./tusd -port 3020 -verbose -base-path /corona-upload/ -behind-proxy -verbose
Used tus client library: [e.g. tus-js-client, tus-java-client, TUSKit, Uppy.js] Uppy.js