zlin / wgetpaste

MIT License

Create test script #28

Closed xxc3nsoredxx closed 3 years ago

xxc3nsoredxx commented 3 years ago

Posts test/test.txt onto any pastebins it can. Downloads the resulting paste into a temp dir as /tmp/wgetpaste_test.XXXXX/<service>.txt. Runs diff(1) (ignoring trailing whitespace) to compare the download with the test data.

Cogitri commented 3 years ago

A simple script to run this with GitHub Actions would be neat too

xxc3nsoredxx commented 3 years ago

I'm not familiar with using GitHub Actions, but I'm willing to look into it.

nvinson commented 3 years ago

@xxc3nsoredxx @Cogitri Has anyone checked with the pastebin owners to see if they're OK with this approach? As it's written, this can easily be abused to flood the various pastebins with test messages.

xxc3nsoredxx commented 3 years ago

@nvinson Good point. I hadn't explicitly thought about that until now. Here's my take (obligatory "I am not a lawyer"):

0x0.st is NOT a platform for:

  • piracy
  • pornography and gore
  • extremist material of any kind
  • malware / botnet C&C
  • anything related to crypto currencies
  • backups
  • CI build artifacts
  • doxxing, database dumps containing personal information
  • anything illegal under German law

0x0 ToS section, seems fine to me.

I can't find any ToS for bpaste, so presumably they know and accept any risks involved.

codepad always times-out for me, so the script isn't hitting their endpoint.

  • Automated submissions should be made with a User-Agent header identifying the software making the request.
  • Automated requests should not exceed one per second.

dpaste ToS. As it is right now, the script doesn't make >1 req/s, even if run forever, since it cycles through the different services. Although I can't find any mention of the User-Agent being added to the request by wgetpaste.

Abuse or excessively frequent requests to GitHub via the API may result in the temporary or permanent suspension of your Account's access to the API. ... You may not share API tokens to exceed GitHub's rate limitations.

GitHub API ToS. I do not believe that this script violates the "excessive requests" based on the fact that it sends out a single Gist. Also, it requires the user to explicitly provide their own API key for anything to be saved on the server.

CAVEATS: Paste at your risk. Be nice please. If you are distributing software that uses this automatically, talk to me first. If you are distributing malware please go away forever.

ix.io, towards the bottom. It may be worth making sure that wgetpaste using the service at all is acceptable, if it hasn't been done already. I don't believe that this script goes against the "be nice please" clause.

5.1 Customer will not, and will not permit any third party other than Users, to: (vi) use the Software in any manner that: (d) contains a virus, trojan horse, worm, time bomb, unsolicited bulk, commercial, or “spam” message...

GitLab Subscription Agreement (most relevant bit I could find). I don't believe this qualifies as "unsolicited bulk." Similarly to GitHub, using GitLab snippets requires the user to provide their own API key.

  • Daily quotas protect the integrity of the App Engine system by ensuring that no single app over-consumes a resource to the detriment of other apps. If you go above these limits you'll get an error. Daily quotas are refreshed daily at midnight Pacific time.
  • Per-minute quotas protect your application from consuming all of its resources in very short periods of time, and prevent other applications from monopolizing a given resource. If your application consumes a resource too quickly and depletes a per-minute quota, the word "Limited" appears next to the appropriate quota on the Quotas page in the Cloud Console. Requests for resources that reach their per-minute maximum are denied.

Google App Engine quotas page, Sprunge does not seem to have a ToS of their own, but the README mentions that it uses Google App Engine, so presumably they know and accept any risks involved.

In short, I believe the test script complies with the various ToS's, but the points mentioned for dpaste and ix.io might be worth looking into. Considering the self-limiting nature (only a single loop, at most a single small upload+download per service), I would say this script is in good faith just as the tool itself is. Adding a sleep 1 before going to the next service would further space out API calls while not making execution time unbearable for sporadic use (it currently takes ~10s for a single run). Doing anything malicious would require modification by the end-user and/or some other form of abuse, and there are likely more efficient ways of accomplishing such a goal, so I would consider it only a limited concern.
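The harness shape described in the PR description (post, fetch into a mktemp directory, diff ignoring trailing whitespace) together with the `sleep 1` spacing proposed above, as an added example that is not the PR's own test script and not part of wgetpaste. The network round trip is replaced by a constructed local stub (`stub_paste`) so that the structure can be exercised offline; a real run would substitute the wgetpaste upload and a download of the returned URL at that point.

```shell
#!/bin/sh
# Added example, not the PR's test/test.sh. Service names and stub_paste are
# constructed stand-ins for the real upload/download step.

MIN_INTERVAL="${MIN_INTERVAL:-1}"   # seconds between services; dpaste asks for <= 1 req/s

# Constructed test data standing in for test/test.txt (note the trailing spaces).
TEST_DATA=$(mktemp)
printf 'wgetpaste test data\nline two  \n' > "$TEST_DATA"

# Stand-in for "upload with wgetpaste, then download the returned URL".
# "good" echoes the data back, "trailing" pads lines with spaces (should still
# pass), "broken" truncates the paste (should fail), anything else is unreachable.
stub_paste() {
  case "$1" in
    good)     cat "$2" ;;
    trailing) sed 's/$/   /' "$2" ;;
    broken)   head -n 1 "$2" ;;
    *)        return 1 ;;
  esac
}

# Strip trailing whitespace so the comparison ignores it, as the PR describes.
# Done with sed rather than diff -Z so it also works with non-GNU diff.
normalize() { sed 's/[[:space:]]*$//' "$1"; }

# Return 0 when the downloaded paste matches the test data modulo trailing whitespace.
verify_paste() {
  a=$(mktemp); b=$(mktemp)
  normalize "$1" > "$a"
  normalize "$2" > "$b"
  if diff -q "$a" "$b" > /dev/null; then rc=0; else rc=1; fi
  rm -f "$a" "$b"
  return $rc
}

# Run one upload+download per service, spaced MIN_INTERVAL seconds apart.
# Returns the number of failing services (0 = all passed).
run_tests() {
  tmpdir=$(mktemp -d /tmp/wgetpaste_test.XXXXXX)
  failed=0
  for service in "$@"; do
    out="$tmpdir/$service.txt"
    if stub_paste "$service" "$TEST_DATA" > "$out" && verify_paste "$TEST_DATA" "$out"; then
      echo "PASS $service"
    else
      echo "FAIL $service"
      failed=$((failed + 1))
    fi
    sleep "$MIN_INTERVAL"   # keep well under one request per second per service
  done
  rm -rf "$tmpdir"
  return $failed
}

# Stand-alone demo over the three constructed services.
run_tests good trailing broken || echo "$? service(s) failed"
```

Because the loop visits each service once and sleeps between them, total request rate stays bounded by the number of services per run regardless of how often the script is invoked back-to-back; the `failed` count is returned rather than printed so a CI job can gate on it.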

heirecka commented 3 years ago

@xxc3nsoredxx @Cogitri Has anyone checked with the pastebin owners to see if they're OK with this approach? As it's written, this can easily be abused to flood the various pastebins with test messages.

In addition to what @xxc3nsoredxx said, it's already easy to use wgetpaste itself for flooding pastebins (e.g. just use it with a loop), so the test script doesn't make much difference, at least in my opinion.

Anyway, LGTM. Waiting a bit if @Cogitri wants to add anything, though.

xxc3nsoredxx commented 3 years ago

@Cogitri Is there anything else that you think should be done before merging?