
Securing file upload - Need Help!

Hi,

I am trying to secure file uploads from users.

Here are my upload settings:

Here are my privacy settings:

But still, when someone has the CDN URL (i.e. https://8cfc205a92a7bc2ee3ca59fc24732ee2.cdn.bubble.io/f1685042659128x838821363675895200/Screenshot%202023-05-25%20at%202.23.49%20PM.png?AWSAccessKeyId=AKIATBBF73RNGVJNFEZN&Expires=1685043388&Signature=EFnnTLA2gd4AMmqqtPEP0GnGmzA%3D)

Anyone with the URL can view the source file.

How do I secure the files so only the members of the team can view it or see the attached file?

Thanks!

Right now when I open your URL I get:

<Code>AccessDenied</Code>
<Message>Request has expired</Message>

Are you sure anyone can access the source file?

Thanks for the reply!

For that file now I am getting it. But I’m testing in DuckDuckGo, pasting in the URL, and for two others I just uploaded I can still view (logged in in Chrome).

i.e. https://8cfc205a92a7bc2ee3ca59fc24732ee2.cdn.bubble.io/f1685044907936x677448095132356100/sample.pdf?AWSAccessKeyId=AKIATBBF73RNGVJNFEZN&Expires=1685045212&Signature=sB4fIGQ1ab0hJ8TEyH4wsvVeyv8%3D

Yep, I can access this PDF using your URL.

Are you testing the file upload process using an existing user connected to a team? Or was it a temporary (not logged in) user?

Super weird right? I’m testing as an existing user connected to a team.

Within what data type have you created the privacy rule - User or Team?

These are presigned URLs, meaning that specific link expires in a certain amount of time and is public, but it took someone private that has access to be able to generate that link in the first place.

Try clicking that previous link now, it says it has expired. If you try to view the file again from inside your app/editor you’ll notice the link is different, it generated a new one that will expire soon too.

Perhaps what you’re chasing is an S3 bucket policy that only lets someone view it if they are being referred from your app’s domain (they clicked a link from your app only), that would require your own S3 bucket and you would upload directly to it (plugin required).

1 Like

Thank you!

From what I understand the files are completely private until someone (with permission) opens them. Then a unique URL is created with a time limit (anyone know what that is?)

So the URL above is now not accessible, but I opened (as a user with permission) the same file again and a new URL was generated that is slightly different. Below are the two URLs for the same file:

  1. https://8cfc205a92a7bc2ee3ca59fc24732ee2.cdn.bubble.io/f1685044907936x677448095132356100/sample.pdf?AWSAccessKeyId=AKIATBBF73RNGVJNFEZN&Expires=1685045212&Signature=sB4fIGQ1ab0hJ8TEyH4wsvVeyv8%3D

  2. https://8cfc205a92a7bc2ee3ca59fc24732ee2.cdn.bubble.io/f1685044907936x677448095132356100/sample.pdf?AWSAccessKeyId=AKIATBBF73RNGVJNFEZN&Expires=1685045711&Signature=fXTYAsfnmLRmnYu66NuyoC6FrvM%3D

Thanks for the help, and I hope this helps someone else!

1 Like

Looks like the links timed for 10 minutes and then go dead.

1 Like

So, technically it’s not 100% private, because an authorised app user can share a presigned URL with another user (who is not authorised to have access to the file) and this unauthorized user will be able to get the file before the link expires?

The file is considered private because it takes an authorized user to generate a unique link to the file for a short time.

You are correct someone could share the URL in that 10 minutes and someone else could see it. But if they are leaking documents why are they an authorized user in the first place? :slightly_smiling_face:

I use external Wasabi S3 storage, and I have a bucket policy where they can only view the file if they clicked the URL from within my app (called an HttpReferrer). Maybe that’s what you might want? So a user clicks a link inside the app and views the file. If they copy/pasted the link to their browser it does not work.

I’m not really a cybersecurity expert but I think Presigned URLs are still considered more secure, I think HttpReferrers can be spoofed if someone really was tech savvy.

2 Likes
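An added example (not part of the thread and not Bubble's or AWS's code) of the mechanism discussed above: the AWS Signature Version 2 query-string scheme whose parameters (`AWSAccessKeyId`, `Expires`, `Signature`) appear in the URLs posted here. The key, secret, host and path are constructed, and `check` is a simplified stand-in for the storage service's validation; it shows that the URL is verified from its own contents and the clock, so whoever holds it passes until `Expires`.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Constructed values for illustration only (not real credentials or hosts).
ACCESS_KEY_ID = "AKIDEXAMPLE"
SECRET_KEY = b"constructed-secret-never-leaves-the-server"
HOST = "https://files.example.com"


def _signature(path: str, expires: int) -> str:
    # SigV2 query auth signs method, expiry and resource (real S3 uses "/bucket/key").
    string_to_sign = f"GET\n\n\n{expires}\n{path}"
    digest = hmac.new(SECRET_KEY, string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def presign(path: str, now: int, ttl: int = 600) -> str:
    """Run server-side, only after the app's privacy rules allow the requesting user."""
    expires = now + ttl
    query = urlencode({
        "AWSAccessKeyId": ACCESS_KEY_ID,
        "Expires": expires,
        "Signature": _signature(path, expires),
    })
    return f"{HOST}{quote(path)}?{query}"


def check(url: str, now: int) -> str:
    """Storage-side view: only the URL and the clock are checked, never the caller."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["Expires"][0])
        presented = params["Signature"][0]
    except (KeyError, ValueError):
        return "AccessDenied: malformed"
    expected = _signature(unquote(parts.path), expires)
    if not hmac.compare_digest(presented, expected):
        return "SignatureDoesNotMatch"  # path or Expires was edited after signing
    if now > expires:
        return "AccessDenied: Request has expired"
    return "OK"


if __name__ == "__main__":
    url = presign("/team-42/sample.pdf", now=1_700_000_000)
    print(check(url, 1_700_000_300), "|", check(url, 1_700_000_601))
```

Because `Expires` is inside the signed string, a recipient cannot extend the lifetime; shortening `ttl` at signing time is the only control over the sharing window.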

Just checked Amazon’s docs on presigned URLs:

Anyone who receives the presigned URL can then access the object. For example, if you have a video in your bucket and both the bucket and the object are private, you can share the video with others by generating a presigned URL. Because presigned URLs grant access to your Amazon S3 buckets to whoever has the URL, we recommend that you protect them appropriately

So I supposed that “private” files are really “private” in Bubble because only authorised users can access’em. But it turned out that is not quite true. Thanks for this great insight, haven’t seen this on the forum before.

Secret agent making dirty stuff being an official employee :grinning:
Or some computer virus triggering a script to send links to scammers in the background.

Yep, I’ve been thinking about something similar to Google’s sharing concept. So to get access to some file, the user has to log in to a Google account and then Google checks if this user’s email is whitelisted. From my POV (not a cybersecurity expert by any means) such an approach is more secure than using a presigned URL.

1 Like

Could you explain a little more about how I could implement something like this in my app? It sounds like a great solution. :grinning:

Funny you mention that, when I view a picture from my Google Drive,

Here is the image link from the dev console

And here is the same picture but I uploaded through Google Photos

Neither of these I shared with anyone (the link it would generate to share would be a much shorter link to Photos, not a direct image URL), I just viewed privately from my Google account, are you able to see these? I tried the URLs in Incognito and a different browser and they work

Every time I refresh in my Drive or Photos, those URLs change… almost like a presigned URL :thinking: :joy:

According to this answer googleusercontent images expire after 1-2 days

So far it seems when someone shares a photo with you on Google Drive you’re just given permission to generate a signed URL for you to view (Similar how you would do it in Bubble)

I think no one is using the HTTP Referrer method because it’s considered easily spoofable if someone really wanted to.

Even if it is a cool concept of “verifying where they came from”

2 Likes

Yeah I can see the image from both the URLs… this is really interesting.

1 Like

This can be done with your own AWS S3 bucket but I just chose Wasabi S3 instead. I can find the links to the plugins to integrate with those storage providers if you want.

It comes with its own pros and cons, like it being less integrated than Bubble’s file storage, but you get your own private bucket to change access like I mentioned before. But certain things like other plugins uploading files (Webcam capture, PDF generating plugins, etc) will still want to upload to your Bubble storage. So another plugin would be needed to transfer the files out of your Bubble storage and into your AWS S3

If it’s just users uploading/downloading then the plugins would be completely fine though.

The HTTP Referrer thing is nice, it just depends on your level of security needed. Clearly wasn’t good for Google since they do the Signed URL route

I should also mention you can do your own bucket and also just do Signed URLs

1 Like