Using aws mobilehub for our react application, mainly for authentication. I've seen in multiple places that the file that configures the sdk for the project, the aws-exports.js file, should not be included in source control.
Why should it not be in source control? I get that since we need differing versions it should be dynamically updated.. but is there any security risk for the client to be able to see it?
In inspector, we can see the information of the aws-exports.js file in the inspector, and I just want to make sure we aren't exposed to any security risk if, for example, someone perusing our files could see our "aws_cognito_identity_pool_id" or "aws-region" or something like that.
Also, side note- we will eventually have a production build so there will be some minification im sure to obfuscate the information, but just want some clarification on best practices and potential vulnerabilities.
Thanks!
I don't think it's about security, because the file is eventually going to be accessible, by design. It's because the file is dynamically generated.
The aws-exports.js file is a standard JavaScript file that is maintained by AWS Mobile Hub on your behalf. It changes when you add, remove, or edit features within AWS Mobile Hub.
// WARNING: DO NOT EDIT. This file is Auto-Generated by AWS Mobile Hub. It will be overwritten.
https://aws.amazon.com/blogs/mobile/integrate-the-aws-sdk-for-javascript-into-a-react-app/
It feels like the motivation behind this practice is to prevent the wrong file from being used, inadvertently, and avoid version control interference and annoyances from having a file that is tracked, but doesn't need to be.
Related
I am working on a react web application, which may require multi language support. I am using i18n-next which internally loads the required configuration file from specific directory based on the language selected by user.
The word or scentences that needs to be translated may increase based the screens that user going to add and also if use adds new folder, we will loading those languages into our application.
What is the best way (I mean Scallable, Easy to configure, platform provided...) to satisfy the requirement?
( :( All I can think of is mounting an external locales folder to the folder inside container.. Is that the only way.. or something else is there..)
Note: kubernetes and rancher is there to manage. Plase provide solution/suggestion around that.
Nandri.
If you can add the files from the Storage bucket to Ci/CD & add files to the docker image and manage inside it that would be one way.
Following this way might be helpful during scaling up the application and need to manage the external locales folder and anything worried.
By external local folder mean you want to use the Host path of the node what if your node is changing by Kubernetes during maintenance how will you add the files to the node each time or manage it?
If you will use the PVC you might face the issue of readwriteonce if you are scaling the replicas you require the readwritemany. Make try to create stateless containers as much as possible.
If you can create and add the directory inside the docker image and directly use it that would be perfect or else you might could use the NFS like minio or glusterFS which support the readwritemany also.
I've read a few threads where this is discussed. Shai's response has always been that files can only be read, but not written into shared locations
Perhaps saving other type of files isn't so simple but shouldn't there be an option for saving pictures in CN1?
I haven't seen the Whatsapp Clone code, but if it truly is a clone shouldn't it have the option to share pictures (and possibly files). Or is it a simple text chat that perhaps shares pictures that can never be saved outside the app?
I also read somewhere (6 months ago) that Shai said that this should be a feature of CameraKit. Does this mean that this feature is in development? If so, that would be great. But having an ETA would also be great to align with our own devs
If it isn't being developed, can I at least know if this is something I can develop natively within CN1?
We expose the full file system so you can write to any place the native App can write to. Native apps don't have write access to the gallery directory and need to explicitly request it to put a file there. This can be accomplished easily in any external cn1lib (e.g. we could do it in camera kit) but haven't done it for camera kit or the whatsapp clone.
AFAIK there's no RFE open on this feature so I can't even tell you if it's assigned to a specific milestone.
I have a requirement where my app records the video files and stores them in app's documents directory. I want no other app should access these files other that my app. I have set file sharing enabled to NO. But I see some apps like iExplorer can show the video files saved under my app's documents directory. Can I know how this can be avoided.
I have also heard that by mounting the iOS device disk to any unix/linux machine can list out all the contents of the app sandbox.
So I want to know how to prevent this happening.
I tried with adding NSFileProtectionComplete as a attribute when saving the file. But this didn't solve the problem. Please help me on this.
Thanks,
I realize this is a little old but in the hopes of helping the next person who stumbles upon this:
You're probably looking for an encryption solution, combined with the standard steps for hiding your app documents folder as you've mentioned. Encryption won't necessarily hide the files but it will make them unreadable.
NSFileProtectionComplete only encrypts files when the device is locked. See the App Programming Guide for iOS section Protecting Data Using On-Disk Encryption. Also, keep in mind that when testing this, you'll have to wait 10-20 seconds after the device is locked before trying to verify that the file is inaccessible. If you want the encryption to persist past that point you'll have to handle it yourself. Something along what's described in this SO post perhaps.
Does anyone else think Silverlight 4 security is a bit screwball?
Look at the following scenario:
Silverlight when set to trusted app, and run out of browser mode allows you to browse for a file using the file open dialog.
You require the name of the path of the file to open it up from any COM automation. For example (excel/word) but this could be anything.
It is impossible to get the full path of the file from the dialog because of security restrictions
You can however using COM FileSystemObject - do what ever you want to the users file system, including create folders, move and delete files.
So in other words, why all the fuss about security in Silverlight, which actually hinders real business use cases, when its possible to access any file anyways using COM?
To say it another way, if a user runs a malicious silverlight app, its unlikely they'll say - oh well it was COM at fault. The COM was afterall being called by a Silverlight app.
Here is what I mean....
User browses for file - c:\myFile.xls
Silverlight prevents you from getting the path (for security reasons)
Silverlight only lets you work with my documents
Using COM you can do what ever you want to the file system in the background anyways. Including copying that file now to my documents, if only you knew the name! But besides that you can wipe any file potentially if its not in use.
In my opinion Silverlight security model is flawed, either they should have given developers full trust and allow us to run apps as if they were running locally
or
Not allowed Silverlight to access COM.
Is it just me, or can anyone else see that its a bad implementation?
This triggers security alerts:
OpenFileDialog flDialog = new OpenFileDialog();
FileInfo fs = flDialog.File;
string fileName = fs.FullName;
This doesn't
dynamic fileSystem = AutomationFactory.CreateObject("Scripting.FileSystemObject");
fileSystem.CopyFile(anyFileName,anyDestination);
I don't agree with your point of view. The fact that you can do pretty much anything that an installed COM object will allow you to do is not a reason to modify a whole bunch of existing Silverlight code to allow you to do those same things.
Why? Because in the process of opening up that code there is also an increase chance that in some unintended way that same code could get run when the Silverlight component is not running in trusted mode. If that were to happen even once the media would all over it in a shot and Silverlight's reputation would, probably unfairly, be in tatters.
Personally I'm quite happy with the very cautious approach to security that MS are taking with Silverlight.
some Silverlight controls such as the OpenFileDialog work in both trusted and untrusted mode. These controls have been ported from previous versions of Silverlight where the new levels are elevated trust were not a consideration.
Thank you to Anthony for pointing this out.
Developers need to be aware of the definition of trust we are discussing here. Running a Silverlight application in full trust with elevated privileges IS NOT the same thing as running a local Silverlight Windows based Application. It is also far more restrictive than ActiveX.
Its possible that the trust here provided in Silverlight suits your particular business requirement. It is however likely that there are scenarios where you will find Silverlight too restrictive, its best to do your research upfront, and run code samples to ensure you can do the critical stuff, before jumping in head over heels.
Microsoft guarantees that public Silverlight API has the same behavior for both for Windows and MacOS platforms. So the functionality is many ways limited by the common denominator and technical feasibility. Please treat COM introp as a specific case addressing only Windows platform and only in full trust mode and it is not going to work the same for other platforms. So the security restrictions are valid as they are the same for both worlds in terms of API reuse.
I agree with the original poster. I think it's bad implementation. We are given a built in dialog to browse for a file, including directory structure. We can select a file and get a FileInfo object, but security prevents us from getting the FullName (directory and file name). Why? How does that improve security? What's the point of the open file dialog to begin with?
And as the original poster mentioned, with those dynamic objects, we can modify the local file system... which seems like the possible security hole.
All I want to do is read some data from an excel file... a way for my users to import excel data into the application, and the file could be saved anywhere on their machine. These are sales reps using an excel files to record orders locally until they can get to an internet connection. Who knows where they all save that file... so I'm not going to try to suggest we tell them all to store it in the same place in "my documents". I'll get laughed at if I suggest that.
It seems like it should be incredibly simple. But that "security measure" that keeps us from getting the directory the user chose from the built in open file dialog makes it so that we can't use the dialog for the purpose it was created for.
So what's the alternative? Is there a way to pick files using those dynamic objects? Do I have to write my own file selection tool using those objects that can modify the file system? Since I don't need anything but to read the file, and because I read something somewhere that we do have access to the file stream... is there a way to using the file stream to open up the file for reading using the AutomationFactory?
I'm working on a website in JSP (in GWT really, but on the server side, it's really just JSP), and I need to configure my database.
I know HOW to code in the database connection etc, but i'm wondering how/where the database config should be saved.
To clarify my doubt, let me give an example; in PHP, a website usualy has a config.php, where the user configures the database, user, etc (or an install.php generates it).
However, since JSP is bytecode, I can't code this info into my site and have the user modify it, nor can I modify it analogously to an install.php.
How should I handle this? what's the best/most common practice ? I've found NO examples of this. Mainly, where should the config file be stored?
There are several possibilities to do this, what I've seen done include:
Having database credentials in a special file, usually db.properties or some simple XML file that contain the required information (driver, url, username, password, any ORM parameters if needed). The properties file would be placed under WEB-INF or WEB-INF/classes; the downside of this approach is that the user would have to modify the file inside the WAR before deploying it to the application server.
Acquire the database connection via JNDI and expect it to be provided by the application server. This seems to be the most common way of doing this; on the upside, your WAR doesn't have to be changed, however, the downside is that configuring a JNDI data source is different for every application server and may be confusing if your system administrators are not experienced with Java technology.