Looking for beta testers or feedback for a relay I have been building.
This was built with the beginner user in mind and is very easy to install, run and audit. You can go from cloning the repo to relaying notes in about 4 minutes, as much of the setup is automated.
The stack is Python services running in containers in a Docker Compose stack behind an NGINX reverse proxy. The setup script will install all dependencies, set up your NGINX reverse proxy server and request a TLS certificate, load environmental variables, and build and launch the application and database containers.
This is also pre-configured to deploy with a Datadog agent installed to provide full stack observability of your relay. This configuration offers APM, DBM, and NPM as well as some custom nostr StatsD metrics.
If you are interested in testing or just want to poke around, check out the links below!
The repo is located here:
https://github.com/UTXOnly/nost-py
and a demo setup video here:
https://youtu.be/9Fmu7K2_t6Y
os.system() and subprocess methods with string formatting to execute shell commands. This makes the script vulnerable to shell injection attacks, especially if user-supplied input is used. For instance, if an attacker can influence the default_conf or domain_name values, they could potentially execute arbitrary commands.
script_user, which could potentially reveal sensitive information about the system. Furthermore, it is handling environment variables that likely contain sensitive information.
rm -rf command, which is a dangerous operation that can delete directories and their contents recursively. In this case, the default_conf file is deleted. If an attacker can control the path, this could lead to deletion of any file or directory.
chmod command. This could potentially lead to inappropriate access to sensitive files.
nginx_config to a file, but it does not check if the file already exists. An attacker could potentially create a symlink to another file, and the script would overwrite that file instead.
os.system() and subprocess with string formatting. Instead, use subprocess.run() with a list of arguments.
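
The shell-injection point, the subprocess.run() recommendation and the symlink-overwrite point from the review above, as an added example that is not code from the nost-py repository. The function names, the echo stand-in command, the hostname pattern and the sample domain_name value are assumptions constructed for illustration.

```python
import os
import re
import subprocess

# Constructed input: a domain_name value carrying shell metacharacters.
HOSTILE_DOMAIN = "example.com; echo INJECTED"

# Assumption: the setup script only ever needs a plain DNS hostname.
DOMAIN_RE = re.compile(
    r"(?=.{1,253}\Z)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I
)


def run_formatted_string(domain_name):
    """Flagged pattern: the value is formatted into a string parsed by a shell."""
    done = subprocess.run(f"echo configuring {domain_name}", shell=True,
                          capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def run_argument_list(domain_name):
    """Recommended pattern: no shell, the value is exactly one argv element."""
    done = subprocess.run(["echo", "configuring", domain_name],
                          capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def validate_domain(domain_name):
    """Reject anything that is not a hostname before it reaches a command or file."""
    if not DOMAIN_RE.fullmatch(domain_name):
        raise ValueError(f"rejected domain_name: {domain_name!r}")
    return domain_name.lower()


def write_new_config(path, nginx_config):
    """Create the config only if nothing exists at path.

    O_CREAT | O_EXCL fails with FileExistsError when path is already a file
    or a symlink, so a planted link is never followed or overwritten.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "w") as fh:
        fh.write(nginx_config)


if __name__ == "__main__":
    print(run_formatted_string(HOSTILE_DOMAIN))  # two lines: the shell ran a second command
    print(run_argument_list(HOSTILE_DOMAIN))     # one line: the whole value is literal text
```

The argument-list form removes the shell from the picture, and validate_domain() is a second layer for values that later end up in file paths or in the NGINX configuration text.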