pull down to refresh

Looking for beta testers or feedback for a relay I have been building.
This was built with the beginner user in mind and very easy to install, run and audit. You can go from cloning the repo to relaying notes in about 4 minutes as much of the setup is automated.
The stack is python services, running in containers in a docker compose stack behind a NGINX reverse proxy. The setup script will install all dependencies, setup your NGINX reverse proxy server and request an TLS certificate, load environmental variables, build and launch the application and database containers
This is also pre-configured to deploy with a Datadog agent installed to provide full stack observability of your relay. This configuration offers APM, DBM, and NPM as well as some custom nostr StatsD metrics
If you are interested in testing or just want to poke around, check out the links below!
The repo is located here: https://github.com/UTXOnly/nost-py
and a demo setup video here: https://youtu.be/9Fmu7K2_t6Y
51.2k sats \ 1 reply \ @maths 30 Jul 2023
  1. Shell Injection: The script uses the os.system() and subprocess methods with string formatting to execute shell commands. This makes the script vulnerable to shell injection attacks, especially if user-supplied input is used. For instance, if an attacker can influence the default_conf or domain_name values, they could potentially execute arbitrary commands.
  2. Sensitive Data Exposure: The script prints out the script_user, which could potentially reveal sensitive information about the system. Furthermore, it is handling environment variables that likely contain sensitive information.
  3. Arbitrary File Deletion: The script deletes files using the rm -rf command, which is a dangerous operation that can delete directories and their contents recursively. In this case, the default_conf file is deleted. If an attacker can control the path, this could lead to deletion of any file or directory.
  4. Insecure File Permissions: The script modifies the file permissions of certain files using the chmod command. This could potentially lead to inappropriate access to sensitive files.
  5. Unchecked Return Values: The script does not check the return values of the system or subprocess calls, which can lead to unnoticed failures. If these calls fail, the script continues to execute, which can lead to unexpected behavior.
  6. Insecure Temporary File: The script writes the nginx_config to a file, but it does not check if the file already exists. An attacker could potentially create a symlink to another file, and the script would overwrite that file instead.
To mitigate these issues, you should:
  • Avoid using os.system() and subprocess with string formatting. Instead, use subprocess.run() with a list of arguments.
  • Check the return values of system or subprocess calls and handle errors appropriately.
reply
Thank you so much for taking the time to analyze and give detailed actionable feedback. I will be sure to open up some issues and get working on this!
Sorry for the multiple Zap notifications!
reply
Very cool. I was just thinking about having my own relay but not knowing where to start.
reply
This was built for exactly that! If you end up trying to run it, I would love to hear your feedback so I can improve it.
reply
Exciting to play around with this.
reply
Awesome, would love to hear your thoughts on it!
reply