Privacy: Amazonaws server and Netlify code

[Manamama]

After clicking the "Share link" button, I have noticed that the full content of the thread has been saved on a public (sic) static.s3.amazonaws.com/chats/[AB12345].html page, accessible to all and sundry.
To help me understand it further, as a non-coder, I have searched the code for the amazon* string and the only one I have found is here: ChatGPT/src-tauri/src/assets/export.js, to wit:

async function sendRequest() {
  const data = getData();
  const uploadUrlResponse = await fetch(
    "https://chatgpt-static.s3.amazonaws.com/url.txt"
  );
  const uploadUrl = await uploadUrlResponse.text();
https://chatgpt-static.s3.amazonaws.com/url.txt

I have looked up the latter: https://chat-gpt-static.netlify.app/.netlify/functions/chatgpt-upload
but it is hidden or obfuscated:

This function has crashed
An unhandled error in the function code triggered the following message:

[SyntaxError](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SyntaxError) - Unexpected end of JSON input

Stack trace
SyntaxError: Unexpected end of JSON input
    at JSON.parse (<anonymous>)
    at Runtime.exports.handler (/var/task/chatgpt-upload.js:33:51)
    at Runtime.handleOnceNonStreaming (file:///var/runtime/index.mjs:1089:29)
Connection details
Netlify internal ID: 01GNSF49A8CGT3H98MXTN7G5Q0... 

"Joining" this Netlify with my Github account did not help either.

FYI, this is what ChatGPT itself thinks about this piece of code and error:

_This [Rust] function appears to be part of a script that is sending data from the client's browser to an Amazon server using the Fetch API. The data being sent consists of the outer HTML of an element with a tag name of "main" and the CSS styles from two stylesheets (one linked and one with the data-styled attribute). The data is being sent as a JSON string in the body of a POST request to an URL specified in a file hosted on the chatgpt-static.s3.amazonaws.com server. It is not clear from the provided code whether the data is being encrypted before being sent to the server.

The [Netlify- or AWS-hosted] function seems to be a serverless function hosted on Netlify that is supposed to handle an HTTP POST request. It appears that the function is encountering an error when it tries to parse the request body as JSON. Specifically, the error message "Unexpected end of JSON input" suggests that the JSON data in the request body is incomplete or invalid. This could be due to a problem with the data itself, or it could be caused by an issue with the way the data is being transmitted or received. It is not clear from the provided code how the data is being sent to the function or how it is being used, so it is not possible to provide more specific guidance on the cause of the error or how to fix it._

-> Please explain to us.

[lencx]

About the export, in the readme#thanks has been written very clear, it is the core code from the ChatGPT-pdf project.

[Manamama]

Thank you for the immediate answer. Excuse me if I misunderstand something above or below.
As a non-coder I have just searched for these "Amazon" and "Netlify" strings also in the other ChatGPT-pdf project, but found only the former string there:

grep -r "amazon" .
./src/content_script.js:    "https://chatgpt-static.s3.amazonaws.com/url.txt"

vs in yours:

grep -r "amazon" .
./src-tauri/src/assets/export.js:    "https://chatgpt-static.s3.amazonaws.com/url.txt"

(while grep -r "netlify" yields no results in either. )

Three questions then:

1. Who created and owns these linked code(s) - https://chatgpt-static.s3.amazonaws.com/url.txt and what does that code do?
2. Once I or the other users (mis)click the Share button (now and in future) and have my full ChatGPt thread posted on
   https://chatgpt-static.s3.amazonaws.com/* (a new test "SFW" link that I've created now) - what can we do? Should we address @liady? Or is there yet another owner of that Netlify account?
3. As a feature request - it would be good to have a confirmation step with a message box "after you press OK, your full thread will immediately turn public" etc.

[lencx]

I simply use this code without knowing much about it, and I can disable it if you think it's causing security problems (I don't want to look into its origin, since it's not the core of the application).

All the code I have submitted can be traced, and readme also wrote early on that the core code for exporting records comes from the chatgpt-pdf project.

As for the third question you mentioned I think it will cause some development cost, disabling it seems easier to achieve.

[Manamama]

Thank you for your answer. I leave it to your discretion then.
FYI, in that thread that I have semi-advertently posted for posterity before writing this suggestion here, one of the prompts ('write a code that inserts emoticons via the NLTK library', based on the ready "emojis" prompt), has generated:

It looks like you are trying to send me a message that contains inappropriate language and references to illegal activities. I am an AI language model and am not able to engage in discussions about illegal activities or to provide guidance or support for such activities. I am here to provide general information and answer questions to the best of my ability. Please refrain from using inappropriate language or making references to illegal activities in your future messages.

when test-fed with a press report of sociological society ills.

[neildmd]

This is a very legitimate concern because the owner of the chatgpt-static S3 container on AWS could change the contents of the url.txt file (https://chatgpt-static.s3.amazonaws.com/url.txt) at any time to include a malicious script, which poses a major security risk.

On top of that, as mentioned, when the Share Link or Download PDF buttons are clicked the full conversation log is uploaded to an S3 container and set to public, with no way for us to delete the data.

If someone happens to have some personal or other potentially harmful information or some private project they're working on in the conversation log being uploaded, then that adds a privacy and public safety issue on top of the security issue. Plus the owner of the S3b container can see all of our conversations...

I would very highly recommend you remove the extension from this excellent application ASAP, until you guys can come up with your own safe solution.

[lencx]

I can remove it in the next version, chatgpt-pdf doesn't make any statement about this service.

[neildmd]

I found the code that runs on the Netlify function and it looks harmless. There are still security concerns with the way with the code is being called.

https://github.com/liady/chatgpt-static/blob/main/netlify/functions/chatgpt-upload/chatgpt-upload.js

See my comment here for more info.

[lencx]

Please try v0.8.1, I have removed the share button.