****Not private**SECURITY-ISSUE*** DO NOT USE UNTIL CHANGES ARE MADE*** #43
Comments
I would recommend allowing people to add their own links or save the HTML file locally |
There is no cause for alarm here. You clearly didn't make any analysis, pure speculation. I can confirm that |
Whether sensitive data is sent to that Netlify function or not would rather seem to depend on whether any sensitive data was included in the chat itself. With that in mind it might indeed be nice to warn users that their data is being sent to a third party in order to be shared. |
Ok, I am confused. An alert like |
1# - The danger here is that you are not in control of the chats that are being sent to the S3 bucket. 2# What if you want to delete the chat because you forgot that you had put your password or sensitive information in it? You can't. #3 It is important to understand that data is being harvested here... Lastly, why can't the code be transparent enough so you could add your own S3 bucket or Storj or even your own server? Listen, I am not saying that this is what they would do, but I am suggesting for them to be open and trustworthy. |
Agreed. Vouch |
Hello guys, thank you for all your information about security issues. It's good to keep this kind of thing in mind. |
@4m0ses could you give a starting point for where these changes would need to be made? I'm happy to take a look at it. |
async function sendRequest() { |
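I believe this is where the code goes and sends the HTML file and returns with a link @trydalch

```js
async function sendRequest() {
  // Conversation data collected from the page.
  const data = getData();
  // The upload endpoint is not fixed in the code: it is read at run time
  // from a text file hosted in the S3 bucket.
  const uploadUrlResponse = await fetch(
    "https://chatgpt-static.s3.amazonaws.com/url.txt"
  );
  const uploadUrl = await uploadUrlResponse.text();
  // POST the conversation as JSON to that endpoint.
  fetch(uploadUrl, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
    body: JSON.stringify(data),
  })
    .then((response) => response.json())
    .then((data) => {
      // Open the share link returned by the server in a new tab.
      window.open(data.url, "_blank");
    });
}
```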
Why don't you just remove |
@D-32 @liady @adrianmarinwork it is important to note that the current implementation of the code uploads data to the author's S3 bucket. While this may be a convenient solution for the author, it poses a potential security risk, as it could allow the author to access sensitive data, such as passwords or API keys, that users may inadvertently include in their data.
To address this concern, it would be advisable to modify the code so that it does not upload user data to a third-party service, such as the author's S3 bucket. One potential solution could be to modify the code so that it saves the user's data locally on their own machine instead of uploading it to a remote server. This would help ensure that the user's data remains secure and under their control.
It is important to be mindful of potential security risks when using third-party software or services. Users should always carefully review the code and configuration of any software or service they use, and take appropriate steps to secure their data and systems.
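
One way to implement the local-save approach suggested above, with upload only to an https endpoint the user configures and consents to. This is an added example, not the extension's code; `settings`, `exportChat`, `resolveDestination` and the `chat.html` filename are hypothetical, and the result of `getData()` is assumed to be JSON-serializable.

```javascript
// Added example, not the extension's code. Assumption: the object returned by
// getData() is JSON-serializable; its shape is not shown in the thread.

// Escape text before placing it in HTML so chat content cannot inject markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build a self-contained HTML file from the conversation data.
function buildLocalHtml(data) {
  const json = escapeHtml(JSON.stringify(data, null, 2));
  return `<!doctype html><meta charset="utf-8"><title>Saved chat</title><pre>${json}</pre>`;
}

// Choose the destination. Upload happens only to an https endpoint the user
// entered themselves AND only after explicit consent; anything else is local.
// `settings` ({ consentToUpload, uploadUrl }) is a hypothetical options object.
function resolveDestination(settings) {
  if (!settings || settings.consentToUpload !== true || !settings.uploadUrl) {
    return { mode: "local" };
  }
  let url;
  try { url = new URL(settings.uploadUrl); } catch { return { mode: "local" }; }
  return url.protocol === "https:" ? { mode: "upload", url: url.href } : { mode: "local" };
}

// Export the chat. `env` defaults to the browser globals and is injectable for testing.
async function exportChat(data, settings, env = globalThis) {
  const dest = resolveDestination(settings);
  if (dest.mode === "upload") {
    const res = await env.fetch(dest.url, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(data),
    });
    return { mode: "upload", status: res.status };
  }
  // Local path: hand the file to the browser's download mechanism, no network.
  const blob = new env.Blob([buildLocalHtml(data)], { type: "text/html" });
  const link = env.document.createElement("a");
  link.href = env.URL.createObjectURL(blob);
  link.download = "chat.html";
  link.click();
  env.URL.revokeObjectURL(link.href);
  return { mode: "local" };
}
```

With no settings the chat never leaves the machine, and the destination is visible in the user's own configuration instead of being read from a remote file at run time.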