URL shortening / anonymising #4161

Open
Dinth opened this issue Jul 26, 2024 · 10 comments
Labels
Feature-Request Issue is a feature request

Comments

@Dinth

Dinth commented Jul 26, 2024

Is your feature request related to a problem? Please describe.

I would like to set up RSS bridge generating some feeds (for example from OpenCVE) for use at work. Unfortunately, currently the feeds generated by rss-bridge contain all the details (like access credentials to the third party) within the URL, so adding the link to an rss-bridge feed into some scripts at work would also require me to share my OpenCVE credentials with my workmates.
Additionally, it opens rss-bridge to abuse in such a scenario, when someone can freely modify the feed URL to use it for personal reasons or even potentially inject some code through the GET method.
Currently OpenCVE is a problem, but I also had some more advanced uses of rss-bridge in mind which unfortunately I won't be able to do in the current form (as they won't be shareable).

Describe the solution you'd like
I think that the easiest solution would be adding a pseudo-"URL shortening" functionality to rss-bridge. Each generated feed within rss-bridge could have an ID assigned (let's say five-six random characters) and going to <rss-bridge.domain>/ would allow accessing it. Such access could not require credentials, while accessing the main (admin) URL would.

Describe alternatives you've considered
I was not able to think about any other alternatives.

@Dinth Dinth added the Feature-Request Issue is a feature request label Jul 26, 2024
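
The ID-to-feed mapping proposed in the request above, sketched as an added example (not RSS-Bridge code, and not the code from the PR or fork mentioned later in this thread). `FeedAliasStore`, `handlePublicRequest`, the `id` query key, the bridge name and the credentials are hypothetical, and the store is in-memory where a real instance would persist it; the ID defaults to 22 characters rather than five or six because the ID is the only secret left in the shared URL.

```php
<?php
declare(strict_types=1);
// Added example, not RSS-Bridge code. All names below are hypothetical.
final class FeedAliasStore
{
    private const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    private array $aliases = [];   // id => stored bridge parameters (server-side only)
    private int $idLength;
    public function __construct(int $idLength = 22) { $this->idLength = $idLength; }

    // Store the full parameter set (including credentials) and return an opaque ID.
    public function create(array $bridgeParams): string
    {
        $max = strlen(self::ALPHABET) - 1;
        do {
            $id = '';
            for ($i = 0; $i < $this->idLength; $i++) {
                $id .= self::ALPHABET[random_int(0, $max)]; // CSPRNG, not rand()/mt_rand()
            }
        } while (isset($this->aliases[$id]));
        $this->aliases[$id] = $bridgeParams;
        return $id;
    }

    // Return the stored parameters, or null for a malformed or unknown ID.
    public function resolve(string $id): ?array
    {
        if (preg_match('/\A[A-Za-z0-9]{' . $this->idLength . '}\z/', $id) !== 1) {
            return null;
        }
        return $this->aliases[$id] ?? null;
    }
}

// Public endpoint: reads only "id"; other caller-supplied parameters are ignored, so editing the URL cannot re-point the feed.
function handlePublicRequest(FeedAliasStore $store, array $query): array
{
    $id = $query['id'] ?? '';
    $params = is_string($id) ? $store->resolve($id) : null;
    return $params === null ? ['status' => 404] : ['status' => 200, 'params' => $params];
}

// Constructed demo values: the shared URL carries the ID only, never the credentials.
$store = new FeedAliasStore();
$id = $store->create(['bridge' => 'ExampleBridge', 'username' => 'alice', 'password' => 'constructed-secret']);
echo "Shareable URL: https://rss-bridge.example/?id={$id}\n";
$tampered = handlePublicRequest($store, ['id' => $id, 'bridge' => 'OtherBridge']);
echo $tampered['status'], ' ', $tampered['params']['bridge'], "\n";
echo handlePublicRequest($store, ['id' => 'short'])['status'], "\n";
```

The second request shows that an extra `bridge` parameter in the query string has no effect: the stored parameters are returned unchanged, and an unknown or malformed ID yields a 404.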
@dvikan
Contributor

dvikan commented Jul 28, 2024

a solution: bridges can have private config

see https://rss-bridge.github.io/rss-bridge/Bridge_Specific

@NotsoanoNimus
Contributor

@Dinth The branch from the PR above (#4171) will most likely get you what you're looking for out-of-the-box. Give it a read and see if that's what you'd like to use.

@Dinth
Author

Dinth commented Aug 1, 2024

@NotsoanoNimus Legend!

@Dinth
Author

Dinth commented Aug 10, 2024

@NotsoanoNimus what happened with the PR? I was just about to clone your repository :(

@NotsoanoNimus
Contributor

> @NotsoanoNimus what happened with the PR? I was just about to clone your repository :(

Howdy, sorry about the confusion. If you're looking for this feature, you can pull from my divergent fork of this project. It has URL encryption/masking built in, but still left as an optional feature to enable.

@Mynacol
Contributor

Mynacol commented Aug 12, 2024

I was just looking at the PR before I noticed it was closed by its author.
Protecting credentials is of course important and the existing private config method is only available to self-hosters. So there is a hole to be filled.

However, a part of me thinks generally encrypting the URL is against the spirit of this project, as it prevents users modifying the parameters. In the meantime, supporting the protection of credentials in all bridges with the private config method is a good idea and I hope self-hosting is easy enough.

@Dinth
Author

Dinth commented Aug 12, 2024

@NotsoanoNimus: would it be possible for you to create a docker repo on docker hub?

@Mynacol I think that it's not only this project's spirit, but generally an OSS spirit to give users freedom of using software as they're pleased. But I believe that currently (and sorry, I don't mean to attack anyone - rss-bridge is an amazing piece of software and I appreciate every line of code in it!), the freedom of using rss-bridge is severely limited: I can either do an instance only for myself, or fully open the instance for everyone around the world - not only to access it, but to use it in any way they want. And that's only if I have unlimited bandwidth on my internet connection, because with a fully public instance people may and probably will abuse it. There's not much in between. Not to mention using rss-bridge in a more professional environment: let's say I would like to host something on a corporate server, but someone will modify the URL, generating a feed for some illegal content, and share the link (to a company-owned subdomain) online.

@mruac
Contributor

mruac commented Dec 15, 2024

> @Dinth The branch from the PR above (#4171) will most likely get you what you're looking for out-of-the-box. Give it a read and see if that's what you'd like to use.

I like this solution. In addition to shortening the long URL from its multiple parameters, it will also encrypt the token password used to access the bridge (as was discussed previously, using a token over an HTTP username and password is preferred by some, as their feed reader does not support HTTP login).

This will definitely save me the effort of rotating out my instance's token and updating my feed reader's RSS-Bridge feeds the next time someone hijacks a domain I have a bridge on.

@Mynacol
Contributor

Mynacol commented Dec 15, 2024

@mruac

> This will definitely save me the effort of rotating out my instance's token and updating my feed reader's RSS-Bridge feeds the next time someone hijacks a domain I have a bridge on.

Do you use domains without owning them and people register them "behind your back"? Then you're clearly using domains wrong. Either register domains you use yourself or use special top-level domains that are standardized as "for local use". E.g. *.internal or *.home.arpa (Source and source). Or are you not using transport encryption (TLS)? That is clearly not an rss-bridge problem (although this issue, shortening/protecting the URLs, is of course relevant).

@mruac
Contributor

mruac commented Dec 16, 2024

I have a Linode instance that is accessed via DuckDNS.
I'm referring to the FurAffinity domain hijack around the time of their owner's passing.
I am realising now that while they would have seen activity coming from Linode to scrape the site, it would not have included my RSS-Bridge's token. Only my web hosted feed reader would have that.

5 participants