undefined | Better HN

0 pointsbaicunko6y ago0 comments

Thank you for the comments. I agree with you, I will decrease how long the file is in the server (I just hit 40gb from hacker news) as well as implement rate limiting to prevent any brute force

0 comments

9 comments · 2 top-level

lewiscollard6y ago· 7 in thread

Rate limiting (if by that you mean at the firewall or the web server) is not the way to do it. That shifts the problem somewhere else in the stack, into a place that isn't under version control in the same repository.

Consider: If you moved this on to another server, would you remember to enable rate limiting there? If someone else uses your code, will they know to enable rate limiting?

Rate limiting isn't a bad idea, but your security should not depend on it, especially as you have a way of securing it in your application. base64.b16encode(os.urandom(8)) will give you a 64-bit, filename-safe, as-close-to-random-as-reasonable suffix that should be long enough to make it brute-force-proof :)

The same reasoning applies to the cron job (I presume) that is cleaning your files - that's something you have to remember to set up for future (re-)deployments.

Edit: I'd also like to add that showing your code on HN takes bravery and this is, in fact, a neat tool that solves a problem I really wish didn't exist. So, good work on both counts :)

bwindsor6y ago

Or use secrets.token_urlsafe https://docs.python.org/3/library/secrets.html#secrets.token...

lewiscollard6y ago

Hey thanks - somehow, I entirely missed this being a Thing in the stdlib in 3. :) I've used it in my PR on baicunko's repo.

mahathu6y ago

I know this doesn't really add much to the discussion, I just wanted to let you know I really, really appreciate HN over other sites for comments like this. Ones that help you learn something new in a really intuitive and on top of that "non-condescending" way (for lack of a better word I can think of). Thank you!

lewiscollard6y ago

Hey, I know I was not as positive & encouraging as I should have been initially, hence the edit on the end. But thank you for the kind words mate, that actually means a lot to me. <3

baicunkoOP6y ago

thanks! took me quite a while to prepare as I read a bunch of other servers failing catastrophically when posting on HN due to the sheer amount of traffic.

I will start working on your comments throughout the weekend, I agree with most of them. Would love for you to follow the github page for any other comments you may have, all are appreciated

lewiscollard6y ago

It was while reading my above comments that I realised I should have shut up and contributed code instead, because that's definitely more helpful than being critical on HN, especially to a newcomer & their first project.

So that is what I've decided to do! First step: a PR coming out of getting this up and running on my Ubuntu box. :)

1 more reply

OriginalPenguin6y ago

Or use a uuid4 for the suffix.

tinix6y ago

https://docs.python.org/3/library/tempfile.html

  >>> tempfile.mkstemp(suffix='.pdf')
  (4, '/tmp/tmp0g7l3uq7.pdf')

one could take it a step further...

  >>> tempfile.mkstemp(suffix='.pdf', prefix=uuid.uuid4().hex)
  (5, '/tmp/7b7881400a2348bfae63d37b970d4489pqhz_1g2.pdf')

j / k navigate · click thread line to collapse

0 comments

9 comments · 2 top-level

lewiscollard6y ago· 7 in thread

Consider: If you moved this on to another server, would you remember to enable rate limiting there? If someone else uses your code, will they know to enable rate limiting?

The same reasoning applies to the cron job (I presume) that is cleaning your files - that's something you have to remember to set up for future (re-)deployments.

Edit: I'd also like to add that showing your code on HN takes bravery and this is, in fact, a neat tool that solves a problem I really wish didn't exist. So, good work on both counts :)

bwindsor6y ago

Or use secrets.token_urlsafe https://docs.python.org/3/library/secrets.html#secrets.token...

lewiscollard6y ago

Hey thanks - somehow, I entirely missed this being a Thing in the stdlib in 3. :) I've used it in my PR on baicunko's repo.

mahathu6y ago

lewiscollard6y ago

Hey, I know I was not as positive & encouraging as I should have been initially, hence the edit on the end. But thank you for the kind words mate, that actually means a lot to me. <3

baicunkoOP6y ago

thanks! took me quite a while to prepare as I read a bunch of other servers failing catastrophically when posting on HN due to the sheer amount of traffic.

I will start working on your comments throughout the weekend, I agree with most of them. Would love for you to follow the github page for any other comments you may have, all are appreciated

lewiscollard6y ago

So that is what I've decided to do! First step: a PR coming out of getting this up and running on my Ubuntu box. :)

1 more reply

OriginalPenguin6y ago

Or use a uuid4 for the suffix.

tinix6y ago

https://docs.python.org/3/library/tempfile.html

  >>> tempfile.mkstemp(suffix='.pdf')
  (4, '/tmp/tmp0g7l3uq7.pdf')

one could take it a step further...

  >>> tempfile.mkstemp(suffix='.pdf', prefix=uuid.uuid4().hex)
  (5, '/tmp/7b7881400a2348bfae63d37b970d4489pqhz_1g2.pdf')

j / k navigate · click thread line to collapse