From 5fbe580c084a3004293884b4a67fd0be8b2fd7ec Mon Sep 17 00:00:00 2001 From: Ajay Ramachandran Date: Thu, 25 Jul 2019 16:35:08 -0400 Subject: [PATCH 1/5] Hash the userIDs --- index.js | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/index.js b/index.js index 8a9ddc2..1fe6256 100644 --- a/index.js +++ b/index.js @@ -92,6 +92,9 @@ app.get('/api/postVideoSponsorTimes', function (req, res) { return; } + //hash the userID + userID = getHashedUserID(userID); + //x-forwarded-for if this server is behind a proxy let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress; @@ -156,6 +159,9 @@ app.get('/api/voteOnSponsorTime', function (req, res) { return; } + //hash the userID + userID = getHashedUserID(userID); + //check if vote has already happened db.prepare("SELECT type FROM votes WHERE userID = ? AND UUID = ?").get(userID, UUID, function(err, row) { if (err) console.log(err); @@ -236,16 +242,19 @@ app.get('/api/getViewsForUser', function (req, res) { return; } + //hash the userID + userID = getHashedUserID(userID); + //up the view count by one db.prepare("SELECT SUM(views) as viewCount FROM sponsorTimes WHERE userID = ?").get(userID, function(err, row) { if (err) console.log(err); - if (row != null) { + if (row.viewCount != null) { res.send({ viewCount: row.viewCount }); } else { - res.send(404); + res.sendStatus(404); } }); }); 
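Review bot: Hashing `userID` at the top of this handler changes the key under which rows are stored and looked up, and the patch carries no migration for rows already written with the raw ID. The same applies to the hunks in `/api/voteOnSponsorTime` and `/api/getViewsForUser`: if the tables already hold raw IDs, the `SELECT type FROM votes WHERE userID = ? AND UUID = ?` duplicate-vote check stops matching earlier votes and the view count query finds nothing. Any such raw IDs would also stay readable in the file served at `/database.db` (visible in a later hunk of this patch). If existing rows are present, a one-time rehash of the stored `userID` columns should ship with this change. The handler body continues outside the hunk.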
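Review bot: `row.viewCount` is dereferenced even when the query failed. On an error `err` is only logged and `row` is presumably undefined, so `if (row.viewCount != null)` would throw inside the callback instead of answering the request. Handle the error first with `if (err) { console.log(err); res.sendStatus(500); return; }` and keep the null guard on the row itself: `if (row != null && row.viewCount != null) {`.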
@@ -254,6 +263,17 @@ app.get('/database.db', function (req, res) { res.sendFile("./databases/sponsorTimes.db", { root: __dirname }); }); +function getHashedUserID(userID) { + //hash the userID so no one can get it from the database + let hashedUserID = userID; + //hash it 5000 times, this makes it very hard to brute force + for (let i = 0; i < 5000; i++) { + let hashCreator = crypto.createHash('sha512'); + hashedUserID = hashCreator.update(hashedUserID).digest('hex'); + } + + return hashedUserID; +} //This function will find sponsor times that are contained inside of eachother, called similar sponsor times //Only one similar time will be returned, randomly generated based on the sqrt of votes. From 71527cc4b1185f1605e052c61d4850e0cdfb8495 Mon Sep 17 00:00:00 2001 From: Ajay Ramachandran Date: Thu, 25 Jul 2019 16:36:53 -0400 Subject: [PATCH 2/5] Switched back to sha256, sha512 is just too long. --- index.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.js b/index.js index 1fe6256..27b6667 100644 --- a/index.js +++ b/index.js @@ -102,7 +102,7 @@ app.get('/api/postVideoSponsorTimes', function (req, res) { let hashedIP = ip + globalSalt; //hash it 5000 times, this makes it very hard to brute force for (let i = 0; i < 5000; i++) { - let hashCreator = crypto.createHash('sha512'); + let hashCreator = crypto.createHash('sha256'); hashedIP = hashCreator.update(hashedIP).digest('hex'); } @@ -268,7 +268,7 @@ function getHashedUserID(userID) { let hashedUserID = userID; //hash it 5000 times, this makes it very hard to brute force for (let i = 0; i < 5000; i++) { - let hashCreator = crypto.createHash('sha512'); + let hashCreator = crypto.createHash('sha256'); hashedUserID = hashCreator.update(hashedUserID).digest('hex'); } From d7dec47de766e724d24401a1063a622e3fd7c371 Mon Sep 17 00:00:00 2001 
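Review bot: `getHashedUserID` hashes without a salt, so the comment's claim that the result is "very hard to brute force" holds only if user IDs are long random values; the context line above shows the whole database served at `/database.db`, so the stored hashes are public. 5000 rounds of a fast digest is a small work factor, and the IP hashing in `/api/postVideoSponsorTimes` already mixes in `globalSalt`, so the two paths are inconsistent. Consider a standard KDF with a server-side salt, e.g. `return crypto.pbkdf2Sync(userID, globalSalt, 5000, 32, 'sha256').toString('hex');`, with the iteration count raised as far as request latency allows; whether `globalSalt` is kept out of the repository is not visible here. `update()` also throws on a non-string argument, which a repeated query parameter can produce, so unless the callers already reject that, check `typeof userID !== 'string'` before hashing. A short JSDoc block stating the input type and that the result is a hex digest would help callers.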
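Review bot: Switching the digest from `sha512` to `sha256` changes every value this loop produces, so `hashedIP` values stored by the earlier code no longer equal the hash of the same address. If `hashedIP` is compared against stored rows anywhere (not visible in this hunk), those comparisons silently stop matching until the old rows are rehashed or aged out. The second hunk makes the same swap in `getHashedUserID`, where it matters only if the previous commit was ever deployed. Since output length was the motivation, record it next to the call, for example `//sha256 hex digest, 64 characters`.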
From: Ajay Ramachandran Date: Thu, 25 Jul 2019 16:48:13 -0400 Subject: [PATCH 3/5] Made the UUID a hash of the input instead of random. --- index.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/index.js b/index.js index 27b6667..964c49d 100644 --- a/index.js +++ b/index.js @@ -109,7 +109,11 @@ app.get('/api/postVideoSponsorTimes', function (req, res) { startTime = parseFloat(startTime); endTime = parseFloat(endTime); - let UUID = uuidv1(); + //this can just be a hash of the data + //it's better than generating an actual UUID like what was used before + //also better for duplication checking + let hashCreator = crypto.createHash('sha256'); + let UUID = hashCreator.update(videoID + startTime + endTime + userID).digest('hex'); //get current time let timeSubmitted = Date.now(); From 7e041e5b4971385bcd972661c87b632576fe1124 Mon Sep 17 00:00:00 2001 From: Ajay Ramachandran Date: Thu, 25 Jul 2019 16:54:43 -0400 Subject: [PATCH 4/5] Prevented backwards sponsor times. --- index.js | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/index.js b/index.js index 964c49d..4321bd4 100644 --- a/index.js +++ b/index.js @@ -109,6 +109,11 @@ app.get('/api/postVideoSponsorTimes', function (req, res) { startTime = parseFloat(startTime); endTime = parseFloat(endTime); + if (startTime > endTime) { + //time can't go backwards + res.sendStatus(400); + } + //this can just be a hash of the data //it's better than generating an actual UUID like what was used before //also better for duplication checking From abfbba2ad0ff630a35913d446e116b93a152108c Mon Sep 17 00:00:00 2001 From: Ajay Ramachandran Date: Thu, 25 Jul 2019 16:56:06 -0400 Subject: [PATCH 5/5] Fixed server crash. --- index.js | 1 + 1 file changed, 1 insertion(+) diff --git a/index.js b/index.js index 4321bd4..1b49e3d 100644 --- a/index.js +++ b/index.js 
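Review bot: The hash input `videoID + startTime + endTime + userID` joins the fields with no separator, so different submissions can produce the same `UUID`. For example, start 1.5 / end 25 and start 1.52 / end 5 both contribute `1.525`, and the boundary between `videoID` and `startTime` is equally ambiguous. Hash an unambiguous encoding instead, e.g. `let UUID = hashCreator.update(JSON.stringify([videoID, startTime, endTime, userID])).digest('hex');`. Because the ID is now deterministic, a resubmission yields an existing `UUID`; how the later insert reacts to that is outside this hunk, so the duplicate case should be handled explicitly there.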
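Review bot: The new range check lets non-numeric input through. `parseFloat` returns `NaN` for a value it cannot parse, and `startTime > endTime` is false whenever either side is `NaN`, so such a request continues to the hash and whatever storage follows. Extend the condition, e.g. `if (!Number.isFinite(startTime) || !Number.isFinite(endTime) || startTime > endTime) {`. The missing `return` after `res.sendStatus(400)` is added by the next patch in this series, and the handler continues outside the hunk.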
@@ -112,6 +112,7 @@ app.get('/api/postVideoSponsorTimes', function (req, res) { if (startTime > endTime) { //time can't go backwards res.sendStatus(400); + return; } //this can just be a hash of the data