Skip to main content
Solved

Security of FME Server results download link

  • December 29, 2020
  • 3 replies
  • 78 views

langdonms
Contributor
Forum|alt.badge.img+3

Hello, I'm curious if there are any potential security issues with a data download application via the result download link. How long do these download links last? Can they be scraped by bad actors? It seems even with an authenticated application the results URL is still publicly accessible in this format: 

https://[servername]/fmedatadownload/results/FME_[A-Z0-9staticstring]_[0-9string(datestamp perhaps?)]_[0-9]*4.zip

Is this already an encoded token? 

Thanks!

Best answer by hollyatsafe

Hi @langdonms​ ,

 

By default, the results from the Data Download Service are available for 24 hours. The Data Download load service writes files to Resources > System>Temp>engineresults and there is a System Cleanup Task in place to remove files in this location when they are older than 1 day. If you'd like you can edit the cleanup task down to hours or minutes so the file is available to download for less time.

 

It is not currently possible to set up the download URL to require authentication so if your FME Server is publicly accessible then if anyone else gained access to the URL within the time before the system clean up they would be able to download its contents. There is an existing enhancement request (internal reference: FMESERVER-8119) but it has not been selected for work at this time. Therefore I would encourage you to post an idea as this will help our product owners gauge interest in the request.

View original
Did this help you find an answer to your question?

3 replies

Forum|alt.badge.img+2
  • Best Answer
  • December 30, 2020

Hi @langdonms​ ,

 

By default, the results from the Data Download Service are available for 24 hours. The Data Download load service writes files to Resources > System>Temp>engineresults and there is a System Cleanup Task in place to remove files in this location when they are older than 1 day. If you'd like you can edit the cleanup task down to hours or minutes so the file is available to download for less time.

 

It is not currently possible to set up the download URL to require authentication so if your FME Server is publicly accessible then if anyone else gained access to the URL within the time before the system clean up they would be able to download its contents. There is an existing enhancement request (internal reference: FMESERVER-8119) but it has not been selected for work at this time. Therefore I would encourage you to post an idea as this will help our product owners gauge interest in the request.


langdonms
Contributor
Forum|alt.badge.img+3
  • Author
  • Contributor
  • December 31, 2020
hollyatsafe wrote:

Hi @langdonms​ ,

 

By default, the results from the Data Download Service are available for 24 hours. The Data Download load service writes files to Resources > System>Temp>engineresults and there is a System Cleanup Task in place to remove files in this location when they are older than 1 day. If you'd like you can edit the cleanup task down to hours or minutes so the file is available to download for less time.

 

It is not currently possible to set up the download URL to require authentication so if your FME Server is publicly accessible then if anyone else gained access to the URL within the time before the system clean up they would be able to download its contents. There is an existing enhancement request (internal reference: FMESERVER-8119) but it has not been selected for work at this time. Therefore I would encourage you to post an idea as this will help our product owners gauge interest in the request.

Thanks Holly! Good info


Forum|alt.badge.img+2

Doubt anyone would be able to scrape previous runs. Those URLs are pretty unique.

 

But, if you are really worried about it you could create a shutdown script to repackage the zip file output and set a password. For a password you could use a GUID generator in the workbench to pass to the repackage and then add the GUID variable to the emailer output for the end user to copy/paste in. That's pretty secure and allows the service to still be publicly available.

 


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings