Solved

Security of FME Server results download link

  • 29 December 2020

Hello, I'm curious if there are any potential security issues with a data download application via the result download link. How long do these download links last? Can they be scraped by bad actors? It seems even with an authenticated application the results URL is still publicly accessible in this format: 

https://[servername]/fmedatadownload/results/FME_[A-Z0-9staticstring]_[0-9string(datestamp perhaps?)]_[0-9]*4.zip

Is this already an encoded token? 

Thanks!

Best answer by hollyatsafe 30 December 2020, 22:36

Hi @langdonms,

By default, the results from the Data Download Service are available for 24 hours. The Data Download Service writes files to Resources > System > Temp > engineresults, and there is a System Cleanup Task in place to remove files in this location when they are older than 1 day. If you'd like, you can edit the cleanup task down to hours or minutes so the file is available to download for less time.

It is not currently possible to set up the download URL to require authentication, so if your FME Server is publicly accessible, anyone else who gained access to the URL within the time before the system cleanup would be able to download its contents. There is an existing enhancement request (internal reference: FMESERVER-8119), but it has not been selected for work at this time. Therefore, I would encourage you to post an idea, as this will help our product owners gauge interest in the request.

Thanks Holly! Good info

Doubt anyone would be able to scrape previous runs. Those URLs are pretty unique.

 

But, if you are really worried about it you could create a shutdown script to repackage the zip file output and set a password. For a password you could use a GUID generator in the workbench to pass to the repackage and then add the GUID variable to the emailer output for the end user to copy/paste in. That's pretty secure and allows the service to still be publicly available.

 

Reply
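
Since the thread establishes that a result URL works for anyone who holds it until the cleanup task runs, one practical check is to review web access logs for the results path. The following is an added example, not part of the thread and not FME Server code: it assumes a reverse proxy in front of FME Server writing Common/Combined Log Format, and the threshold, file names and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Assumption: Common/Combined Log Format from a reverse proxy in front of FME Server.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
RESULT_PREFIX = "/fmedatadownload/results/"  # results path quoted in the question
MISS_THRESHOLD = 3                           # assumed tuning value, adjust per site

def review(lines, miss_threshold=MISS_THRESHOLD):
    """Return (shared, guessers).

    shared:   {result file: sorted client IPs} for files fetched by more than one client
    guessers: {client IP: 404 count} for clients repeatedly missing on result URLs
    """
    fetched = defaultdict(set)
    misses = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line or a method we do not track
        path = m["path"].split("?", 1)[0]
        if not path.startswith(RESULT_PREFIX):
            continue
        status = int(m["status"])
        if status in (200, 206):
            fetched[path[len(RESULT_PREFIX):]].add(m["ip"])
        elif status == 404:
            misses[m["ip"]] += 1
    shared = {name: sorted(ips) for name, ips in fetched.items() if len(ips) > 1}
    guessers = {ip: n for ip, n in misses.items() if n >= miss_threshold}
    return shared, guessers

def _line(ip, name, status):
    # Builds one constructed log line for a result-file request.
    return f'{ip} - - [30/Dec/2020:10:00:00 +0000] "GET {RESULT_PREFIX}{name} HTTP/1.1" {status} 512'

# Constructed sample: documentation IP ranges and made-up result file names.
SAMPLE = [
    _line("192.0.2.10", "FME_EXAMPLEA_1609300000000_1111.zip", 200),
    _line("198.51.100.7", "FME_EXAMPLEA_1609300000000_1111.zip", 200),
    _line("192.0.2.10", "FME_EXAMPLEB_1609300500000_2222.zip", 200),
    _line("203.0.113.5", "FME_GUESS001_1609300000000_0001.zip", 404),
    _line("203.0.113.5", "FME_GUESS002_1609300000000_0002.zip", 404),
    _line("203.0.113.5", "FME_GUESS003_1609300000000_0003.zip", 404),
    _line("198.51.100.7", "FME_EXPIRED1_1609200000000_3333.zip", 404),
    '192.0.2.10 - - [30/Dec/2020:10:00:00 +0000] "GET /fmeserver/ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(review(SAMPLE))
```

A file appearing under `shared` is not proof of misuse (the same user may fetch from two networks), but it is the set worth checking while the file still exists in engineresults.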