+3Hello, I'm curious if there are any potential security issues with a data download application via the result download link. How long do these download links last? Can they be scraped by bad actors? It seems even with an authenticated application the results URL is still publicly accessible in this format:
https://[servername]/fmedatadownload/results/FME_[A-Z0-9staticstring]_[0-9string(datestamp perhaps?)]_[0-9]*4.zipIs this already an encoded token?
Thanks!
Best answer by hollyatsafe
Hi @langdonms ,
By default, the results from the Data Download Service are available for 24 hours. The Data Download load service writes files to Resources > System>Temp>engineresults and there is a System Cleanup Task in place to remove files in this location when they are older than 1 day. If you'd like you can edit the cleanup task down to hours or minutes so the file is available to download for less time.
It is not currently possible to set up the download URL to require authentication so if your FME Server is publicly accessible then if anyone else gained access to the URL within the time before the system clean up they would be able to download its contents. There is an existing enhancement request (internal reference: FMESERVER-8119) but it has not been selected for work at this time. Therefore I would encourage you to post an idea as this will help our product owners gauge interest in the request.
Hi @langdonms ,
By default, the results from the Data Download Service are available for 24 hours. The Data Download load service writes files to Resources > System>Temp>engineresults and there is a System Cleanup Task in place to remove files in this location when they are older than 1 day. If you'd like you can edit the cleanup task down to hours or minutes so the file is available to download for less time.
It is not currently possible to set up the download URL to require authentication so if your FME Server is publicly accessible then if anyone else gained access to the URL within the time before the system clean up they would be able to download its contents. There is an existing enhancement request (internal reference: FMESERVER-8119) but it has not been selected for work at this time. Therefore I would encourage you to post an idea as this will help our product owners gauge interest in the request.
+3Hi @langdonms ,
By default, the results from the Data Download Service are available for 24 hours. The Data Download load service writes files to Resources > System>Temp>engineresults and there is a System Cleanup Task in place to remove files in this location when they are older than 1 day. If you'd like you can edit the cleanup task down to hours or minutes so the file is available to download for less time.
It is not currently possible to set up the download URL to require authentication so if your FME Server is publicly accessible then if anyone else gained access to the URL within the time before the system clean up they would be able to download its contents. There is an existing enhancement request (internal reference: FMESERVER-8119) but it has not been selected for work at this time. Therefore I would encourage you to post an idea as this will help our product owners gauge interest in the request.
Thanks Holly! Good info
+2Doubt anyone would be able to scrape previous runs. Those URLs are pretty unique.
But, if you are really worried about it you could create a shutdown script to repackage the zip file output and set a password. For a password you could use a GUID generator in the workbench to pass to the repackage and then add the GUID variable to the emailer output for the end user to copy/paste in. That's pretty secure and allows the service to still be publicly available.
