Stacker News Bug Report

Description:

Based on my testing, it appears that users can upload images using the File Upload feature during comment creation without any limitations or associated costs in sats. This unrestricted functionality could potentially be exploited by malicious attackers to inundate the server's hard disk space with spam image uploads.

Reproduction Steps:

  1. Access the comment creation section.
  2. Click the File Upload feature.
  3. Select a folder with a shit load of images and upload them.
  4. Spam step 3 or have a script to do it for you.

Actual Result:

The current system allows users to upload images without any restrictions.

Expected Result:

Users should be limited in their ability to spam file upload. An easy solution could be having to pay a small fee for each upload.

Impact:

This vulnerability (I guess?) poses a risk to server resources due to potential abuse by malicious actors.

Good catch, but a feature, not a bug. We do this intentionally for UX reasons. See the discussion in the image upload PR for more details.
tl;dr: We decided to simply delete unused anon uploads within 1 hour and unused uploads from stackers within 24 hours.
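The reply above describes the mitigation as a cleanup policy rather than a fee: an upload that is never attached to a comment or post is deleted after 1 hour for anonymous uploaders and after 24 hours for logged-in stackers. The following is an added example, not Stacker News' own code and not from either participant, showing how such a sweep can be written; the upload record shape (`id`, `userId`, `createdAt`), the in-memory sample data and the `referencedIds` set are assumptions made for this illustration.

```javascript
// Added example (not Stacker News project code). Selects unused uploads
// for deletion using the two windows from the reply: 1 hour for anonymous
// uploads, 24 hours for uploads by stackers. Field names and the
// in-memory store are assumptions for illustration only.

const HOUR_MS = 60 * 60 * 1000;
const ANON_TTL_MS = 1 * HOUR_MS;      // unused anon uploads live 1 hour
const STACKER_TTL_MS = 24 * HOUR_MS;  // unused stacker uploads live 24 hours

// Time-to-live for an unused upload depends only on who uploaded it.
// A null userId stands for an anonymous uploader (assumed convention).
function ttlForUpload(upload) {
  return upload.userId === null ? ANON_TTL_MS : STACKER_TTL_MS;
}

// An upload counts as "used" once some comment or post references it.
function isReferenced(upload, referencedIds) {
  return referencedIds.has(upload.id);
}

// Returns the ids of uploads that should be deleted at time `now`:
// not referenced by any item AND older than the uploader's TTL.
function selectExpiredUploads(uploads, referencedIds, now) {
  return uploads
    .filter(u => !isReferenced(u, referencedIds))
    .filter(u => now - u.createdAt >= ttlForUpload(u))
    .map(u => u.id);
}

// Constructed sample data: a fixed "current time" and five uploads of
// varying age and ownership, so the sweep is deterministic.
const NOW = Date.parse('2024-01-01T12:00:00Z');
const SAMPLE_UPLOADS = [
  { id: 1, userId: null, createdAt: NOW - 2 * HOUR_MS },     // anon, 2h old, unused  -> delete
  { id: 2, userId: null, createdAt: NOW - 30 * 60 * 1000 },  // anon, 30 min old      -> keep for now
  { id: 3, userId: 42,   createdAt: NOW - 2 * HOUR_MS },     // stacker, 2h old       -> keep (24h window)
  { id: 4, userId: 42,   createdAt: NOW - 25 * HOUR_MS },    // stacker, 25h, unused  -> delete
  { id: 5, userId: null, createdAt: NOW - 48 * HOUR_MS },    // anon, old but in use  -> keep
];
const SAMPLE_REFERENCED = new Set([5]); // upload 5 is attached to an item

// One sweep over the sample store; a real job would run this on a timer
// and delete the returned ids from object storage and the database.
function sweep() {
  return selectExpiredUploads(SAMPLE_UPLOADS, SAMPLE_REFERENCED, NOW);
}

console.log('uploads to delete:', sweep());
```

Because the referenced check runs before the age check, an old upload that a comment still uses is never removed, and the cost of a spam burst is bounded by what one uploader can push within a single TTL window rather than by total disk.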