Feat/website screenshotting #18
Conversation
|
What about security? For example, will this execute arbitrary javascript? That would allow some form of SSRF. Other than that it is a pretty cool feature, I can imagine it being useful |
Would disabling JavaScript on the headless browser fix this? |
|
Not entirely, GET requests are still possible. For example, by adding an image to the page |
|
With javascript disabled I personally can't think of any security risks, besides of course zeroday vulnerabilities in the various renderers and parsers involved. Running the headless browser in a restricted container would eliminate that concern for me. Can puppeteer work in a client-server setup where the actual browser runs in a restricted environment? It would be a lot more work if you needed to build a client-server model yourself |
|
The entire bot already runs within a docker container (using pterodactyl) |
|
Or you mean to run the browser in a different container, separate from the bot? |
This. The bot deals with sensitive information; it has an API token which grants access to staff channels |
This PR will create screenshots of websites linked in a message and run it through OCR. If people link their website because they want to showcase it being "broken", this can automatically scan them and perform checks.
Technically we could be running checks on the HTML itself (which would definitely be easier) but this allows for better look at the error. The keyword matching could false trigger way easier on a giant html document while this is for the actual visible text on the website.