Help me open source ClubsAll - need a senior security engineer to review code
from vinay_clubsall@lemmy.world to fediverse@lemmy.world on 14 Oct 2024 04:07
https://lemmy.world/post/20828200

Hello everyone, we built ClubsAll, a frontend for federated content. Since the goal is to help build a reddit competitor, open sourcing is the logical next step.

However, without a review, I am afraid the website could get hacked quickly.

Does someone with experience in scanning code for security issues or white hat hacking want to help increase confidence so I can open source it?

#fediverse


SorteKanin@feddit.dk on 14 Oct 2024 07:49

Obscurity is not security, so you could argue that you should just open source it anyway. Any security holes present are also there right now - the fact that the source code is not available is irrelevant.

But if you insist, it may help if you say what programming language is used.

Blaze@feddit.org on 14 Oct 2024 08:01

OP mentioned typescript, next, React in another comment, but no backend language

SorteKanin@feddit.dk on 14 Oct 2024 08:38

Yea - when it comes to a security review, it’s really the backend that matters the most though.

vinay_clubsall@lemmy.world on 14 Oct 2024 13:50

Typescript, Next, Cloudflare

Blaze@feddit.org on 14 Oct 2024 13:52

I already mentioned those in another comment (lemmy.world/comment/12877250) with React as well, but those are all frontend languages.

Which languages were used for the backend?

flamingos@feddit.uk on 14 Oct 2024 21:23

You can write backends in TypeScript, it’s what the *keys use.

Blaze@feddit.org on 14 Oct 2024 21:56

Thanks, I didn’t know

SorteKanin@feddit.dk on 14 Oct 2024 14:11

TypeScript for the backend too? Sorry, can’t help with that. But I’d say just open source it anyway.

catloaf@lemm.ee on 14 Oct 2024 13:55

Agreed. Open source it and let everyone review it.

But even if you don’t have experience, it’s easy to gain. Start with OWASP, find some static code analysis tools, and run fuzzers. It’s a good start.

solrize@lemmy.world on 14 Oct 2024 09:35

Why another reddit competitor? There is already Lemmy.

Blaze@feddit.org on 14 Oct 2024 09:36

You can have a look at this post for the context: lemmy.world/post/20694710

SorteKanin@feddit.dk on 14 Oct 2024 09:40

Well there are in fact other options than Lemmy already, like Mbin and Piefed. This is good - more options means users have more choices and they all still interoperate so everyone can choose what they want without being separated.

vinay_clubsall@lemmy.world on 14 Oct 2024 13:49

I think lemmy left a lot to be desired.

liaizon@social.wake.st on 15 Oct 2024 00:37

#ClubsAll (a threadiverse/lemmy/mbin/piefed web frontend project) wants to open source it and is looking for someone to do a code review/security analysis first... Are you into security and the fediverse *and* stuff being open source? Then respond here!

found via this post [https://lemmy.world/post/20828200] on Lemmy by ClubsAll dev @vinay_clubsall

:fediverse: #fediverse #infosec #fedidev #floss
https://clubsall.com

nickwitha_k@lemmy.sdf.org on 15 Oct 2024 07:45

As someone who works in software engineering and has experience in multiple languages, infosec, as well as working through compliance with multiple certification standards, I’d be happy to help, provided one of two conditions is met:

  1. You pay me my salary rate, with a minimum of 10 hours, half in advance and report available after receipt of full payment (grew up with tradespeople and a lot about working with clients comes from what I learned from them).

Or,

  2. The code base is fully, and permanently open-sourced, prior to code review. This means licensing under GPL, LGPL, MIT, or BSD licenses, or equivalent, not “source available”.

vinay_clubsall@lemmy.world on 16 Oct 2024 17:23

Update on this request: A developer approached me and is helping me not only review but also fix security issues. We found quite concerning security issues, so I think the decision to have another person look at this was the right one.

We discussed and found that we need to do the following work:

  1. Redo the backend/API so it is more robust; while doing that, it will also become Lemmy API compatible
  2. Fix the client so it adapts to any API changes
  3. Move from Cloudflare Workers to Docker, so it can be self-hosted
  4. Move from D1 to Postgres (D1 has a 10GB limit, the ClubsAll DB is already 5GB), so it is scalable
  5. Move production to a VM or k8s cluster so we can host our own DB, backend and frontend instead of CF Workers

We have some work to do but will have a good product at the end of it. We will update further once we get this work done. Thanks to everyone for your thoughts and offers to help.

Blaze@feddit.org on 16 Oct 2024 17:38

Good luck!