What are the security properties of databases?

wh0

Specifically for these public repls, is the database sort of... wide open? More specifically:

  1. Can any visitor arbitrarily read the entire database?
  2. Can any visitor arbitrarily modify the entire database?

Or put another way, would I be able to write some code in a repl that limits what visitors can see and do?

Tangentially related: in the announcement of this database feature (https://blog.repl.it/database), there's an example where visitors can click a button for an emoji to increment a count. But the count for the heart is a number like 1000154. Would one infer from this that a visitor was able to increase its count by a million instead of one at a time as the code would normally allow?

Also tangentially related: I notice that any viewer can edit the code in my repl, dunno if that'll have any bearing on the question.

2 years ago

Coder100

Not at all. Quite the opposite. Only viewers who can edit your repl can even make changes to the database (the .env file is hidden for non-owners). This means terminal applications (.repl.run) will not work.

The fix would be to use an HTTP server for the user to use, and process everything normally otherwise. This works because the user doesn't run the repl, and thus the .env file does not get hidden.

2 years ago
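
The HTTP-server approach suggested in the answer, sketched as an added example (not code from the thread or from Replit): visitors only reach a fixed set of routes, and the server decides what a request may do to the store, using the emoji counter from the question as the case. The route names, key allowlist, port and the `Map` standing in for the database client are all assumptions.

```javascript
// Added example. `db` is a stand-in with synchronous get/set (a Map here);
// a real database client is assumed to be held only by this server process.
const ALLOWED = new Set(["heart", "thumbsup", "tada"]); // constructed key allowlist

// Policy lives in one pure function so it can be tested without a socket.
function handle(method, url, body, db) {
  const path = new URL(url, "http://localhost").pathname;
  if (method === "GET" && path === "/counts") {
    const counts = {};
    for (const key of ALLOWED) counts[key] = db.get(key) || 0;
    return { status: 200, body: counts };
  }
  const vote = /^\/vote\/([a-z]+)$/.exec(path);
  if (method === "POST" && vote) {
    const key = vote[1];
    if (!ALLOWED.has(key)) return { status: 404, body: { error: "unknown key" } };
    // The request body is deliberately ignored: the step is always exactly 1,
    // so a visitor cannot ask for +1000000 or write an arbitrary value.
    const next = (db.get(key) || 0) + 1;
    db.set(key, next);
    return { status: 200, body: { [key]: next } };
  }
  // No generic read, write or delete route exists for visitors.
  return { status: 405, body: { error: "not allowed" } };
}

// HTTP wiring (port and route names are assumptions). Not started automatically.
async function serve(db, port = 3000) {
  const http = await import("node:http");
  return http.createServer((req, res) => {
    let body = "";
    req.on("data", (chunk) => {
      body += chunk;
      if (body.length > 1024) req.destroy(); // cap request size
    });
    req.on("end", () => {
      const out = handle(req.method, req.url, body, db);
      res.writeHead(out.status, { "Content-Type": "application/json" });
      res.end(JSON.stringify(out.body));
    });
  }).listen(port);
}
```

Repeated requests still add up one at a time; per-visitor rate limiting is outside what this sketch covers.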