Hi Team, After starting airbyte on EC2 instance, we did some security testing. Largely looked good. However, we are curious about the curl request involving the URL app.papercups.io when we open the airbyte instance. Details below. Can any please help me understand this curl request?

curl -i -s -k -X $'POST' \
    -H $'Host: <http://app.papercups.io|app.papercups.io>' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/json' -H $'Content-Length: 456' -H $'Origin: <https://airbytelocalinstance.com>' -H $'DNT: 1' -H $'Connection: close' -H $'Referer: <https://airbytelocalinstance.com/>' \
    --data-binary $'{\"browser_session\":{\"account_id\":\"74560291-451e-7teb-a802-56706ece528b\",\"customer_id\":\"844059db-be56-490a-8c4a-f323b3e\",\"started_at\":\"2021-07-12T05:08:58.117Z\",\"metadata\":{\"os\":\"Linux\",\"browser\":\"Firefox\",\"time_zone\":\"Asia\",\"current_url\":\"<https://airbytelocalinstance.com/>\",\"host\":\"<http://airbytelocalinstance.com|airbytelocalinstance.com>\",\"pathname\":\"/\",\"browser_version\":89,\"screen_height\":900,\"screen_width\":1600,\"lib\":\"web\",\"insert_id\":\"2ssjm0kucch0swby\",\"time\":1626066538.117}}}' \
    $'<https://app.papercups.io/api/browser_sessions>'

Hi, Papercups is an app we use to handle customer support. What's your concern?

Concern: security team needs to understand all the outbound calls that are being made from airbyte instance.. Before we start adding connection details for our sources or destination

Got it. Yeap I'm 95% sure this doesn't transmit any connection information. Can you confirm @Jared Rhizor (Airbyte)?

What do you mean by connection details? We track metadata like the id of the connection (for uniquing purposes), the name of the source/destination, the amount of data used, etc separately via Segment. Papercups doesn’t collect fields that are marked as passwords (and all sensitive fields for connectors are labeled as such).

If it’s unacceptable to track non-password fields for your use case, it’s possible to disable papercups via the .env fle

thanks for the confirmation @Jared Rhizor (Airbyte) and @Davin Chia (Airbyte)

Hi @Jared Rhizor (Airbyte), we were not able to find anything about paper cups in the .env file When we did a grep, we got a lot of results.. Could you please help in getting the exact location to disable papercups

I believe all you have to do is this: https://docs.airbyte.io/faq/getting-started#can-i-disable-analytics-in-airbyte

Hi Davin, we tried disabling this from the env file located here (/home/airbyte/.env)...but still we can see the papercups URL being called

Did you bring Airbyte down and up again after changing the value?

If so, are you seeing post requests or just the loading of the paper cups script?

@Jared Rhizor (Airbyte) we are seeing this request

Can you make an issue on Github for this? We’ll try to reproduce and fix.

we found a way to fix this use these steps

TRACKING_STRATEGY=logging
PAPERCUPS_STORYTIME=disabled

However, our security team has highlighted few more API calls mentioned below and they would like to understand them in more detail. Could you please help

fetch("<https://edge.fullstory.com/s/fs.js>", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-GB,en;q=0.9",
    "sec-ch-ua": "\"Chromium\";v=\"92\", \" Not A;Brand\";v=\"99\", \"Google Chrome\";v=\"92\"",
    "sec-ch-ua-mobile": "?0",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "cross-site"
  },
  "referrer": "",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
});

curl '<https://rs.fullstory.com/rec/page>' \
  -H 'authority: <http://rs.fullstory.com|rs.fullstory.com>' \
  -H 'sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36' \
  -H 'content-type: text/plain' \
  -H 'accept: */*' \
  -H 'origin: \
  -H 'sec-fetch-site: cross-site' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: empty' \
  -H 'referer: ' \
  -H 'accept-language: en-GB,en;q=0.9' \
  --data-raw $'{"OrgId":"13AXQ4","UserId":"","Url":","Base":"","Width":1533,"Height":339,"ScreenWidth":1600,"ScreenHeight":900,"Referrer":"","Preroll":2528,"Doctype":"<\u0021DOCTYPE html>","CompiledVersion":"04c8a6d263","CompiledTimestamp":1629915348,"AppId":"720a3e14-be02-4866-a0dd-3b1ea56e54a0"}' \
  --compressed

do you have a

FULLSTORY

set?

if not, can you set

FULLSTORY=disabled

in your .env?

We have disabled it but still the URL is being called

Sorry for the slow iteration on this. Been swamped. I tried replicating this. I see that we are downloading fs.js but I’m not seeing any metrics being sent out no matter what actions I’m taking in the UI. At what point was the https://rs.fullstory.com/rec/page request made? I think there are two things that we can do based on the feedback you’ve provided. 1. provide a global opt-out env variable option 2. stop downloading scripts that we’re disabling via opt-out How does that sound going forward?

I created https://github.com/airbytehq/airbyte/issues/6586 and https://github.com/airbytehq/airbyte/issues/6587 to follow up.