# contributing-to-airbyte
n
Hi Team, After starting airbyte on EC2 instance, we did some security testing. Largely looked good. However, we are curious about the curl request involving the URL app.papercups.io when we open the airbyte instance. Details below. Can any please help me understand this curl request?
curl -i -s -k -X $'POST' \
    -H $'Host: app.papercups.io' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/json' -H $'Content-Length: 456' -H $'Origin: https://airbytelocalinstance.com' -H $'DNT: 1' -H $'Connection: close' -H $'Referer: https://airbytelocalinstance.com/' \
    --data-binary $'{\"browser_session\":{\"account_id\":\"74560291-451e-7teb-a802-56706ece528b\",\"customer_id\":\"844059db-be56-490a-8c4a-f323b3e\",\"started_at\":\"2021-07-12T05:08:58.117Z\",\"metadata\":{\"os\":\"Linux\",\"browser\":\"Firefox\",\"time_zone\":\"Asia\",\"current_url\":\"https://airbytelocalinstance.com/\",\"host\":\"airbytelocalinstance.com\",\"pathname\":\"/\",\"browser_version\":89,\"screen_height\":900,\"screen_width\":1600,\"lib\":\"web\",\"insert_id\":\"2ssjm0kucch0swby\",\"time\":1626066538.117}}}' \
    $'https://app.papercups.io/api/browser_sessions'
u
Hi, Papercups is an app we use to handle customer support. What's your concern?
u
Concern: the security team needs to understand all the outbound calls that are being made from the airbyte instance before we start adding connection details for our sources or destinations.
u
Got it. Yeap I'm 95% sure this doesn't transmit any connection information. Can you confirm @Jared Rhizor (Airbyte)?
v
What do you mean by connection details? We track metadata like the id of the connection (for uniquing purposes), the name of the source/destination, the amount of data used, etc separately via Segment. Papercups doesn’t collect fields that are marked as passwords (and all sensitive fields for connectors are labeled as such).
u
If it’s unacceptable to track non-password fields for your use case, it’s possible to disable papercups via the .env file.
u
thanks for the confirmation @Jared Rhizor (Airbyte) and @Davin Chia (Airbyte)
h
Hi @Jared Rhizor (Airbyte), we were not able to find anything about papercups in the .env file. When we did a grep, we got a lot of results. Could you please help in getting the exact location to disable papercups?
u
u
Hi Davin, we tried disabling this from the env file located here (/home/airbyte/.env)...but still we can see the papercups URL being called
b
Did you bring Airbyte down and up again after changing the value?
u
If so, are you seeing POST requests or just the loading of the papercups script?
u
@Jared Rhizor (Airbyte) we are seeing this request
d
Can you make an issue on Github for this? We’ll try to reproduce and fix.
u
We found a way to fix this; use these steps:
TRACKING_STRATEGY=logging
PAPERCUPS_STORYTIME=disabled
However, our security team has highlighted a few more API calls, mentioned below, and they would like to understand them in more detail. Could you please help?
fetch("https://edge.fullstory.com/s/fs.js", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-GB,en;q=0.9",
    "sec-ch-ua": "\"Chromium\";v=\"92\", \" Not A;Brand\";v=\"99\", \"Google Chrome\";v=\"92\"",
    "sec-ch-ua-mobile": "?0",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "cross-site"
  },
  "referrer": "",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
});
curl 'https://rs.fullstory.com/rec/page' \
  -H 'authority: rs.fullstory.com' \
  -H 'sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36' \
  -H 'content-type: text/plain' \
  -H 'accept: */*' \
  -H 'origin: \
  -H 'sec-fetch-site: cross-site' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: empty' \
  -H 'referer: ' \
  -H 'accept-language: en-GB,en;q=0.9' \
  --data-raw $'{"OrgId":"13AXQ4","UserId":"","Url":","Base":"","Width":1533,"Height":339,"ScreenWidth":1600,"ScreenHeight":900,"Referrer":"","Preroll":2528,"Doctype":"<\u0021DOCTYPE html>","CompiledVersion":"04c8a6d263","CompiledTimestamp":1629915348,"AppId":"720a3e14-be02-4866-a0dd-3b1ea56e54a0"}' \
  --compressed
u
do you have a FULLSTORY set?
s
if not, can you set FULLSTORY=disabled in your .env?
u
We have disabled it but still the URL is being called
m
Sorry for the slow iteration on this. Been swamped. I tried replicating this. I see that we are downloading fs.js but I’m not seeing any metrics being sent out no matter what actions I’m taking in the UI. At what point was the https://rs.fullstory.com/rec/page request made? I think there are two things that we can do based on the feedback you’ve provided. 1. provide a global opt-out env variable option 2. stop downloading scripts that we’re disabling via opt-out How does that sound going forward?