
Nitish Amnerkar

07/12/2021, 5:55 AM
Hi Team, after starting Airbyte on an EC2 instance, we did some security testing. Largely looked good. However, we are curious about the curl request involving the URL app.papercups.io when we open the Airbyte instance. Details below. Can anyone please help me understand this curl request?
curl -i -s -k -X $'POST' \
    -H $'Host: app.papercups.io' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/json' -H $'Content-Length: 456' -H $'Origin: https://airbytelocalinstance.com' -H $'DNT: 1' -H $'Connection: close' -H $'Referer: https://airbytelocalinstance.com/' \
    --data-binary $'{\"browser_session\":{\"account_id\":\"74560291-451e-7teb-a802-56706ece528b\",\"customer_id\":\"844059db-be56-490a-8c4a-f323b3e\",\"started_at\":\"2021-07-12T05:08:58.117Z\",\"metadata\":{\"os\":\"Linux\",\"browser\":\"Firefox\",\"time_zone\":\"Asia\",\"current_url\":\"https://airbytelocalinstance.com/\",\"host\":\"airbytelocalinstance.com\",\"pathname\":\"/\",\"browser_version\":89,\"screen_height\":900,\"screen_width\":1600,\"lib\":\"web\",\"insert_id\":\"2ssjm0kucch0swby\",\"time\":1626066538.117}}}' \
    $'https://app.papercups.io/api/browser_sessions'

user

07/12/2021, 6:03 AM
Hi, Papercups is an app we use to handle customer support. What's your concern?

user

07/12/2021, 6:21 AM
Concern: security team needs to understand all the outbound calls that are being made from the Airbyte instance before we start adding connection details for our sources or destination.

user

07/12/2021, 6:24 AM
Got it. Yep, I'm 95% sure this doesn't transmit any connection information. Can you confirm @Jared Rhizor (Airbyte)?

Vaibhav Kumar

07/12/2021, 4:44 PM
What do you mean by connection details? We track metadata like the id of the connection (for uniquing purposes), the name of the source/destination, the amount of data used, etc separately via Segment. Papercups doesn’t collect fields that are marked as passwords (and all sensitive fields for connectors are labeled as such).

user

07/12/2021, 4:46 PM
If it’s unacceptable to track non-password fields for your use case, it’s possible to disable papercups via the .env file.

user

07/14/2021, 3:39 PM
thanks for the confirmation @Jared Rhizor (Airbyte) and @Davin Chia (Airbyte)

Harshith (Airbyte)

07/17/2021, 9:03 AM
Hi @Jared Rhizor (Airbyte), we were not able to find anything about papercups in the .env file. When we did a grep, we got a lot of results. Could you please help in getting the exact location to disable papercups?

user

07/19/2021, 2:51 AM

user

09/22/2021, 5:52 PM
Hi Davin, we tried disabling this from the env file located here (/home/airbyte/.env)...but still we can see the papercups URL being called

Blake Enyart

09/22/2021, 6:10 PM
Did you bring Airbyte down and up again after changing the value?

user

09/22/2021, 6:11 PM
If so, are you seeing post requests or just the loading of the paper cups script?

user

09/23/2021, 5:43 PM
@Jared Rhizor (Airbyte) we are seeing this request

Dustin Salmons

09/23/2021, 5:44 PM
Can you make an issue on Github for this? We’ll try to reproduce and fix.

user

09/28/2021, 6:27 AM
We found a way to fix this; use these steps:
TRACKING_STRATEGY=logging
PAPERCUPS_STORYTIME=disabled
However, our security team has highlighted a few more API calls, mentioned below, and they would like to understand them in more detail. Could you please help?
fetch("https://edge.fullstory.com/s/fs.js", {
  "headers": {
    "accept": "*/*",
    "accept-language": "en-GB,en;q=0.9",
    "sec-ch-ua": "\"Chromium\";v=\"92\", \" Not A;Brand\";v=\"99\", \"Google Chrome\";v=\"92\"",
    "sec-ch-ua-mobile": "?0",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": "cross-site"
  },
  "referrer": "",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
});
curl 'https://rs.fullstory.com/rec/page' \
  -H 'authority: rs.fullstory.com' \
  -H 'sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36' \
  -H 'content-type: text/plain' \
  -H 'accept: */*' \
  -H 'origin: ' \
  -H 'sec-fetch-site: cross-site' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: empty' \
  -H 'referer: ' \
  -H 'accept-language: en-GB,en;q=0.9' \
  --data-raw $'{"OrgId":"13AXQ4","UserId":"","Url":"","Base":"","Width":1533,"Height":339,"ScreenWidth":1600,"ScreenHeight":900,"Referrer":"","Preroll":2528,"Doctype":"<\u0021DOCTYPE html>","CompiledVersion":"04c8a6d263","CompiledTimestamp":1629915348,"AppId":"720a3e14-be02-4866-a0dd-3b1ea56e54a0"}' \
  --compressed

user

09/28/2021, 4:03 PM
do you have a FULLSTORY set?

Sawyer Waugh

09/28/2021, 4:03 PM
if not, can you set FULLSTORY=disabled in your .env?

user

09/29/2021, 4:12 AM
We have disabled it but still the URL is being called

Marc García

09/30/2021, 8:34 PM
Sorry for the slow iteration on this. Been swamped. I tried replicating this. I see that we are downloading fs.js but I’m not seeing any metrics being sent out no matter what actions I’m taking in the UI. At what point was the https://rs.fullstory.com/rec/page request made? I think there are two things that we can do based on the feedback you’ve provided.
1. provide a global opt-out env variable option
2. stop downloading scripts that we’re disabling via opt-out
How does that sound going forward?