How to protect your (replit) database from pesky exploiters

jpg · April 8, 2023, 7:44am

Although any database can eventually be penetrated, you can counter it.

For example, I have to use replit Database instead of db so that databases are synced properly. However, when you define your REPLIT_DB_URL (you can find yours by typing in the console: echo $REPLIT_DB_URL) some people forget to not show people their database key.

Old method: Hide the variable inside of .env

New method: Secrets tab.

“Secrets” allow you to define variables that are not present in your program.

db = Database("https://kv.replit.com/v0/eyJhbGciOiJIUzUxMiIsImlzcyI6ImNvbm1hbiIsImtpZCI6InByb2Q6MSIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjb25tYW4iLCJleHAiOjE2ODEwNTAzMDcsImlhdCI6MTY4MDkzODcwNywiZGF0YWJhc2VfaWQiOiJmYWQ3ODhhZi1lNDEzLTQ1NzEtOTdlZS1jOTZkOTZjYjdhZmIiLCJ1c2VyIjoiLWpwZyIsInNsdWciOiJkYi1leGFtcGxlIn0._RJdFyTS9qA7By3aCYKRbSiMriO9N5htPl3GBwc8kXnbNkmbYJxVe3UeKf93p4KKjlOTzFguVMomrBQJ8NzUEQ")

to:

db = Database(db_key) # db_key defined in secrets

or:

from os import environ
db = Database(environ["REPL_DB_URL"])

However, you are not safe quite yet.

If you are building yourself an “OS” in replit and you plan to give them console access, either:

dont use replit database for storing important information
block access to that command

To do method two, follow this code example:

Python:

from os import system
while True: # or however you plan to do this
    user = input(">> ")
    if not user == "echo $REPLIT_DB_URL":
        system(user)
    else:
        print("Access denied.")

Method one is less straight-forward, you will have to configure an external database of some sort.
Of course; different methods of getting into your database exist but this prevents common types of attacks. Try it out yourself:
https://replit.com/@-jpg/db-example

Solution:
https://replit.com/@-jpg/db-exploit

QwertyQwerty88 · April 8, 2023, 7:47am

This… Doesn’t go in #general:showcase. I get you’re proud, but it is not showing off any Repl or Theme. So please let me move it to #general with the #resource tag. Thanks.

Other than that, nice guide!

jpg · April 8, 2023, 7:48am

oh my bad i originally intended this to be different

dragonhunter1 · April 8, 2023, 3:22pm

jpg:

from os import system
while True: # or however you plan to do this
    user = input(">> ")
    if not user == "echo $REPLIT_DB_URL":
        system(user)
    else:
        print("Access denied.")

Hmmm, what about CTRL+C and then

>>> from os import system; system("echo $REPLIT_DB_URL")

I am pretty sure you would get db_key is undefined.

And the examples don’t really work? This whole thing is kinda confusing ngl.

bigminiboss · April 8, 2023, 4:01pm

there’s really no way to protect it unless replit does more encrypting for us because environ doesn’t update (don’t have time to explain but it doesn’t)

dragonhunter1 · April 8, 2023, 4:02pm

That odd, you could always just change the [env] part of .replit automatically. (Although that is insecure)

CoderElijah · April 8, 2023, 4:04pm

@Firepup650 and I were playing around with this once and they made some sort of JS encryption thing for it. They could explain it better than I can.

bigminiboss · April 8, 2023, 4:04pm

yeah the reason I would use env is for security; previously I would have directed to repl_identity but that got ground pounded into insecurity heck

9pfs1 · April 8, 2023, 5:01pm

It’s easy to bypass restrictions and access the replit DB URL anyway. For example:

ls /proc
# Replace with a process ID you see that isn't 1
cat /proc/2/environ|tr "\0" "\n"|grep REPLIT_DB_URL

If that was restricted… Well, base64 (and base32) exist, and the user has network access, so they can download and execute scripts.

jpg · April 8, 2023, 7:15pm

Yes, I did not claim this could stop anyone. That was just so you could see an example of how to do such. You cut off my entire comment, db_key is defined.

jpg · April 8, 2023, 7:18pm

Yes, indeed this does not stop all types of attacks; but just people who are inexperienced cannot get into your DB easily. Including that and what @dragonhunter1 said, you can further add restricted commands; or outright just detect if the output from a command is/has your replit db key.

9pfs1 · April 8, 2023, 7:19pm

No matter what you do, if you give them a shell, they can get your replit db key. Even if they have to launch a subprocess that kills your webserver and starts code-server without authentication, if they can execute a command, they will get it eventually.

jpg · April 8, 2023, 7:21pm

Yes, as I said. Once again: Common attacks can be prevented.

This guide is just to stop pesky noobs trying to exploit your db. Of course; experienced people can get in.

9pfs1 · April 8, 2023, 7:22pm

The best way to prevent attacks is to never give them a shell in the first place, or to just have them fork your repl.

jpg · April 8, 2023, 7:23pm

^^^

this guide is just for a specific case where this should be needed.

9pfs1 · April 8, 2023, 7:24pm

If the repl doesn’t run a webserver, they can’t access your environment variables from the cover page.

jpg · April 8, 2023, 7:29pm

Lets move this to Messages

CoderElijah · April 8, 2023, 8:00pm

Then the only way they can edit your code is if you make some sort of web GUI to edit it with a login page. I choose carefully who I invite to Repls.

9pfs1 · April 8, 2023, 8:00pm

They are intentionally putting the replit db url in their code, apparently

jpg · April 8, 2023, 11:00pm

Hey 9pfs1, would you like to hare what you are talking about? Or, we could keep this to messages.