
hat.sh

Status badges: License: MIT, CodeQL, Node.js CI, Snyk


Hat.sh is a web app that provides secure local file encryption in the browser. It's fast, secure, and uses modern cryptographic algorithms with chunked AEAD stream encryption/decryption.

V2 of hat.sh introduced memory-efficient, in-browser chunked encryption of large files using streams with libsodium.

Usage

(Animated how-to-use demo not reproduced in this text rendering.)


Features

Security

  • XChaCha20-Poly1305 - for symmetric encryption.
  • Argon2id - for password-based key derivation.
  • X25519 - for key exchange.

The libsodium library is used for all cryptographic algorithms.

Privacy

  • The app runs locally in your browser.
  • No data is ever collected or sent to anyone.​

Functionality

  • Secure multiple file encryption/decryption with passwords or keys.
  • Secure random password generation.
  • Asymmetric key pair generation.
  • Authenticated key exchange.
  • Password strength estimation.

Offline Use

The app can easily be self-hosted; please follow the installation instructions.


Browser Compatibility

We officially support the last two versions of every major browser. Specifically, we test on the following:

  • Chrome on Windows, macOS, Linux, and Android
  • Firefox on Windows, macOS, and Linux
  • Safari on iOS and macOS
  • Edge on Windows

Safari and mobile browsers are limited to single files of up to 1GB, because they lack support for the service-worker fetch API.


Official running instances of the app

  • hat.sh
  • hat.now.sh
  • hat.vercel.app

Donations

The project is maintained in my free time. Donations of any size are appreciated:


Crypto

Coin Address
Monero 84zQq4Xt7sq8cmGryuvWsXFMDvBvHjWjnMQXZWQQRXjB1TgoZWS9zBdNcYL7CRbQBqcDdxr4RtcvCgApmQcU6SemVXd7RuG
Bitcoin bc1qlfnq8nu2k84h3jth7a27khaq0p2l2gvtyl2dv6
Ethereum 0xF6F204B044CC73Fa90d7A7e4C5EC2947b83b917e

Kofi

https://ko-fi.com/shdvapps

Open Collective

https://opencollective.com/hatsh




Acknowledgements


Credits

libsodium.js

next.js

material-ui


License

Copyright (c) 2022 sh-dv

hat.sh's People

Contributors

bbouille, darkao, dependabot[bot], franatrtur, frank7sun, hibara, matteotardito, ph1p, qaqland, qbitroot, samuel-lucas6, ser-bul, sh-dv, stophecom, tomz00, xurdejl


hat.sh's Issues

Two XSS vulnerabilities found in Electron/Web app

During a quick security audit I discovered 2 Cross-Site Scripting vulnerabilities in hat.sh.
First: in the filename; second: in the password. Payload: <img src=x onerror=alert(1)>.
To reproduce the first issue, create a file named <img src=x onerror=alert(1)> and try to encrypt it using hat.sh (no matter whether via the Electron or the Web app). You will see execution of arbitrary code.
The second issue is not so critical: if you encrypt any file with the password <img src=x onerror=alert(1)> and press the "Decryption Key" button, arbitrary JavaScript code will execute.
In theory, XSS in an Electron app can lead to RCE and compromising the user's machine. I will send a PR in a couple of minutes.
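The issue above reports that a filename and a password were inserted into the page as markup. As an added example, not code from hat.sh or from the PR the reporter mentions, the block below shows the defensive side: untrusted strings are escaped before they are placed in HTML, and a check confirms that the payload quoted in the issue can no longer introduce an element. The `renderFileRow` functions and the tag-check helper are constructed for this example.

```javascript
// Added example (not hat.sh's code): rendering an untrusted filename as inert text.
// The payload is the one quoted in the issue report.
const XSS_PAYLOAD = '<img src=x onerror=alert(1)>';

// Escape the HTML metacharacters so the string can only be displayed, never parsed as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// One row of a file list. Every untrusted field goes through escapeHtml; the fixed
// markup around it is the only part that is ever interpreted as tags.
function renderFileRow(filename, sizeBytes) {
  return `<li class="file"><span class="name">${escapeHtml(filename)}</span> (${Number(sizeBytes)} bytes)</li>`;
}

// The unsafe pattern the issue describes: interpolating the raw string straight into markup.
function renderFileRowUnsafe(filename, sizeBytes) {
  return `<li class="file"><span class="name">${filename}</span> (${Number(sizeBytes)} bytes)</li>`;
}

// True when the rendered markup contains no element other than the fixed ones we wrote.
function containsOnlyExpectedTags(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.every((t) => /^<\/?(li|span)$/.test(t));
}

console.log(renderFileRow(XSS_PAYLOAD, 10));
```

In the browser the same result is obtained without string building by assigning the filename to `element.textContent` rather than `innerHTML`; in a React/Next.js app such as this one, JSX escapes interpolated strings by default, so the hazard to look for is `dangerouslySetInnerHTML` or manual DOM insertion of user-controlled values.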

How to reduce worker processes

I currently self-host hat.sh via docker on my server and want it not to spawn a worker process for every thread of my host CPU (32) because that would be overkill.
How can I reduce the number of worker processes?

Add RTL Support

I recently came across your GitHub page and app and I must say I'm quite impressed with its features and capabilities. However, I noticed that the app does not currently support languages that use a right-to-left (RTL) writing system, such as Persian and Arabic.

As a Persian speaker, I would love to be able to use the app in my native language. I understand that adding RTL support can be challenging, but I'm willing to help in any way I can. I can purchase the necessary copyrighted font myself and add it to the website once the RTL support is implemented. Additionally, I would be happy to assist with translating the app to Persian.

I believe adding RTL support for languages like Persian and Arabic would not only benefit native speakers, but also increase the app's usability for a wider audience. I kindly request that you consider adding RTL support to your app in the near future.

Thank you for your time and consideration.

error - ESLint: Failed to load plugin '@next/next' declared in '.eslintrc » eslint-config-next': Unexpected token '.' Referenced from: /usr/local/bin/hat.sh/node_modules/eslint-config-next/index.js

Hi,

I do have 2 points, one is the error while installing locally:

error - ESLint: Failed to load plugin '@next/next' declared in '.eslintrc » eslint-config-next': Unexpected token '.' Referenced from: /usr/local/bin/hat.sh/node_modules/eslint-config-next/index.js


other point is a question, how do I upgrade hat.sh if a new version arrives?

Thanks in advance,
br,
Mike

Support for asymmetric public-private key encryption

Hey there!

I found this awesome project while looking for cross platform apps that support libsodium file encryption/decryption.
It's so great to see things like this coming to the browser so people do not have to worry about installing any tools and using the command line etc. Great job!

Because I could not find any reference to public-private key support: Do you plan on adding something like that?
Of course not asking you to do it for free but just generally asking for a statement whether you would be willing to have support for it in hat.sh :)
That would enable us to get rid of sending the secret altogether.
I imagine the process something like this:

  1. Allow to generate a new key pair and download the files. Maybe the public key can be shown in ASCII format to copy right away.
  2. I can then send the public key to the person I want to receive the file from
  3. That person can encrypt the file using the public key (so we need another option besides entering a symmetric password)
  4. The receiving person can select the private key file (so another option here too) while decrypting
  5. Done :-)

Or did you not add support for it for any specific reason?
Thanks and keep up the great work!

About page code snippets UI glitch

On the about page, whenever the hamburger menu on the top left is clicked, the side menu appears and a light greyish-bluish background is applied to all the code snippets on the page. It does not disappear when closing the menu:

Before: (screenshot)
After: (screenshot)

Clearly not a main concern but I thought I would report it anyway.

Add Password Reprompt when Encrypting

With more than 12 characters, I can't even trust my eyes not to make a typing mistake in the password. I have never gotten locked out of my files so far, but it's just a matter of time until I do, so there is a real need for a password reprompt when encrypting.

Corrupted file - Decrypt what's left?

I seem to have a corrupted file that I've encrypted. I was wondering if there is a way to decrypt the remaining parts of the file I have?
I still have the password.

Add DNSSEC record

My DNS logs and a whois search indicate that none of the instances of hat.sh support DNSSEC.

Since hat.sh uses Namecheap it should be fairly easy to implement, as they have a setting for it, and it can be pretty important on a website like this where confidential files are likely to be uploaded.

Serving app with Node.JS doesn't appear to be functioning

When trying to serve the app with Node.JS, as opposed to using Browserify, the app crashes and gives the following error log:

internal/modules/cjs/loader.js:583
    throw err;
    ^

Error: Cannot find module '/home/username/hat.sh/app.js'
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:581:15)
    at Function.Module._load (internal/modules/cjs/loader.js:507:25)
    at Function.Module.runMain (internal/modules/cjs/loader.js:742:12)
    at startup (internal/bootstrap/node.js:283:19)
    at bootstrapNodeJSCore (internal/bootstrap/node.js:743:3)

I tried this both before and after installing Browserify. The Browserify version works perfectly and as expected. Do you have any idea why this might be occurring?

I am on Linux, using PopOS (an Ubuntu/Debian based distro) version 19.04. I can confirm the Browserify process is flawless on Linux, so feel free to add that to your description! :)

Npm error, can not run - Ubuntu 20.04.3 LTS

Any hint on how to fix this? Thanks

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:        20.04
Codename:       focal

npm run start

> [email protected] start /root/hat.sh
> next start -p 3991

ready - started server on 0.0.0.0:3991, url: http://localhost:3991
(node:56993) UnhandledPromiseRejectionWarning: ReferenceError: TextEncoder is not defined
    at Object.<anonymous> (/root/hat.sh/node_modules/next/dist/compiled/react-server-dom-webpack/cjs/react-server-dom-webpack-writer.browser.production.min.server.js:9:95)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
    at Module.load (internal/modules/cjs/loader.js:653:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
    at Function.Module._load (internal/modules/cjs/loader.js:585:3)
    at Module.require (internal/modules/cjs/loader.js:692:17)
    at require (internal/modules/cjs/helpers.js:25:18)
    at Object.<anonymous> (/root/hat.sh/node_modules/next/dist/compiled/react-server-dom-webpack/writer.browser.server.js:4:20)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
(node:56993) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:56993) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
error - Failed to load next.config.js, see more info here https://nextjs.org/docs/messages/next-config-error
Error: Not supported
    at Object.loadConfig [as default] (/root/hat.sh/node_modules/next/dist/server/config.js:399:74)
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] start: `next start -p 3991`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] start script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
debug.log

cat debug.log

0 info it worked if it ends with ok
1 verbose cli [ '/usr/bin/node', '/usr/bin/npm', 'run', 'start' ]
2 info using [email protected]
3 info using [email protected]
4 verbose run-script [ 'prestart', 'start', 'poststart' ]
5 info lifecycle [email protected]~prestart: [email protected]
6 info lifecycle [email protected]~start: [email protected]
7 verbose lifecycle [email protected]~start: unsafe-perm in lifecycle true
8 verbose lifecycle [email protected]~start: PATH: /usr/share/npm/node_modules/npm-lifecycle/node-gyp-bin:/root/hat.sh/node_modules/.bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
9 verbose lifecycle [email protected]~start: CWD: /root/hat.sh
10 silly lifecycle [email protected]~start: Args: [ '-c', 'next start -p 3991' ]
11 silly lifecycle [email protected]~start: Returned: code: 1  signal: null
12 info lifecycle [email protected]~start: Failed to exec start script
13 verbose stack Error: [email protected] start: `next start -p 3991`
13 verbose stack Exit status 1
13 verbose stack     at EventEmitter.<anonymous> (/usr/share/npm/node_modules/npm-lifecycle/index.js:332:16)
13 verbose stack     at EventEmitter.emit (events.js:198:13)
13 verbose stack     at ChildProcess.<anonymous> (/usr/share/npm/node_modules/npm-lifecycle/lib/spawn.js:55:14)
13 verbose stack     at ChildProcess.emit (events.js:198:13)
13 verbose stack     at maybeClose (internal/child_process.js:982:16)
13 verbose stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:259:5)
14 verbose pkgid [email protected]
15 verbose cwd /root/hat.sh
16 verbose Linux 5.4.0-91-generic
17 verbose argv "/usr/bin/node" "/usr/bin/npm" "run" "start"
18 verbose node v10.19.0
19 verbose npm  v6.14.4
20 error code ELIFECYCLE
21 error errno 1
22 error [email protected] start: `next start -p 3991`
22 error Exit status 1
23 error Failed at the [email protected] start script.
23 error This is probably not a problem with npm. There is likely additional logging output above.
24 verbose exit [ 1, true ]

No longer works in Brave and some Chrome browsers?

I noticed that I can't use the app in the Brave browser. The "Browse file" button has no function, and when I use drag and drop for the file, at the end of the encryption the encrypted file does not download.

Proposition to support i18n with EN and FR

Hello,

I have a use case with international users; how do you see the activation of i18n in the application?

I would be happy to contribute a first version supporting EN and FR. What do you think?

Thank you.

Ben

Support for cloud storage.

Currently, the app only stores encrypted files locally on the user's computer. It would be useful to add support for cloud storage, such as Google Drive or Dropbox. This would allow users to access their encrypted files from anywhere.

Issues with self-hosted deployment.

Hello, my name is CurtisAsia.

  • Reason: When I was building a self-hosted version (website), I wanted to put hat.sh in a folder like this: https://example.com/hat.sh/

  • Try: Following the GitHub documentation and compiling with nvm, I see many 404 requests in the console, many of them for the _next directory and the ico/png resource files. Later I found some things on the Internet, and it appears that next.js has this type of issue (maybe I can't fix it.. sorry). Later, I tried the Docker self-hosted version, but I still had the same issue after using an Nginx proxy.

  • Result: How should I deploy it so that it can be accessed in the website's subdirectory? like https://example.com/hat.sh/

Hello, I know that this is a stupid question and off topic

I'm amazed how the gif works with such a long duration; I'm having a hard time figuring out how it works. I searched about image link addresses, but that's applicable for PC users, not on Android, and whenever I hold my video it just shows the "Download Video" option. Please help.
