Resource Upload Policy Needs Stricter Validation · Issue #29 · upstash/context7 · GitHub
eladcandroid opened this issue Apr 20, 2025 · 4 comments

@eladcandroid

The current system allows unrestricted uploading of any resource type, which poses security risks and results in duplicate entries. This permissive policy could be exploited for malicious purposes.

We should implement stricter validation rules to ensure only appropriate resources can be uploaded while preventing duplication.

@enesakar
Contributor

you are absolutely right but it is hard to define what is appropriate without human intervention. as a start, we plan to introduce an approved flag.
if a docs is approved, then it will be listed in mcp, apis and web.
if it is not approved it will be only available in web.

a docs will be approved if it has more than 30 github stars.

wdyt?

@lirantal

> a docs will be approved if it has more than 30 github stars.

Stars aren't a good proxy for legitimate reputation metric because they can be easily farmed. I suggest figuring out a different strategy for it.

@enesakar
Contributor

> > a docs will be approved if it has more than 30 github stars.
>
> Stars aren't a good proxy for legitimate reputation metric because they can be easily farmed. I suggest figuring out a different strategy for it.

agreed, open to suggestions?

@lirantal

If it was straight-forward we wouldn't have npm or PyPI malware attacks every Sunday ;-)

Hard to say without a deep-dive and I haven't spent more than a few minutes looking at this and context7 but perhaps an easy pull is running heuristics on the underlying artifacts. For example:

  • stars would be just one factor out of 10
  • others would be the user account and how much reputation you can calc for it
  • repo activity

Other security controls can be:

  • pin repos to specific versions/hash
  • don't allow typosquatting
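
The controls listed in this thread, combined into one submission gate, as an added example that is not code from context7 or from any commenter. The `Submission` fields, the `APPROVED` sample set, the edit-distance limit of 2 and the account-age and activity thresholds are assumptions; only the 30-star figure comes from the thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of already-approved entries (assumption, not real context7 data).
APPROVED = {"vercel/next.js", "facebook/react", "upstash/context7"}
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

@dataclass
class Submission:
    repo: str                    # "owner/name" as submitted
    pinned_ref: str              # ref the docs would be parsed from
    stars: int
    owner_account_age_days: int
    commits_last_90d: int

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single-row dynamic programming table."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def lookalike_of(repo: str) -> str | None:
    """Return the approved repo this name sits within 2 edits of, if any."""
    name = repo.lower()
    for known in sorted(APPROVED):
        if name != known and edit_distance(name, known) <= 2:
            return known
    return None

def review(s: Submission) -> tuple[bool, list[str]]:
    """Hard checks (duplicate, typosquat, pin) plus 2-of-3 reputation signals."""
    reasons = []
    if s.repo.lower() in APPROVED:
        reasons.append("duplicate of an approved entry")
    if (hit := lookalike_of(s.repo)):
        reasons.append(f"name within 2 edits of approved repo {hit}")
    if not FULL_SHA.match(s.pinned_ref):
        reasons.append("ref is not a full commit SHA (branches and tags can move)")
    # Stars are one signal among several; the 180-day and 5-commit limits are assumed.
    signals = [s.stars > 30, s.owner_account_age_days >= 180, s.commits_last_90d >= 5]
    if sum(signals) < 2:
        reasons.append("fewer than 2 of 3 reputation signals met")
    return (not reasons, reasons)
```

A rejected submission would fall back to the web-only listing described earlier in the thread, with `reasons` shown to a human reviewer.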

@enesakar enesakar added enhancement New feature or request and removed enhancement New feature or request labels Apr 21, 2025
@enesgules enesgules added website Related to context7.com docs parsing and removed website Related to context7.com labels Apr 22, 2025