• Resolved codydoby

    (@codydoby)


    Google Sheets datasources should be hardened. I found that the publicly shared Google Sheets ID can be seen directly from the TABLE id.

    I want to show only several columns of one Google Sheet on my web page. Thus the ID of the publicly shared Google Sheet should not be known by visitors.

    I modified the code to make the Google Sheets ID be hashed.

     
    /**
     * Gets the shortcode's ID for output as an HTML ID attribute.
     *
     * @param string $key
     *
     * @uses sanitize_title_with_dashes()
     * @uses wp_salt()
     *
     * @return string
     */
    private function getDocId ( $key ) {
    	$m = array();
    	preg_match( self::$gdoc_url_regex, $key, $m );
    	if ( ! empty( $m[1] ) ) {
    		$id = $m[1];
    	} else {
    		$id = sanitize_title_with_dashes( $key );
    	}
    	
    	$id = hash( 'sha256', wp_salt() . "$id" );
    	
    	if ( 'mysql' === self::getDocTypeByKey( $key ) ) {
    		$p = parse_url( $key ); // Omit the password from the hash.
    		$id = hash( 'sha256', wp_salt() . "{$p['scheme']}://{$p['user']}@{$p['host']}{$p['path']}" );
    	}
    	return $id;
    }
    
Viewing 1 replies (of 1 total)
  • Plugin Author Meitar

    (@meitar)

    This is not a security vulnerability, this is how the plugin works. Aside from which, your code is not a data protection mechanism, it is a data obfuscation mechanism, that is, it is “security through obscurity.”

    Moreover, as mentioned in the README, this plugin only works with Google Sheets that are publicly shared. Hashing the ID of the Google Sheet document in the way you have simply obscures the ID from visitors browsing your web site. It does nothing to stop a Web crawler, visitor, or search engine from accessing the data in your published Google Sheet.

    I want to show only several columns of one Google Sheet on my web page. Thus the ID of the publicly shared Google Sheet should not be known by visitors.

    This is also incorrect, by which I mean your methodology is unsafe. If you want to publish only a portion of a Google Sheet, you should keep your data in a private Google Sheet and then =QUERY() for the public sections only from a second, public Google Sheet. This mechanism actually protects your private data, instead of simply obscuring it.
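A worked instance of the two-sheet layout the reply recommends, added here as an example and not part of the original thread or the plugin's own documentation. It assumes a private spreadsheet whose ID is stood in for by the placeholder PRIVATE_SHEET_ID, with the sensitive data on a tab named "Source", and a second, publicly shared spreadsheet that contains only one formula. The column choice (Col1, Col2, Col4) is a constructed example.

```text
# Private spreadsheet (sharing: restricted, never "published to the web")
#   Tab "Source": A = Product, B = Price, C = Supplier cost, D = Stock
#   Nothing on this sheet is reachable by a visitor, even if the ID leaks.

# Public spreadsheet (sharing: anyone with the link, or published to the web)
#   Tab "Public", cell A1: pull only the columns that are meant to be public.
=QUERY(
  IMPORTRANGE("PRIVATE_SHEET_ID", "Source!A:D"),
  "SELECT Col1, Col2, Col4 WHERE Col4 > 0",
  1
)

# Embed the public spreadsheet (not the private one) with the plugin's shortcode.
```

The owner of the public sheet authorizes IMPORTRANGE against the private sheet once, after which the public sheet carries only the values the QUERY selects: the Supplier cost column never leaves the private document. The private sheet's ID does appear in the formula, and a viewer of the public sheet can read it, but since that sheet is not shared, knowing its ID grants no access. That is the distinction the reply draws: the data is withheld, not hidden behind a hash of an ID that still points at a public document.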


The topic ‘Security problem for Google Sheets’ is closed to new replies.