• Resolved alpipego

    (@alpipego)


    Hi,
    I tested your plugin today and I noticed that it’s writing several things to disk that don’t need to be stored in persistent storage in the file system. Moreover, the plugin creates multiple (nested) directories within wp-content, yet it doesn’t necessarily have “write” permissions to it.

    1. Why is there a nginx.conf written to disk?
    2. The purge_cache_queue directory and cache_queue.json should either be stored as transient data or added as wp-cron tasks, IMO. When the plugin can’t write to this path, purging the cache fails silently after saving a post—it somewhat shows up in the logs, but it’s not verbose either.

    None of the created files are protected from being read from the outside—neither through obfuscation nor through access rules. The debug.log at least is. While none of this necessarily reveals sensitive data, it’s data about the site that doesn’t need to be publicly available.

    I suggest either making all the paths filterable, so I can move them outside the web-root of the site or, better yet, save the data through the APIs provided by WordPress. None of this needs to live on the disk, as far as I’m aware.

    If you accept OSS-contributions through GitHub for example, I’d be happy to further discuss this and provide a solution.

    Thanks for the good work on the plugin.
    🤘 Alex

Viewing 1 replies (of 1 total)
  • Plugin Contributor iSaumya

    (@isaumya)

    Hi,
I understand the reasoning behind your post, Alex. But the problem is, considering the fast data execution needed for this plugin, DB-based storage will be a huge choke point causing race conditions, locks, etc. File-based storage is the fastest in terms of speed for concurrent high-speed operations. Not all sites have Redis to store huge amounts of data in memory.

You can definitely add a server-level rule to restrict access to these files for the public. You can even add Cloudflare WAF rules to block all access to these files from the outside world so that only the server can access them.
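The server-level rule mentioned above, as an added example for readers of this thread (it is not from the plugin and not posted by either participant). It assumes nginx serving the site from the WordPress root, and `PLUGIN_DATA_DIR_PLACEHOLDER` stands in for whatever directory the plugin actually creates under `wp-content`; the two file names in the second block are the ones named earlier in the thread.

```nginx
# Added example (not from the thread or the plugin): deny direct HTTP access to a
# plugin's on-disk data under wp-content. PLUGIN_DATA_DIR_PLACEHOLDER is an
# assumed name; substitute the directory the plugin really writes to.
server {
    # ... existing server settings (root, index, fastcgi handling) ...

    # Regex locations are evaluated in order of appearance, so this block must
    # sit before any "location ~ \.php$" block; otherwise a .php file dropped
    # into the data directory would still be handed to PHP-FPM.
    location ~* ^/wp-content/PLUGIN_DATA_DIR_PLACEHOLDER/ {
        # 404 rather than 403 so the response does not confirm the directory exists.
        return 404;
    }

    # Also refuse the queue file and the generated nginx.conf by name, in case
    # the plugin writes them somewhere else under the web root.
    location ~* /(cache_queue\.json|nginx\.conf)$ {
        return 404;
    }
}
```

`return` runs in nginx's rewrite phase, before `allow`/`deny` are evaluated, so it takes effect regardless of other access directives; `deny all;` would work too but answers 403 and therefore leaks that the path exists. Validate with `nginx -t`, reload, and confirm with `curl -I` that a request for `/wp-content/PLUGIN_DATA_DIR_PLACEHOLDER/cache_queue.json` now gets 404. A Cloudflare WAF rule matching the same path only filters traffic that passes through Cloudflare; requests sent straight to the origin IP bypass it, so the origin-side rule is the one that must exist, with the WAF rule as a second layer.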


The topic ‘Questioning Plugin’s Need to Store Data On Disk’ is closed to new replies.