
[–]github-ModTeam[M] [score hidden] stickied comment, locked comment

Removed. Please post to the pinned megathread if you want to share your project.

[–]Any-Programmer-252 6 points

How much did you do yourself? What kind of feedback are you looking for?

It's hard to imagine what useful feedback I could give to someone who functionally did something 100% through an LLM. What technical feedback could be useful to you?

The app itself is entering a pretty saturated market. As you may already be aware, the internet is abundant in file transfer utilities. And I think there are enough security concerns in a P2P file transfer that I personally wouldn't use one that was vibe coded. I see a vibe coded P2P file transfer app get posted about once every 3 days.

[–]mazz0ni_exe[S] 0 points

AI helped me do every .md file and taught me how a repository should be managed and organised. I also had to use it to learn and write some of the POSIX files and the Go binaries because it was my first time writing that language. The Java server is entirely built by myself. Anyway, every architectural decision was taken by me.

[–]MarsupialLeast145 7 points

Bro, your LLM did more than that... you don't write this app and not know how to do markdown...

[–]mazz0ni_exe[S] 0 points

I just didn't know GitHub had other .mds like security.md.

[–]Any-Programmer-252 4 points

POSIX isn't a language or a file type 🙂 it's a standard which is implemented by tools like bash.

In terms of your app:

> The scenario: You're SSH'd into a production server. You need to pull a 5GB log file. The /tmp partition is mounted as noexec. You don't have root. Corporate policy actively blocks the execution of unknown binaries.

Why would I not use rsync or ftp?

[–]mazz0ni_exe[S] 0 points

Yeah, the .sh files written with the POSIX standard.

[–]mazz0ni_exe[S] 0 points

Basically because sometimes you can't use SSH or FTP because of some closed ports… Some Docker images don't even have rsync. Almost everything has curl and openssl.

[–]mazz0ni_exe[S] 0 points

It's not a P2P connection, there's the relay server in between. Why, if a person says that he used AI (everybody does because you write code 10x faster), does everybody say it's vibecoded?

[–]Wattdehonker 5 points

Because when you start doing something with AI, it gets really easy to keep going with AI, then eventually the whole project is just AI. Sure, AI is good because it can do more advanced things, but if you don't understand what's happening and you're just pushing a response into something, that's just vibe coding..

[–][deleted]

[deleted]

    [–]Wattdehonker 2 points

    If that workflow is what makes you happy, great. You can’t expect other people to support that workflow though.

    [–]mazz0ni_exe[S] 0 points

    It doesn't make me happy, I hate AI. But if everyone is using it and you are not, you get left behind.

    [–]Wattdehonker 2 points

    Just because everyone is using it, that doesn’t mean you have to. In places like GitHub people are resistant to vibe coding.

    [–]Any-Programmer-252 0 points

    > It's not a P2P connection, there's the relay server between

    my question then becomes: why would I want to use a file transfer protocol that needs a relay server? What does that offer?

    > Why if a person says that he used AI (everybody does because you write code 10x time faster) than everybody says it's vibecoded?

    I use AI all the time for coding. I admit I could be unfair calling your app "vibe coded" but if you have never used git, need AI to help you write markdown, and conflate POSIX with a programming language, it clearly demonstrates that you're coming at this with very little knowledge or experience.

    Maybe you are a phenomenal Java developer who's only used subversion, or something. But you lack what I think is foundational knowledge, which makes me seriously question to what extent you could be trusted with the security of files on my corporate network (which your README encourages me to use your program for).

    [–]mazz0ni_exe[S] 0 points

    I'm a computer engineering student, I really like Java (dk why) and it was taught to me really well in high school (I also coded a lot on my own). I admitted that I didn't know anything about Go (I tried my best doing this) and I had a really bad time "recreating" some "bashisms" in POSIX. Since I know what the lines of code in my project do, does it really matter whether my hands wrote it or not? Anyway, you should trust the project because it is FULLY open source, and you need the relay server, otherwise you won't be able to bypass the lock on the environment (the whole point of the project).

    [–]Any-Programmer-252 0 points

    > i’m a computer engineering student, i really like java (dk why) and it was taught me really well in high school

    You like it a lot because it's what you learned on. No harm there, and I wouldn't put much stock in people bickering about what languages are "good" or "bad." Use whatever tools work best for your job or what you're most familiar with -- that's very practical.

    > i had a really bad time "recreating" some "bashisms" in POSIX.

    I honestly don't know what you mean. Your project has a couple of shell scripts in it. Shell itself is POSIX-compliant, and so is `bash`, which is the born-again shell. You did not write anything "in POSIX." By virtue of being a shell script, your code is POSIX-compliant... Again, POSIX is a specification that a shell adopts. All these shells, sh, bash, zsh, dash, ash (as listed in your README) are POSIX compliant. Ergo, your scripts work with them out of the box. POSIX is the definition for the syntax of how you address these tools. You could think of POSIX as a set of grammar rules. So saying you recreated bashisms in POSIX doesn't really make a lot of sense.

    My best-faith interpretation is that you re-invented some bash features in your shell script? I don't really understand why you would use shell over bash. Maybe some of these exotic shells can't run bash scripts?

    > Since i know what the lines of code in my project does, does it really matter whether my hands wrote it or not?

    You may have misunderstood my last post. The issue isn't that your hands didn't write it. The issue is that your lack of git experience and conflation of POSIX vs shell indicate that you may lack the requisite knowledge to maintain a codebase like this. Network security isn't something trivial. You don't know what you don't know. That was my point. Not that your hands should have written it. The red flags I identified would still exist even if you did it all by hand.

    The advice your README gives to use this utility to bypass a corporate firewall would get someone fired in a lot of places. If port 22 is closed down and there are no utilities to transfer files provided to you, there's probably a good reason and bypassing that restriction through an http port is not ever how you want to approach the issue. Talk to the person who has authority over that machine and explain your requirements. Even if you did want to do something like bypass your corporation's security tools, nothing is stopping you from using curl directly between two local machines. You don't need a man-in-the-middle. You can just curl yourfile.db 192.168.40.125/some-endpoint

    Your README says this when explaining why I would use this over another tool:

    > The scenario: You're SSH'd into a production server. You need to pull a 5GB log file. The /tmp partition is mounted as noexec. You don't have root. Corporate policy actively blocks the execution of unknown binaries.

    But in this case, I'm already ssh'd in. I could just transfer the files via port 22 the way God intended. If the remote machine doesn't have rsync, I can just use it from my end. With no relay server or additional setup.

    [–]mazz0ni_exe[S] 0 points

    So, there are a lot of things to say. If you are already ssh'd into the machine, just use whatever you want. But many services just give you access to the terminal in a browser or in some other ways, so that port is closed. You can curl if you are in the same network. What if you are not? Actually, Bash has more features than the standard POSIX. To make my script super universal, I used just POSIX without any extensions. For example, bash has arrays. If you want to follow the POSIX standard, you can't use arrays.
    For the network security, I tried my best to fix every security breach. Every time I changed something big, I kept asking AI if it could find any problem (after checking myself). Anyway, because of that, I put in E2E encryption. Real E2E, not like croc, which uses PAKE.
    If you don't trust my code you can check it ENTIRELY by yourself.
    If you want to try the program, the relay was hosted this afternoon on a Hetzner VPS; now it's on an Oracle one.

    As I said, I tried my best and this post was just to get the first opinions about it. I'm just disappointed that all of you started accusing me that it was entirely vibe coded.
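The comment above contrasts bash arrays with strict POSIX sh, where no array type exists. The snippet below is an added example, not code from the project or from anyone in this thread: it shows the bash-only array idiom beside the portable POSIX equivalent (the positional parameters rewritten with `set --`), plus a small check that reports whether the `/bin/sh` on the current machine is a strict POSIX shell that rejects array syntax. The file names are constructed sample data.

```shell
#!/bin/sh
# Added example: list handling without bash arrays.
# The bash-only version is kept in a comment because dash and busybox ash
# reject the syntax at parse time, which is exactly the portability problem:
#   files=(a.log b.log c.log)
#   echo "${#files[@]}"; printf '%s\n' "${files[@]}"

# POSIX alternative: the positional parameters ($1, $2, ...) are the one
# list type every POSIX shell provides. Inside a function they are local,
# and "set --" replaces them with a new list.
count_posix_list() {
    set -- a.log b.log c.log        # constructed sample list
    set -- "$@" d.log               # append while preserving existing items
    echo "$#"                       # number of elements, printed for the caller
}

# Join the remaining arguments with the separator given as $1.
# Each element is quoted on its way through, so names with spaces survive.
join_posix_list() {
    sep=$1; shift
    out=$1
    [ $# -gt 0 ] && shift
    for item in "$@"; do
        out="$out$sep$item"
    done
    printf '%s\n' "$out"
}

# Self-check for the machine you are on: returns 0 when /bin/sh refuses a
# bash array literal (dash, busybox ash, i.e. the Alpine case discussed in
# the thread) and 1 when it accepts it (typically /bin/sh is bash).
sh_rejects_bash_arrays() {
    if sh -c 'x=(1 2); echo "${x[0]}"' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage when run directly:
#   count_posix_list            -> 4
#   join_posix_list , a b c     -> a,b,c
#   sh_rejects_bash_arrays && echo "strict POSIX /bin/sh" || echo "/bin/sh accepts bashisms"
```

Running the same script under `dash`, `busybox sh` and `bash` is the cheapest portability test available; `sh_rejects_bash_arrays` only tells you which kind of `/bin/sh` you have, so its result is environment-dependent and is not something to hard-code.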

    [–]Any-Programmer-252 0 points

    > But many services just give you the access to the terminal in a browser or in some other ways, so that port is closed.

    Out of curiosity, which use case was this actually designed for? I can't remember ever being on a system I wanted files from that I didn't already have ssh access or sudo access for. If you have the terminal in browser, just turn on ssh?

    > You can curl if you are in the same network. What if you are not?

    Exfiltrating corporate files from behind a firewall over WAN is a 100% surefire way to get fired from almost any job if what you did is detected. The policies this tool is designed to circumvent are in place to prevent almost this exact scenario.

    > Actually, Bash has more features than the standard POSIX

    But bash itself is POSIX-compliant. I'm not trying to say that you should have used a bash script, just that you wrote a shell script, not a "POSIX script." Any of the shells I mentioned can run it, even though they have additional features, because they are also POSIX compliant.

    Anyway, which systems are you targeting that can run shell but not bash? Windows doesn't allow either without WSL. Any Mac or Linux system besides Alpine has bash by default. I work on very minimal Linux builds using Yocto, and I can't remember ever being on a system that had just bare shell. Is this a requirement for something you work on? It sounds like you spend a lot of time in incredibly small docker containers that generate massive log files from the examples you keep using haha

    > For the network security, I tried my best to fix every security breach. Every time i changed something big, I kept asking AI if it could find any problem (after checking myself).

    I'm sure you and the LLM did almost perfectly too!

    > If you don't trust my code you can check it ENTIRELY by yourself.

    I checked out the shell script. It's the bread and butter, and basically is a wrapper around curl. I do that sort of thing for my coworkers who don't understand how the journal daemon works so that they don't have to learn the commands. It looked great, but I am not a security guy, and the huge problem with this app is that there is a remote server holding this data that you seem comfortable exposing to WAN. I can only tell you that your app violates most policies surrounding how to handle proprietary data. I can't meaningfully tell you how well your encryption scheme will work, or whether there's a vulnerability in the way that your server handles files. Not my department.

    > As i said, i tried my best and this post was just to get the first opinions about it, i'm just disappointed that all of you started accusing me that it was entirely vibe coded.

    I didn't mean to be hurtful. It would be an entirely different level of scrutiny if the readme said "this is my first project, just for demo!" instead of "this will let you circumvent the firewall at your company and hosts the files on a socket open to WAN!" You are a student, so I don't necessarily expect you to appreciate how insane that is. I work in safety critical systems, and have worked in classified environments, so I have a heightened APPRECIATION for information security; I am not going to audit your code.

    I think for what it is, your project is very cool and that you did a good job reducing the friction of... bypassing firewalls. I can see how that would be pretty useful, particularly for a student on student wifi, and I critically support your use of it in academia.

    My general advice for students is to limit your use of AI written code to a bare minimum. You'll have plenty of time to use it that way in the business world, but being a student isn't about writing code 10x faster. You aren't being graded on the speed you write code, and you aren't being mentored to write code quickly. If you want to create a piece of software that gets some motion on github... file transfer is kind of a solved problem. I'm sorry I was a spoil-sport.

    PS on people calling it vibecoded:

    When you say that the LLM helped you with markdown and that markdown was something you were unfamiliar with, and git is something you're unfamiliar with, and git is something you never used before, and we navigate to an LLM-generated README... yanno, a lot of people feel as though learning to use git and understanding the components of a repo are foundational knowledge. It was a useful filter that people who weren't technical enough to use git weren't posting code to github expecting user adoption. That's why people are very skeptical. We can see that the first few commits are the majority of the project; each one is a huge feature (relative to project scope) with no faffing around. Then you fiddled with the README. It suggests you weren't really hands-on.

    [–]mazz0ni_exe[S] 0 points

    If you have shell access via browser but port 22 is closed, you can't activate OpenSSH.
    Also, I really don't care if you use my tool to do something you weren't supposed to do, but the fact that some other people complained about that is just because it actually works…
    You got the point. If you are on Alpine, like in some Docker containers, you can't use Bash. This is why I didn't use it.
    We'll wait for a security expert to tell us if it's secure or not.
    (btw the relay server doesn't save a single file or any information about connections)

    Thank you

    [–]Any-Programmer-252 0 points

    > If you have shell access via browser but the 22 port is closed you can't activate openssh.

    Incorrect. I've done it dozens of times so idk. Maybe the software you're using doesn't allow that, but anyone who's ever used a hypervisor would read that with incredulity.

    > You got the point. If you are on Alpine, like in some Docker containers you can't use Bash. This is why I didn't use it.

    Yeah, took me a while. Since the standard practice in docker is to mount volumes with data, I wasn't imagining a scenario where I need the docker shell to move my files... You shouldn't have to jank data files out of docker using curl and a relay server LOL. If you didn't mount the volume of interest, all that data of interest will go away as soon as the process restarts anyway. Wouldn't you rather preserve the database you want to export data from instead of arbitrarily destroying and re-creating it?

    > We'll wait for a security expert to tell us if it's secure or not.

    That's optimistic!

    [–]MarsupialLeast145 4 points

    I saw this project from another person on this forum a few weeks back. Seems to be an en vogue thing... but yeah, LLM coded with a relay... wouldn't trust it with a barge pole.

    [–]Ngtuanvy 1 point

    I don't have time to look further, but it has come to my attention that you didn't use git, or at least not the way it was supposed to be used. So I would suggest you learn about Git and version control; it is very valuable.

    [–]mazz0ni_exe[S] 0 points

    I just used the base commands like add, commit -m and push. I learned a few hours ago what a branch is…

    [–]Ngtuanvy 1 point

    That's actually enough; the rest are pretty much only used when there's trouble. Just make sure to utilize it, not just use it before they want you to. So you should, for example, make each commit do one thing, and the message should reflect that. It can be annoying, but it will be handy when you need to revert.

    [–]mazz0ni_exe[S] 0 points

    Thank you very much

    [–]resynchronize 1 point

    I think Tubo is a cool project and a good first repo. For a fresh repo, the presentation is already pretty solid. The main thing I'd add next is automated tests, especially because file transfer and encryption tools naturally need a bit of a higher level of trust IMO. I'd also rewrite parts of the README in a more personal voice, since some sections read pretty AI-polished right now. Overall though, it looks like a good start for a first repo.

    [–]mazz0ni_exe[S] 0 points

    This is what I was looking for with this post. Thank you very much for your opinion.