Security patch recommended for streamlit by my client

Hi Team,

I have developed an application and deployed it on Streamlit Cloud Community. The client has done a vulnerability test over the code and got the results below:

  1. Email Flooding

Description:
The process of sending large quantities of emails, often with large attachments, to disable a network or part of a network such as a mail server. This is an example of a denial of service attack.
Status:
Current Status: New
Risk Rating:
High
Impact:
This leads to reputational damage and can be used to perform a DoS attack.
Affected URL:
https://share.streamlit.io/api/v1/login/email
Affected Parameters:
Application
OWASP Ref No:
https://www.owasp.org/index.php/Testing_Multiple_Factors_Authentication_(OWASP-AT-009)
CWE/CVE Reference No:
CWE-770
Recommendation:
Limit sending only 5 emails per registered mail at a given time interval.

Kindly help me with how to address the same.

Regards
Sridhar
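One way to act on the finding's recommendation (at most 5 e-mails per registered address within a time interval), as an added example that is not part of the original post or of Streamlit's own code. The class name, the one-hour default window, the in-memory counters and the `deliver` callback are assumptions; a multi-worker deployment would keep the counters in a shared store instead.

```python
"""Per-recipient e-mail rate limiter (sliding window).

Added example, not from the Streamlit project or the original poster: it
shows one way to enforce "no more than 5 e-mails per registered address
per interval" against an e-mail flooding attempt (CWE-770, allocation of
resources without limits or throttling). Counters are kept in memory
here, which is an assumption; several workers would need a shared store.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class EmailRateLimiter:
    """Allow at most `limit` sends per normalised recipient per `window` seconds."""

    def __init__(self, limit: int = 5, window: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so tests can control time
        self._sent: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def normalise(address: str) -> str:
        # Case-fold and strip whitespace so "User@Example.com " and
        # "user@example.com" share one counter.
        return address.strip().lower()

    def allow(self, address: str) -> bool:
        """Return True and record the send if under the limit, else False."""
        key = self.normalise(address)
        now = self.clock()
        q = self._sent[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, address: str) -> float:
        """Seconds until the oldest in-window send expires (0 if not limited)."""
        q = self._sent[self.normalise(address)]
        if len(q) < self.limit:
            return 0.0
        return max(0.0, self.window - (self.clock() - q[0]))


def send_login_email(limiter: EmailRateLimiter, address: str,
                     deliver: Callable[[str], None]) -> bool:
    """Gate a login-link send behind the limiter; log refusals for detection."""
    if not limiter.allow(address):
        # Refusals are worth logging: a burst of them for one address is
        # the signature of an e-mail flooding attempt and a useful alert.
        print(f"rate-limited login e-mail to {limiter.normalise(address)}")
        return False
    deliver(address)
    return True


if __name__ == "__main__":
    sent = []
    lim = EmailRateLimiter(limit=5, window=3600)
    for _ in range(7):
        send_login_email(lim, "User@Example.com", sent.append)
    print(f"delivered {len(sent)} of 7 requested")  # delivered 5 of 7 requested
```

The limiter keys on the normalised recipient so that case or whitespace variants of one address do not each get their own allowance, and `retry_after` gives the value to return in a `Retry-After` header so a legitimate user learns when to try again rather than retrying blindly.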

I’m sure the devs are happy for the feedback and I’ll leave it to them to speak on the site’s security, but just a side note: I wouldn’t recommend deploying any business-critical or enterprise apps on Streamlit Cloud. It’s more of an educational and community tool to help people get started with Streamlit. It doesn’t come with a guaranteed service level agreement (SLA) so it might be good to consider that aspect if your app is of reputational importance.

Hi,

Thanks for the reply. I felt Streamlit Cloud Community was very useful for me to deploy on. Do we have an enterprise cloud from Streamlit or Snowflake for deployment?

When Streamlit was acquired by Snowflake, the paid plans got sunsetted. I don’t know when/if they will bring them back. They are working on implementing Streamlit within Snowflake right now, which is in preview already on the Snowflake side. There are some limitations with it, as I understand, since it’s using a different sort of container.

If you need something now, I’d look at some of the other deployment options where you can get the right SLA. There are some options/tutorials here:

Hi,

Secrets are saved in secrets.toml locally and in the application secrets of Streamlit. How am I supposed to manage the secrets if I am deploying on AWS? There are no use case studies covering this.

I’m not personally as familiar with AWS specifically. Based on a search, I can see they have a secret management service, but there may be free options within your specific deployment that let you do something else.
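An added example of how the secrets question above can be handled on a self-hosted AWS deployment; it is not Streamlit's or AWS's code and not part of this thread. It resolves a secret name from the first source that has it: an environment variable, AWS Secrets Manager (boto3's `get_secret_value`, an assumed dependency that is imported lazily and whose client is injectable), and finally the local `secrets.toml`. The secret id `myapp/prod` and the file location are placeholders.

```python
"""Resolve application secrets outside Streamlit Community Cloud.

Added example, not Streamlit's or AWS's own code. On Community Cloud the
app's secrets are entered in its Secrets settings; on a self-hosted AWS
deployment the same names can be resolved, in order, from an environment
variable, from AWS Secrets Manager, or from a local secrets.toml. The
Secrets Manager step assumes boto3 is installed and the instance or task
role may read the secret; the client is injectable so it runs offline.
"""
import json
import os
from pathlib import Path
from typing import Any, Dict, Optional

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    tomllib = None


def _load_toml(path: Path) -> Dict[str, Any]:
    """Read secrets.toml; fall back to a flat key = "value" parser."""
    if tomllib is not None:
        with path.open("rb") as f:
            return tomllib.load(f)
    out: Dict[str, Any] = {}
    for line in path.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        out[k.strip()] = v.strip().strip('"')
    return out


def resolve_secret(name: str, secrets_client: Optional[Any] = None,
                   aws_secret_id: Optional[str] = None,
                   toml_path: Path = Path(".streamlit/secrets.toml")) -> Optional[str]:
    """Return the secret value from the first source that has it, else None."""
    # 1. Environment variable (how containers and EC2/ECS usually inject config).
    value = os.environ.get(name)
    if value:
        return value
    # 2. AWS Secrets Manager: one JSON secret holding several keys
    #    (placeholder id such as "myapp/prod"; assumption, not from the thread).
    if aws_secret_id:
        if secrets_client is None:
            import boto3  # assumption: boto3 installed, IAM role grants read
            secrets_client = boto3.client("secretsmanager")
        resp = secrets_client.get_secret_value(SecretId=aws_secret_id)
        payload = json.loads(resp.get("SecretString") or "{}")
        if name in payload:
            return str(payload[name])
    # 3. Local secrets.toml for development; keep it out of the repository.
    if toml_path.exists():
        data = _load_toml(toml_path)
        if name in data:
            return str(data[name])
    return None


if __name__ == "__main__":
    # Example call as it would appear in the app; prints None if nothing is set.
    print(resolve_secret("DB_PASSWORD", aws_secret_id=None))
```

Keeping the lookup order explicit means the same code runs unchanged on a laptop (secrets.toml), in CI (environment variables) and on AWS (Secrets Manager), and the secrets file never has to be baked into the container image.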
