Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
leosanchez 2 days ago

Tried setting up rustfs today. It was easier that garagehq and it even comes with UI.

evil-olive 7 hours ago | parent [-]

RustFS is the poster child in my mind for the worst kind of vibe-coded slop. it might be "simple" but it's not something I would ever trust with persistent data.

last year they had a security vulnerability where they allowed a hardcoded "rustfs rpc" token to bypass all authentication [0]

and even worse, if you read the resulting reddit thread [1] someone tracked down the culprit commits - it was introduced in July [2] and not even reviewed by another human before being merged.

then the fix 6 months later [3] mentions fixing a different security vulnerability, and seemingly only fixed the hardcoded token vulnerability by accident. that PR was also only reviewed by an LLM, not a human.

0: https://github.com/rustfs/rustfs/security/advisories/GHSA-h9...

1: https://www.reddit.com/r/selfhosted/comments/1q432iz/update_...

2: https://github.com/rustfs/rustfs/pull/163/

3: https://github.com/rustfs/rustfs/pull/1291

nikeee 7 hours ago | parent | next [-]

I am building an S3 client [1] where I have a test matrix that tests against common S3 implementations, including RustFS.

That test matrix uncovered that post policies were only checked for exsitence and a valid signature, not if the request actually conforms to the signed policy. That was an arbitrary object write resulting in CVE-2026-27607 [2].

In the very first issue for this bug [3], it seemed that the authors of the S3 implementation didn't know the difference between the content-length of GetObject and content-length-range of a PostObject. That was kind of a bummer and leads me to advise all my friends not to use rustfs, though I like what they are doing in principal (building a Minio alternative).

[1]: https://github.com/nikeee/lean-s3 [2]: https://github.com/rustfs/rustfs/security/advisories/GHSA-w5... [3]: https://github.com/rustfs/rustfs/issues/984

PunchyHamster 7 hours ago | parent | prev | next [-]

I recently submitted bug about how their own docs tell you to

* create rustfs user * run the rustfs from root via systemd, but with bunch of privileges removed * write logs into /var/logs/ instead of /var/log

Looks like someone told some LLM to make docs about running it as service and never looked at output

rezonant 7 hours ago | parent | prev [-]

Ah, progress!