Metbcy quietly plugs a download-link forgery hole

A public-repo fallback secret meant anyone could mint download links for files in the storage bucket - until now.

security, infrastructure

The backend signs download links with a secret key, the same way a bank signs a cheque. If the operator deploying the fork forgot to set that key, the code silently fell back to the string "dev-secret" - a value baked into the public source, and therefore known to the entire internet. Anyone who noticed could forge a valid-looking link and pull arbitrary files out of the fork's cloud storage.

Metbcy's patch removes the fallback. The service now refuses to start without a real, randomly-generated key, and the setup template was updated so operators can't miss the step. It's a small change with an outsized effect: the failure mode flips from "insecure by default and nobody notices" to "won't run until you do it properly."
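To make the failure mode concrete, here is an added illustration (not the fork's own code; the loader functions, environment variable name and URL layout are assumptions) showing an HMAC-signed download link with the silent "dev-secret" fallback beside the fail-closed loader the patch introduces:

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode, urlparse

PUBLIC_FALLBACK = "dev-secret"  # the value baked into the public source


def load_signing_key_vulnerable(env: dict) -> bytes:
    """Pre-patch pattern: an unset key silently becomes a world-known string."""
    return env.get("DOWNLOAD_SIGNING_KEY", PUBLIC_FALLBACK).encode()


def load_signing_key_fixed(env: dict) -> bytes:
    """Post-patch pattern: refuse to start unless a real random key is present."""
    key = env.get("DOWNLOAD_SIGNING_KEY")
    if not key or key == PUBLIC_FALLBACK or len(key) < 32:
        raise RuntimeError(
            "DOWNLOAD_SIGNING_KEY is unset or too weak; generate one with "
            "python -c 'import secrets; print(secrets.token_urlsafe(32))'"
        )
    return key.encode()


def sign_download(key: bytes, path: str, expires: int) -> str:
    """Mint a download link: HMAC-SHA256 over the object path and expiry."""
    msg = f"{path}\n{expires}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return "/download?" + urlencode({"path": path, "expires": expires, "sig": sig})


def verify_download(key: bytes, link: str, now: int) -> bool:
    """Server-side check: constant-time signature compare plus expiry window."""
    q = parse_qs(urlparse(link).query)
    path, expires, sig = q["path"][0], int(q["expires"][0]), q["sig"][0]
    if now > expires:
        return False
    expected = hmac.new(key, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed scenario: operator forgot to set the key.
    empty_env = {}
    weak_key = load_signing_key_vulnerable(empty_env)
    # A link minted with the public fallback verifies against the misconfigured server.
    link = sign_download(PUBLIC_FALLBACK.encode(), "backups/db.sql", 2_000_000_000)
    print("accepted with fallback key:", verify_download(weak_key, link, now=1_700_000_000))
    try:
        load_signing_key_fixed(empty_env)
    except RuntimeError as e:
        print("fixed loader refused to start:", e)
```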

So what? If you're running any Mike fork in production - or thinking about it - this is the kind of upstream-able fix worth pulling in before your next deploy.
