Security best practices

Remotion is a software that can generate videos programmatically. It does so by running a headless browser, capturing images, and encoding them into a video. This in itself does not pose a security risk. However, Remotion interacts with the Web, can be used in the cloud and uses the NPM ecosystem.

Environment variables

When starting the Remotion Studio or running a render via the command line, environment variables that are prefixed with REMOTION_, as well as those defined in .env files, are passed to the headless browser. You are responsible for ensuring that those environment variables are not exposed to other services while you are interfacing with the Web.

Credentials on the web

You should not try to call renderMediaOnLambda() or other APIs from @remotion/lambda from your app frontend. Those APIs can only be called with AWS credentials, meaning that you would have to expose your AWS credentials to the web. This is a security risk and should be avoided.

disableWebSecurity flag

We provide the disableWebSecurity flag as a workaround for CORS issues. This flag disables the same-origin policy in the headless browser. If you are using it, you need to be aware of its implications and assess whether this can pose a security risk to you.

DDoS attacks

APIs such as renderMedia() and renderMediaOnLambda() may be expensive (computationally or financially) to run. You should ensure that you are not exposing those APIs to the web without authentication or rate limiting. Otherwise, you may be vulnerable to DDoS attacks.

Dependency Security Scanning

Since Remotion is distributed via NPM, reports of scans of our dependencies can be publicly viewed on platforms such as Socket. You can check specific Remotion packages for vulnerabilities:

Make sure to also check other Remotion packages you plan to use by searching for them on Socket or similar security scanning platforms.

Security Certifications

Remotion does not have security certifications such as ISO27001 or SOC2. This is uncommon for JavaScript packages distributed via NPM. You may find comfort in the fact that there is no data processing done by Remotion's servers. After you obtain a license, you simply run Remotion on your own infrastructure, with no connection to our servers.

Security Review Process

We generally respond to alerts from GitHub's vulnerability scanner and dependency security advisories. Our process includes:

  • Monitoring security alerts from GitHub's vulnerability scanner (typically alerts of "moderate" severity and above)
  • Reviewing and addressing reported vulnerabilities in a timely manner
  • Updating dependencies when security patches are available
  • Releasing patch versions as needed

Please note that we handle security situations on an ad-hoc basis and cannot provide guarantees about response times or specific security thresholds.

General Node.JS security best practices

Often you will use Remotion alongside other Node.js dependencies.
You should only install dependencies you trust, since they can run arbitrary code in their postinstall scripts. Dependencies, including Remotion, may have known vulnerabilities, which you can list with the npm audit command.

Reporting of security vulnerabilities

If you believe you have found a security vulnerability, you can report it to hi@remotion.dev