I've been working on a Shiny app at my internship, and for multiple reasons, it would be ideal for the app to be launched in the browser rather than an RStudio viewer window. However, I am using very sensitive and protected data within this application that is stored on local servers, and am worried about the possibility of security threats to that data if launched in the browser. Are any parts of the data files sourced within the app, or any of the processing done by the app, uploaded or connected to the internet in any way when using the browser? Do any data security vulnerabilities arise from running the app this way? Does downloading a data file through the Shiny app in a browser introduce it to the internet in any way? Or does everything remain local? I have spent some time searching online and am only finding answers to Shiny security in regards to the shinyapps.io servers that you can buy, which are not what I am looking for information about. Thank you very much in advance!
Related
I'm trying to develop an internal Shiny app for my organization as a test run. The IT department is requiring the app to be safe from Directory Traversal Attacks. Unfortunately, I have to deploy the Shiny app on a Windows machine (currently using runApp).
I have searched but not found a way to implement the different recommendations of avoiding Directory Traversal Attacks. Can anyone help me out?
Protecting from a traversal attack is two fold. Once in the application and once in the system.
For the application, you will need to make sure that you are cleaning any inputs that point to a hosted file. For example, if your application allows a user to call images/supercool.png, you'll need to verify that the path is not being changed to something like ../../../../etc/passwd.
For the system, it is a matter of separating privileges. The accounts given access to the runApp files should not also have access to system files (beyond what is absolutely needed).
I would recommend using shiny server or connect to host the files for you, especially if you do not feel prepared to implement the needed security.
RStudio has done a lot of work and a great job to make a good product and is continuing to add new features, including enhancements around security/access.
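As an added example of the application-side check described in the answer above (this is not the answerer's code), the helper below resolves a user-supplied relative path against a fixed base directory and refuses anything that escapes it, then uses that check inside a Shiny downloadHandler. The base directory, file names and input ids are assumptions; the sample directory is constructed so the checks run anywhere, including on Windows.

```r
# Added example, not code from the original post.
library(shiny)

safe_path <- function(base_dir, user_path) {
  # Canonicalise the base once; winslash = "/" gives the same separators on
  # Windows so the prefix comparison below works on both platforms.
  base <- normalizePath(base_dir, winslash = "/", mustWork = TRUE)

  # Cheap structural rejects before touching the file system: absolute paths
  # (POSIX, drive letter or UNC), any ".." component, and ":" (drive prefixes
  # and NTFS alternate data streams such as "report.csv:hidden").
  parts <- strsplit(user_path, "[/\\\\]")[[1]]
  if (grepl("^([A-Za-z]:)?[/\\\\]", user_path) ||
      grepl(":", user_path, fixed = TRUE) ||
      any(parts == "..")) {
    return(NULL)
  }

  # Canonicalise the candidate (normalizePath resolves symlinks where the
  # target exists) and require it to sit strictly under base_dir.
  candidate <- normalizePath(file.path(base, user_path),
                             winslash = "/", mustWork = FALSE)
  if (!startsWith(candidate, paste0(base, "/"))) return(NULL)
  if (!file.exists(candidate) || dir.exists(candidate)) return(NULL)
  candidate
}

# Constructed sample directory so the checks below run offline.
www <- file.path(tempdir(), "www")
dir.create(www, showWarnings = FALSE)
writeLines("id,value\n1,42", file.path(www, "report.csv"))

stopifnot(!is.null(safe_path(www, "report.csv")))
stopifnot(is.null(safe_path(www, "../../etc/passwd")))
stopifnot(is.null(safe_path(www, "..\\..\\Windows\\win.ini")))
stopifnot(is.null(safe_path(www, "/etc/passwd")))
stopifnot(is.null(safe_path(www, "C:/Windows/win.ini")))
stopifnot(is.null(safe_path(www, "report.csv:hidden")))
stopifnot(is.null(safe_path(www, "")))   # would resolve to the base itself

ui <- fluidPage(
  textInput("file", "File to download", value = "report.csv"),
  downloadButton("dl", "Download")
)

server <- function(input, output, session) {
  output$dl <- downloadHandler(
    filename = function() basename(input$file),
    content = function(dest) {
      src <- safe_path(www, input$file)
      # Fail closed: a refused path never reaches file.copy().
      if (is.null(src)) stop("refused: path is outside the served directory")
      file.copy(src, dest)
    }
  )
}

shinyApp(ui, server)
```

The structural rejects run before any file-system call so that a hostile path never even gets stat'ed; the prefix check after normalizePath is what catches a symlink planted inside the served directory that points outside it. The same helper can sit in front of addResourcePath or any other place where a request parameter becomes a file name.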
So I have a dashboard, but I wish to break this dashboard into smaller apps. The smaller apps will provide inputs into the dashboard.
I have set up a droplet/Shiny Server. How would I go about doing this?
The dashboard and apps would need to be on the server so I can embed them on the website.
In essence, the question is too broad as it is right now. Here are a few pointers to get you going:
Since each shiny app "lives" on its own, they can't communicate directly with one another.
What you can do is to have a service which all the apps can talk to, i.e., some kind of database. Once an app changes a status/field/table in the database, the other apps see that and react accordingly.
I'm pretty sure you can accomplish this with a remote storage, not sure about local storage though.
RStudio has a good tutorial about persistent data storage in shiny apps, so I would start there: Persistent data storage in Shiny apps
I have developed a web application (flexdashboard) in runtime shiny by importing Excel data into rmarkdown. I want to deploy it on a server which should work in real time, i.e. I will share the link with users so that the end users can see what is happening in real time, and the changes that are made to the data in the Excel file would also be reflected in the web app, i.e. the dashboard. Please let me know how to deploy this rmarkdown web app on a Linux server (or any cost-efficient server)?
Also please let me know if we can develop some dynamic web pages in rmarkdown.
Any kind of help is highly appreciated. Thanks in advance.
I am building a series of interactive shiny web apps for a project that I am considering turning into a Company. My background is in data science and I don't have a lot of experience on the web app / server side of things, but these are important aspects for me to consider with my project. I currently have an Amazon Linux AMI EC2 instance with ShinyServer (free, open-source) installed, and I am currently hosting early versions of my web apps there. So far everything works fine, but I haven't made the links public yet.
My first question is whether anyone knows if there are certain limitations (scalability limitations, integration with database limitations, security / authentication limitations, etc.) that I will inevitably run into using RShiny apps and ShinyServer? I haven't heard of many successful, super-popular web apps being shiny apps hosted on ShinyServer, but rather my feeling is that ShinyServer is mainly used for hosting RShiny apps that are shared amongst only a small number of people (i.e. shared amongst team members at a company.). Per this thread - Does R-Server or Shiny Server create a new R process/instance for each user? - I am particularly concerned that my app won't be able to handle thousands of users simultaneously since only 1 R process is created for the app regardless of the # of concurrent users of the app. Having 10-20 processes through ShinyServer pro probably doesn't solve the issue either if I ever intend to scale greater than the hundreds or thousands of users. I also noticed that ShinyServer Pro would run me a not-so-negligible $10K per year.
My second question is whether RShiny apps can be deployed using other server technologies, such as Heroku. I came across this github page (https://github.com/virtualstaticvoid/heroku-buildpack-r/tree/heroku-16) but haven't dug too deep into it yet. I've been told that heroku makes it easy to update releases to apps whose code is on github (git push heroku:master), amongst other things.
My third question involves certain specific considerations of mine. In particular, I am currently working on a script that queries data from an API and writes that data to a (not-yet-setup) database of mine. This is the data my apps use, and I'd be interested in having the apps update in real time as the database updates, without requiring the user to refresh the webpage. A buddy of mine suggested AJAX for this type of asynchronous behavior, and it looks like this may be possible in R with something like this (https://github.com/daattali/advanced-shiny/tree/master/api-ajax).
Sorry that this is such a loaded question, but I hope it doesn't get closed down as I think it is fairly educational. Any suggestions / sources / pointing me in the right direction would be greatly appreciated on this.
Canovice,
I'd recommend you take a look at the following RStudio / AWS support articles. To scale a shiny server you'll need to look at using a load balancer:
RStudio
https://shiny.rstudio.com/articles/scaling-and-tuning.html
https://support.rstudio.com/hc/en-us/articles/220546267-Scaling-and-Performance-Tuning-Applications-in-Shiny-Server-Pro
https://support.rstudio.com/hc/en-us/articles/217801438-Can-I-load-balance-across-multiple-nodes-running-Shiny-Server-Pro-
AWS
https://aws.amazon.com/blogs/big-data/running-r-on-aws/
Blog Article:
http://mgritts.github.io/2016/07/08/shiny-aws/
Shiny is a great platform, and their support is fabulous. I'd recommend you ring them up; they'll be sure to help answer your questions.
That said if your plan is to create a scalable website that will support thousands or hundreds of thousands of people then my sense would be to recommend you also review and consider using D3.js in conjunction with react.js or Angular.js, not forgetting to mention node.js.
My sense is that you are looking at a backend database connected to a logic engine and visualisation front end. If you are looking for a good overview of usage take a look at the following web page and git repo [A little dated but useful]:
https://anmolkoul.wordpress.com/2015/06/05/interactive-data-visualization-using-d3-js-dc-js-nodejs-and-mongodb/
https://github.com/anmolkoul/node-dc-mongo
I hope the above points you in the right direction.
I'd like to provide some notes related to your second question: Yes, you can use the mentioned buildpack to deploy Shiny applications on Heroku.
I was in a similar situation to you (asking myself about possible ways of serving Shiny applications in a scalable manner) and decided to go the "Heroku way".
You may find these hints helpful when deploying your app to Heroku using the buildpack mentioned above:
Heroku tries to "guess" how to execute your application. But you can also add a special file, named Procfile, to your application to control the process commands you want to execute for your application. In my case I used web: R -f ~/run.R --gui-none --no-save, which means that a file named run.R is being passed to the R executable for the web server process.
The stack on Heroku is based on Ubuntu. If you need additional deb packages, you can create another special file named Aptfile and add the package names therein; Heroku will then automatically install these for you (I needed it for RPostgreSQL).
You can add another special file named init.R and install all R packages as necessary just as you are used to, i.e. with install.packages etc. You can also add initial configuration material within this file.
As a running example, here is a toy application that I wrote for myself to remember how a "full-stack" Shiny app may look, including compatibility with Heroku.
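As an added example of the run.R that the Procfile line above (web: R -f ~/run.R --gui-none --no-save) would start, and not the answerer's own file: Heroku tells a web dyno which port to listen on through the PORT environment variable, and the app has to bind to 0.0.0.0 rather than Shiny's loopback default so the Heroku router can reach it. The 8080 fallback for local runs is an assumption.

```r
# run.R: added example of a Heroku entry point for a Shiny app.
# Assumes app.R (or ui.R/server.R) sits in the same directory as this file.
library(shiny)

# Heroku sets PORT for each dyno; the fallback is only for running locally.
port <- as.integer(Sys.getenv("PORT", unset = "8080"))
if (is.na(port)) stop("PORT must be an integer")

runApp(
  appDir = ".",
  host = "0.0.0.0",        # loopback-only (the default) is unreachable behind the router
  port = port,
  launch.browser = FALSE   # there is no browser on a dyno
)
```

Binding to 0.0.0.0 is correct on Heroku because the dyno is only reachable through the platform router; on a machine you administer yourself, keep the default 127.0.0.1 unless a reverse proxy in front of Shiny needs to reach it.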
For a large number of concurrent users, use a load balancer like nginx and enable the autoscaling of your app, e.g. through Kubernetes.
You can deploy your app on Heroku. On the paid tiers it includes NoOps autoscaling of your app. See this tutorial on how to deploy a Shiny app in a Docker container on Heroku: https://medium.com/analytics-vidhya/deploying-an-r-shiny-app-on-heroku-free-tier-b31003858b68
You can query the table last update timestamp in the Shiny server logic with reactivePoll() and rerun your db query if it changed. It is not "real-time" but depending on your application close enough if you set the time interval small.
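As an added example of the reactivePoll() pattern in the answer above (not the answerer's code): a Shiny server that probes a cheap "last updated" marker every two seconds and only re-runs the full query when that marker changes. SQLite via DBI/RSQLite, the table layout and the updated_at column maintained by the writer are assumptions; the seed rows are constructed so the app runs offline.

```r
# Added example, not code from the original post.
library(shiny)
library(DBI)
library(RSQLite)

db_path <- file.path(tempdir(), "readings.sqlite")

# Writer side (what the API-polling script would do): append rows stamped
# with the current time, so MAX(updated_at) advances on every write.
append_readings <- function(path, values) {
  con <- dbConnect(SQLite(), path)
  on.exit(dbDisconnect(con))
  if (!dbExistsTable(con, "readings")) {
    dbExecute(con, "CREATE TABLE readings (
                      id INTEGER PRIMARY KEY, value REAL, updated_at REAL)")
  }
  rows <- data.frame(value = values, updated_at = as.numeric(Sys.time()))
  dbWriteTable(con, "readings", rows, append = TRUE)
  dbGetQuery(con, "SELECT COUNT(*) AS n FROM readings")$n
}

append_readings(db_path, c(10, 20, 30))   # constructed seed data

ui <- fluidPage(
  h3("Readings (refreshes within ~2 s of a database write)"),
  tableOutput("tbl")
)

server <- function(input, output, session) {
  # One connection per session, closed when the browser tab goes away.
  con <- dbConnect(SQLite(), db_path)
  session$onSessionEnded(function() dbDisconnect(con))

  readings <- reactivePoll(
    intervalMillis = 2000,
    session = session,
    # Cheap probe run every interval; reactivePoll compares only its result.
    checkFunc = function() {
      dbGetQuery(con, "SELECT MAX(updated_at) AS t FROM readings")$t
    },
    # Expensive query, run only when the probe result changed.
    valueFunc = function() {
      dbGetQuery(con, "SELECT id, value,
                              datetime(updated_at, 'unixepoch') AS updated_at
                       FROM readings ORDER BY id")
    }
  )

  output$tbl <- renderTable(readings())
}

shinyApp(ui, server)
```

Run the app, then call append_readings(db_path, 40) from another R session: the table updates on the next poll without a page refresh. Every open session runs checkFunc on its own timer, so it must stay a cheap indexed lookup; the full query cost is only paid when data actually changed.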
Hi, this is more a question of code security than a question about a directly coding-related problem. But I was wondering: is it possible to see the code in ui.R and server.R that generates the app's web browser page?
E.g., although I'm sure I could just ask Garrett to see the code, is it possible, without authorisation, to somehow see the code related to this URL http://glimmer.rstudio.com/gsee/TFX/ which is running a Shiny app? As this might be a problem if putting up sensitive data/code etc.
Is there a way to add a secure username and password to Shiny apps, so that only selected users can access the app?
I know obviously you can see code that runs Shiny apps from gists, but was more curious about glimmer apps.
P.S. Garrett (if you see this), I'm just using your app as a good app example, as it uses glimmer, and in my opinion it's attractive code.
As you talk about Shiny applications that run on glimmer.rstudio.com, you talk about applications that run on Shiny Server (as opposed to applications run locally via a call to runApp).
As such, both ui.R and server.R are located on the server, and they are not downloaded to your computer when you run it. Moreover, they seem to be protected by Shiny: if you try to access them via a URL, such as http://shinyserver.example.com/app/server.R, all you will get is an HTTP 404 error.
So, in the same way that it is not possible to access the PHP or Ruby files that power a website or web applications, you can't, for obvious security reasons, access the R files behind a shiny application.
As for protecting access to a Shiny application, I'm not sure it is a built-in feature in Shiny Server yet, but if you run it behind an Apache or Nginx proxy it should be possible to use HTTP authentication for that.
Note: I'm not a Shiny expert at all, so this answer could be partially wrong. I just hope not totally :)
Right now, do not put up sensitive code or data on the glimmer server! It is not secure, and any user of the server can access the code/data of other users. A bug report has been submitted and the developers are working on it; to my surprise, the server is still online though.
Usernames/passwords are not going to help with this bug. If you want security, host Shiny Server yourself, as the glimmer server is not secure.