Allowing files to be uploaded to your applications (and therefore your network) is risky business. In fact, it just may be the riskiest functionality that you can add to a web application.
If you decide to include file uploads in your applications, you should:
- Scan all uploaded files with an application to analyze the files for malicious characteristics such AssemblyLine (free from the Canadian Government, which can be installed locally so you do not need to share your files with a 3rd party), Cylance, FireEye or Virus Total.
- Follow the advice in the OWASP File Uploads cheat sheet.
- Watch Episode #14 of the OWASP DevSlop show with Dominique Righetto to see code and more on how to implement these safeguards. This episode is in French with English Subtitles (most episodes are recorded in English). While you are at it, why not subscribe to our YouTube channel? If you like this blog, you are likely to also enjoy the show.
Here are some points to take home, as summarized from the OWASP File Uploads Cheat Sheet, written by Dave Wichers:
· Ensure the application is receiving the expected file type which is within an acceptable size range. If not, reject it.
· If possible, avoid accepting Zip files. If you must accept zip files, be extremely careful.
· Rename the file, do not use user-supplied information to name the file, even temporarily.
· Do not allow the user to specify a path to save the file, always have the application decide, and do not share this location with the end user.
· Pay special attention to files with double file extensions and ensure the fake extension is removed. For example: myfile.php.txt would become systemcreatedfilename.txt.
· Use image processing libraries to verify the image is valid and to strip away extraneous content.
· Set the extension of the stored image to be a valid image extension based on the detected content type of the image from image processing (do not trust the header from the upload).
· Ensure the detected content type of the image is within a list of defined acceptable image types (jpg, png, etc).
· Ensure that you can attribute the file to the authenticated and authorized user that uploaded it for auditing purposes. It is not advised to let unauthenticated users to upload files.
· It is preferable to save files to a to properly secured blob storage, then a database or to a file system. If on a file system, ensure it is on a file server (not the web server), preferably isolated and/or on a different domain/network zone, in a directory that does not have any execute permissions and has had all the script handlers removed. If at all possible store it in the cloud in blob storage instead.
Up next in the ‘Pushing Left, Like a Boss’ series: Redirects and Forwards.