This is a topic we actually discussed recently in another blog episode [1]. It is no surprise that this topic made it into the "Top 25" [2]. Securing file uploads is hard.
To extend a bit on the earlier blog, let me discuss strategies to win this fight. I believe this is a good example on how integrating security early in your software development is helpful.
Hard problems like file uploads need to be identified early, and the risks have to be spelled out in the project plan. In some cases, it may be possible to avoid the problem by modifying the project requirements. Some of the critical questions to ask are:
- Who will upload files? Are only authenticated users uploading files or is anybody able to upload.
The risks associated with file uploads can be somewhat mitigated if only authenticated users are allowed to upload files. While this is not perfect, it does provide more traceability in case a malicious upload is found. - Who will view the files and when? Will only administrators view the files or will any visitor to the site view them? Will there be time to review of the file before it is viewed?
Will the file be posted directly to a public website? In this case, the content of the file may matter. For example, think about a web site which allows users to post images and you are trying to protect children viewing the images from inappropriate content. This is impossible without a manual review of the image.
If only administrators are viewing the files, they may use secured workstations to review them and receive additional training in spotting malicious or inappropriate files. - Which file types are allowed?
The less file types are allowed, the easier it is to validate the files as valid. Hard to validate file types may be eliminated and for some of the remaining file types, additional restrictions may be imposed. For example, PDFs are only allowed if they do not contain Javascript or pass certain validation checks. Microsoft Office documents may be stripped of macros before accepting them.
Decisions like this have to be made early in the development process. The threat modeling should point out dangerous requirements like file uploads and make everybody aware of the risks involved. At this point, it is usually still pretty easy to avoid some of the major problems. For example, a requirement may be added to limit file uploads to users with specific rolls or the requirement for manual review may be added.
- https://blogs.sans.org/appsecstreetfighter/2009/12/28/8-basic-rules-to-implement-secure-file-uploads/
- http://cwe.mitre.org/top25/#CWE-434
