-
-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add check in frontend implementation for acceptedFileTypes
violation
#133
Comments
As the documentation states:
This is not a security feature. Nothing can stop an user to attach other files than the ones you put into the attribute. The attribute only configures the See this as a "suggestion" to the browser which files you want the user to choose. The browser configures the system file selector with those types but it can be ignored. To securely limit the files you would need a server-side-check which is not possible as the server never sees the file in an unencrypted state. Even if I would try to parse that list in the frontend JS myself and match the file type (or the name) the browser gives me to the list this still does not guarantee anything. Even if I would do this in the frontend JS and the OTS-CLI util you simply can write a fairly simple script to attach an executable to a secret. |
OK, noted. |
Well also the file size is not a security check and you really should set a max-body-size in the webserver. You cannot trust any check done in the frontend. Like I said above: I could parse that list in the JS code and then try to match the file to it (given I get correct information which itself is not guaranteed especially with more exotic file types) but what does it give? A false sense of security. The CLI can upload a 1GiB file containing a giant virus collection… If we stop that in the browser and the CLI, the attacker will use a custom shell script. We lost. I'm fully aware how security works and there is no security at all but doing checks in frontend is just like asking a thief not to steal your diamond laying in front of them while you drive to work… The question is: Is it worth the effort implementing the parser and the matcher when it doesn't prevent anything? |
I understand your arguments. I think it is OK to treat approved extensions as not a security check. It is more a business control, whose scope is only UI and CLI, not API for the reasons you stated. Just a simple list of allowed extensions as a property, and a file name check to validate the extension. If not in the list, return a blocking error message like the one above. |
acceptedFileTypes
violation
1.9.0-9feecf3
acceptedFileTypes: 'image/,text/,application/pdf'
The text was updated successfully, but these errors were encountered: