File upload security in web applications

Rinkesh Patel
3 min read · Jun 11, 2022

Recently, I had a chance to go deep into the security of file upload processing. In this article, I am sharing some of the questions that I dealt with, and insights from the experience of answering them. For most applications, you might not need to think about the types of files that users upload, but for some use cases you must be able to ensure that users are uploading only files that are considered safe for the use case.

Some of the questions that we might encounter when dealing with file uploads are as follows:

Can you trust file type and mime types reported by the browsers, and file processing libraries (in the backend)?

  • Can you trust the File.type property in the front-end?
  • Can you rely on multer’s File.mimetype property? (multer is a Node.js middleware for processing multipart/form-data.)

Given the large number of file extensions, should you maintain an allow list, a deny list, or a combination of both?

Fig.1. Maintain an allow list if you know the acceptable files

  1. Allow list: Use this if you know exactly which file types users are allowed to upload. For example, if you are developing an application that creates identification cards from photos, you can maintain an allow list of image extensions: PNG, JPEG, JPG. This approach is described in figure 1.

Fig.2. Maintain a deny list if you know the unacceptable files.

  2. Deny list: If the list of file types that users are allowed to upload is lengthy, take this approach instead: deny whatever could endanger the security of the system. This approach is described in figure 2.

  3. Or a combination of allow and deny list:

Fig. 3. Maintain a combination of allow and deny list

  • This is the middle ground: there is no complete information about the file types that users are going to upload.
  • There is also no complete information about what is going to be dangerous.
  • This is a balanced approach, but it could be overkill for simple applications.
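The combined approach, as an added example that is not from the original article: an extension policy with an allow list and a deny list, checked against every extension segment of the filename rather than only the last one. The `POLICY` contents (an ID-card app that wants raster images only), the function names and the sample filenames are this example's own assumptions.

```javascript
// Added example, not from the original article: an extension policy combining
// an allow list with a deny list. Every extension segment of the filename is
// checked, not just the last one, so "avatar.php.png" is caught.

// Hypothetical policy for the ID-card application described above.
const POLICY = {
  allow: new Set(["png", "jpg", "jpeg"]),
  deny: new Set(["exe", "msi", "dmg", "jar", "php", "js", "sh", "bat", "html", "svg"]),
};

// Return every extension segment of a filename, lower-cased, in order.
// "Photo.PNG.exe" -> ["png", "exe"]; "README" -> [].
function extractExtensions(filename) {
  // Drop any directory component the client may have sent ("../../x.png").
  const base = filename.split(/[\\/]/).pop();
  const parts = base.split(".");
  if (parts.length < 2) return [];
  return parts.slice(1).map((p) => p.trim().toLowerCase());
}

// Decide whether a filename passes the combined policy.
// Returns { ok: boolean, reason: string }.
function checkFilename(filename, policy = POLICY) {
  // A NUL byte can truncate the name in lower-level (C) code: "x.php\0.png".
  if (filename.includes("\0")) return { ok: false, reason: "null byte in filename" };
  const exts = extractExtensions(filename);
  if (exts.length === 0) return { ok: false, reason: "no extension" };
  const last = exts[exts.length - 1];
  if (last === "") return { ok: false, reason: "trailing dot" };
  // The deny list is checked against every segment and wins over the allow list.
  const denied = exts.find((e) => policy.deny.has(e));
  if (denied !== undefined) return { ok: false, reason: `denied extension .${denied}` };
  // The final extension is what the server and browsers will act on, so it
  // must be on the allow list.
  if (!policy.allow.has(last)) return { ok: false, reason: `extension .${last} not allowed` };
  return { ok: true, reason: "ok" };
}

// Constructed sample filenames, printed when the file is run directly.
const DEMO_NAMES = ["photo.png", "Photo.JPG", "photo.png.exe", "avatar.php.png", "photo.png.", "README"];
for (const name of DEMO_NAMES) {
  console.log(JSON.stringify(name), "->", checkFilename(name).reason);
}
```

The deny list is deliberately consulted before the allow list: a name like `avatar.php.png` ends in an allowed extension, but a misconfigured server could still execute it, so the earlier `.php` segment rejects it. Normalising case and trailing dots matters because Windows and some web servers treat `PHOTO.PNG.` as `photo.png`.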

How do you categorize files?

Fig.4. Working model of Linux file command

The Linux file command is a good guide, and the best tool, for tackling file upload security. It is also one of the oldest tools addressing this issue and has been available since the Unix days. It divides files into three bins: executables, binary (data), and text files, as depicted in figure 4. It is also a very flexible command and performs three different types of tests on files to determine their types, as described in figure 5.

Fig.5. Three types of tests performed by Linux file command on files
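The following is an added example, not code from the original article, that ties together the two questions raised earlier (can you trust the browser's File.type or multer's File.mimetype?) and the three-bin model of the file command. It assumes a multer-style object `{ mimetype, buffer }`, where `mimetype` is simply the Content-Type the client sent for that multipart part, and classifies the buffer by its own contents with a small magic-number check in the spirit of file's tests. The function names, the `EXECUTABLE_MAGIC` and `IMAGE_MAGIC` tables and the sample buffers are this example's own constructions; the signature bytes themselves are the standard ones for those formats.

```javascript
// Added example, not from the original article. Classifies an uploaded buffer
// into the three `file` bins (executable / text / binary data) using well-known
// magic numbers, then checks the client-declared MIME type against the result.

// Signature tables (constructed for this example; byte values are the standard ones).
const EXECUTABLE_MAGIC = [
  { label: "elf", bytes: [0x7f, 0x45, 0x4c, 0x46] },     // "\x7fELF" (Linux binaries)
  { label: "pe", bytes: [0x4d, 0x5a] },                  // "MZ" (Windows .exe/.dll/.msi stubs)
  { label: "macho", bytes: [0xcf, 0xfa, 0xed, 0xfe] },   // Mach-O 64-bit, little-endian
  { label: "shebang", bytes: [0x23, 0x21] },             // "#!" interpreter scripts
];
const IMAGE_MAGIC = [
  { mime: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

function startsWith(buf, bytes) {
  if (buf.length < bytes.length) return false;
  for (let i = 0; i < bytes.length; i++) if (buf[i] !== bytes[i]) return false;
  return true;
}

// Text heuristic: no NUL bytes, no control characters other than tab/CR/LF,
// and the bytes decode as valid UTF-8 (a bad sequence decodes to U+FFFD).
function looksLikeText(buf) {
  if (buf.length === 0) return true;
  for (const b of buf) {
    if (b === 0) return false;
    if (b < 0x20 && b !== 0x09 && b !== 0x0a && b !== 0x0d) return false;
  }
  return !buf.toString("utf8").includes("\ufffd");
}

// Returns { bin: "executable" | "text" | "binary", detail: string }.
function classify(buf) {
  for (const m of EXECUTABLE_MAGIC) {
    if (startsWith(buf, m.bytes)) return { bin: "executable", detail: m.label };
  }
  for (const m of IMAGE_MAGIC) {
    if (startsWith(buf, m.bytes)) return { bin: "binary", detail: m.mime };
  }
  if (looksLikeText(buf)) return { bin: "text", detail: "text/plain" };
  return { bin: "binary", detail: "application/octet-stream" };
}

// `file` mimics what multer hands a route handler: file.mimetype is whatever
// Content-Type the client chose for the part, so it is treated as a claim only.
function validateUpload(file, allowedMime) {
  const sniffed = classify(file.buffer);
  if (sniffed.bin === "executable") {
    return { ok: false, reason: `executable content (${sniffed.detail})` };
  }
  if (!allowedMime.has(sniffed.detail)) {
    return { ok: false, reason: `content is ${sniffed.detail}, not an allowed type` };
  }
  if (file.mimetype !== sniffed.detail) {
    return { ok: false, reason: `declared ${file.mimetype} but content is ${sniffed.detail}` };
  }
  return { ok: true, reason: "ok" };
}

// Constructed sample uploads: a PNG header, a Windows executable header sent
// with a lying Content-Type, and an HTML document sent as an image.
const SAMPLES = {
  png: { mimetype: "image/png", buffer: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d, 0x49, 0x48, 0x44, 0x52]) },
  exeAsPng: { mimetype: "image/png", buffer: Buffer.from("MZ\x90\x00\x03\x00\x00\x00", "latin1") },
  htmlAsJpeg: { mimetype: "image/jpeg", buffer: Buffer.from("<html><body>not an image</body></html>") },
};
const ALLOWED = new Set(["image/png", "image/jpeg"]);
for (const [name, f] of Object.entries(SAMPLES)) {
  console.log(name, "->", validateUpload(f, ALLOWED).reason);
}
```

The declared type is only compared after the content has been classified and found acceptable, so a mismatch is reported as such rather than silently trusted in either direction. A real deployment would also pass the decoded image through an image library and re-encode it, which strips any trailing payload a prefix check cannot see.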

What are you trying to protect?

Fig. 6. The target of the security system

Understanding the resources that we are trying to protect helps streamline file upload security. Some of the things that could be your target are shown in figure 6 and listed below:

  • Your infrastructure: web servers, storage layer, network layer, etc.
  • User’s data
  • User’s devices
  • User’s privacy
  • Confidentiality, Integrity, Availability of the system in general

For example, if most of your users are on Windows and Mac devices, then you should focus on executable and package files for those platforms: .exe, .msi, .dmg, .jar, etc.

In the end, considering these types of questions allows us to better secure the file upload system in a web application. I found this relatively old article by SANS Institute particularly helpful. Please feel free to leave your thoughts on this. Thanks for reading.


Rinkesh Patel

A persistent problem solver trying to dig deeper into day-to-day challenges in Software Engineering and share insights. Love simple and effective solutions.