yes internally - this will only work with the sync-pack (zip) files
internally within the upload process the files are:
uploaded (with an internal random name, so we don't take the one submitted)
unzipped
deleted
If any of the steps fail (e.g. the unzip) then the delete should be fired - so the files do not actually persist on the disk and all of this occurs in a location that could not be calculated from the upload (e.g. random folder names, random filenames, etc).
but you do have to exercise caution with these files anyway (which is why they are in the settings section and would be limited to accounts that can only do 'settings' things) as they can for example contain view files, (e.g. a .cshtml file) which can of course contain code that if imported would run on a site.
I wouldn't say this isn't a vulnerability as much as the function of the process. (e.g. you can do damage uploading code inside a snapshot/sync-pack - but you can also do damage by writing code into a template/partial in the same section).
happy to discuss more via email ([email protected]) if you have more questions
File Upload Security
I have a question from a client (following a security scan) related to the file upload fields here:
/AppPlugins/uSyncExporter/importDialog.html, line 26
/AppPlugins/uSyncSnapshots/dialog/importDialog.html, line 14
The question is whether or not these uploads have some mechanism to validate/limit the types of files that might be uploaded (other than the "accept" attribute).
Thanks.
Super, many thanks!
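The upload handling described in the reply above (random folder and file names, unzip, delete on every path), as an added C# example that is not uSync's own code. `SyncPackUpload`, `Inspect` and the `unpacked` folder are hypothetical names, and the entry path check and the `.cshtml` report are assumptions about what a reviewer would want to see before import.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
public static class SyncPackUpload
{
    // Hypothetical helper: returns the Razor views found in an uploaded pack.
    public static List<string> Inspect(Stream upload, string tempRoot)
    {
        // Random folder and file names: nothing comes from the submitted name.
        string workDir = Path.GetFullPath(Path.Combine(tempRoot, Path.GetRandomFileName()));
        string zipPath = Path.Combine(workDir, Path.GetRandomFileName());
        string extractDir = Path.Combine(workDir, "unpacked") + Path.DirectorySeparatorChar;
        var views = new List<string>();
        Directory.CreateDirectory(extractDir);
        try
        {
            using (var file = File.Create(zipPath)) upload.CopyTo(file);
            // OpenRead throws InvalidDataException if the upload is not a zip.
            using (var zip = ZipFile.OpenRead(zipPath))
                foreach (var entry in zip.Entries)
                {
                    string target = Path.GetFullPath(Path.Combine(extractDir, entry.FullName));
                    // Refuse entries such as "../web.config" that leave the folder.
                    if (!target.StartsWith(extractDir, StringComparison.Ordinal))
                        throw new InvalidDataException("Entry escapes folder: " + entry.FullName);
                    if (entry.Name.Length == 0) continue; // directory entry
                    Directory.CreateDirectory(Path.GetDirectoryName(target));
                    entry.ExtractToFile(target);
                    if (entry.Name.EndsWith(".cshtml", StringComparison.OrdinalIgnoreCase))
                        views.Add(entry.FullName);
                }
            return views; // an import step would read extractDir before this point
        }
        finally { Directory.Delete(workDir, true); } // runs on success and on failure
    }
    public static void Main()
    {
        var pack = new MemoryStream(); // constructed sample pack
        using (var zip = new ZipArchive(pack, ZipArchiveMode.Create, true))
        {
            zip.CreateEntry("uSync/content.config");
            zip.CreateEntry("views/Home.cshtml");
        }
        pack.Position = 0;
        Console.WriteLine(string.Join(", ", Inspect(pack, Path.GetTempPath())));
    }
}
```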