Initial commit
This commit is contained in:
Zhongwei Li
@@ -0,0 +1,75 @@
|
||||
---
|
||||
description: Secure file handling & uploads (validation, storage isolation, scanning, safe delivery)
|
||||
languages:
|
||||
- c
|
||||
- go
|
||||
- java
|
||||
- javascript
|
||||
- php
|
||||
- python
|
||||
- ruby
|
||||
- typescript
|
||||
alwaysApply: false
|
||||
---
|
||||
|
||||
rule_id: codeguard-0-file-handling-and-uploads
|
||||
|
||||
## File Upload Security Guidelines
|
||||
|
||||
This rule advises on secure file upload practices to prevent malicious file attacks and protect system integrity:
|
||||
|
||||
- Extension Validation
|
||||
- List allowed extensions only for business-critical functionality.
|
||||
- Ensure input validation is applied before validating extensions.
|
||||
- Avoid double extensions (e.g., `.jpg.php`) and null byte injection (e.g., `.php%00.jpg`).
|
||||
- Use allowlist approach rather than denylist for file extensions.
|
||||
- Validate extensions after decoding filename to prevent bypass attempts.
|
||||
|
||||
- Content Type and File Signature Validation
|
||||
- Never trust client-supplied Content-Type headers as they can be spoofed.
|
||||
- Validate file signatures (magic numbers) in conjunction with Content-Type checking.
|
||||
- Implement allowlist approach for MIME types as a quick protection layer.
|
||||
- Use file signature validation but not as a standalone security measure.
|
||||
|
||||
- Filename Security
|
||||
- Generate random filenames (UUID/GUID) instead of using user-supplied names.
|
||||
- If user filenames required, implement maximum length limits.
|
||||
- Restrict characters to alphanumeric, hyphens, spaces, and periods only.
|
||||
- Prevent leading periods (hidden files) and sequential periods (directory traversal).
|
||||
- Avoid leading hyphens or spaces for safer shell script processing.
|
||||
|
||||
- File Content Validation
|
||||
- For images, apply image rewriting techniques to destroy malicious content.
|
||||
- For Microsoft documents, use Apache POI for validation.
|
||||
- Avoid ZIP files due to numerous attack vectors.
|
||||
- Implement manual file review in sandboxed environments when resources allow.
|
||||
- Integrate antivirus scanning and Content Disarm & Reconstruct (CDR) for applicable file types.
|
||||
|
||||
- Storage Security
|
||||
- Store files on different servers for complete segregation when possible.
|
||||
- Store files outside webroot with administrative access only.
|
||||
- If storing in webroot, set write-only permissions with proper access controls.
|
||||
- Use application handlers that map IDs to filenames for public access.
|
||||
- Consider database storage for specific use cases with DBA expertise.
|
||||
|
||||
- Access Control and Authentication
|
||||
- Require user authentication before allowing file uploads.
|
||||
- Implement proper authorization levels for file access and modification.
|
||||
- Set filesystem permissions on principle of least privilege.
|
||||
- Scan files before execution if execution permission is required.
|
||||
|
||||
- Upload and Download Limits
|
||||
- Set proper file size limits for upload protection.
|
||||
- Consider post-decompression size limits for compressed files.
|
||||
- Implement request limits for download services to prevent DoS attacks.
|
||||
- Use secure methods to calculate ZIP file sizes safely.
|
||||
|
||||
- Additional Security Measures
|
||||
- Protect file upload endpoints from CSRF attacks.
|
||||
- Keep all file processing libraries securely configured and updated.
|
||||
- Implement logging and monitoring for upload activities.
|
||||
- Provide user reporting mechanisms for illegal content.
|
||||
- Use secure extraction methods for compressed files.
|
||||
|
||||
Summary:
|
||||
Implement defense-in-depth for file uploads through multi-layered validation, secure storage practices, proper access controls, and comprehensive monitoring. Never rely on single validation methods and always generate safe filenames to prevent attacks.
|
||||
Reference in New Issue
Block a user