Unlimited File Upload
Category: Security Misconfiguration
Severity: Medium
Description
The application should enforce a size limit on the upload service in order to protect the file storage capacity. If the system is going to extract or otherwise process the uploaded files, the limit must apply to the decompressed size, not only to the size of the uploaded archive: a small archive can inflate to many gigabytes (a "zip bomb"), and the sizes an archive declares for its own entries are attacker-controlled, so the limit has to be enforced on the bytes actually produced during extraction, aborting as soon as the budget is exceeded. For more on this, see the OWASP guidance on how to safely extract files from ZipInputStream, Java's input stream for handling ZIP files.
The application should set request limits on the download service as well, if one is available, to protect the server from denial-of-service attacks.
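The decompression check described above, as an added example that is not code from the original page or from OWASP. It extracts a ZIP in memory while counting the bytes the decompressor actually yields, ignoring the sizes the archive claims for itself; the limits, function names and the two constructed sample archives are assumptions for the demo.

```python
# Added example, not code from the original page: extract a ZIP while
# enforcing a decompressed-size budget on the bytes the inflater actually
# produces. Limits, names and the sample archives are assumptions for the demo.
import io
import zipfile


class ZipTooLarge(Exception):
    """Raised as soon as an archive exceeds the extraction budget."""


def safe_extract(zip_bytes, max_total=10 * 1024 * 1024,
                 max_entry=5 * 1024 * 1024, max_entries=100, chunk=64 * 1024):
    """Return {entry name: data}, aborting on the first exceeded limit.

    info.file_size is what the archive claims about itself and is attacker
    controlled, so it is deliberately not used as the gate: the limit is
    applied to bytes as they come out of the decompressor, so a bomb is
    stopped after at most max_entry / max_total bytes of work.
    """
    extracted = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            raise ZipTooLarge(f"{len(infos)} entries exceeds {max_entries}")
        for info in infos:
            if info.is_dir():
                continue
            buf = io.BytesIO()
            produced = 0
            with zf.open(info) as src:
                while True:
                    piece = src.read(chunk)
                    if not piece:
                        break
                    produced += len(piece)
                    total += len(piece)
                    if produced > max_entry or total > max_total:
                        raise ZipTooLarge(
                            f"{info.filename} inflated past budget "
                            f"(entry {produced} B, total {total} B)")
                    buf.write(piece)
            extracted[info.filename] = buf.getvalue()
    return extracted


def inflated_size_ok(zip_bytes, **limits):
    """True if the archive extracts within the given limits, False otherwise."""
    try:
        safe_extract(zip_bytes, **limits)
        return True
    except ZipTooLarge:
        return False


def build_zip(entries):
    """Build a constructed sample archive in memory (not real upload data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign archive and a small "bomb" whose 8 MiB of
# zeros deflate to a few KiB.
BENIGN_ZIP = build_zip({"report.txt": b"quarterly numbers\n"})
BOMB_ZIP = build_zip({"zeros.bin": b"\x00" * (8 * 1024 * 1024)})


if __name__ == "__main__":
    print(len(BOMB_ZIP), "compressed bytes; within budget:",
          inflated_size_ok(BOMB_ZIP))
```

The same pattern applies to any streaming decompressor (gzip, tar, Java's ZipInputStream): read in bounded chunks, add up what came out, and stop the moment the running total passes the budget rather than after the whole entry has been written to disk.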
Impact
An attacker fills the storage volume of the server, so legitimate uploads and any other service that needs disk space fail (denial of service). When uploaded archives are decompressed, a single small request can also exhaust CPU and memory during extraction.
Remediation
Use an allowlist of extensions. Only allow safe extensions that the business functionality actually needs
Ensure that input validation is applied before validating the extensions.
Validate the file type from the content itself; don't trust the Content-Type header, as it can be spoofed
Change the filename to something generated by the application
Set a filename length limit. Restrict the allowed characters if possible
Set a file size limit, enforced on the bytes actually received (and, for archives, on the decompressed size) rather than on the declared Content-Length
Only allow authorized users to upload files
Store the files on a different server. If that's not possible, store them outside of the webroot
In the case of public access to the files, use a handler that gets mapped to filenames inside the application (someid -> file.ext)
Run the file through an antivirus or a sandbox if available to validate that it doesn't contain malicious data
Ensure that any libraries used are securely configured and kept up to date
Protect the file upload from CSRF attacks
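The remediation list above, applied in one storage routine, as an added example that is not code from the original page or from OWASP. It is framework-agnostic (the request body arrives as a binary stream) and covers the extension allowlist, content-based type check, generated filename, filename length and character limits, a size limit enforced on bytes read, and the opaque id to file mapping for downloads. The allowlist, limits, function names and sample bodies are assumptions for the demo, and dest_dir is meant to be a directory outside the webroot or on a separate file server.

```python
# Added example, not code from the original page: a storage routine applying
# the remediation list. Allowlist, limits, names and sample bodies are
# assumptions; dest_dir must be outside the webroot (or a separate server).
import io
import os
import secrets
import tempfile

# Extension allowlist, each paired with the magic bytes the content must start
# with. The client's Content-Type header is never consulted.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024
MAX_NAME_LEN = 100


class UploadRejected(Exception):
    """Any validation failure; the caller turns it into a 4xx response."""


def validate_name(filename):
    """Validate the client-supplied name; return its lower-cased extension."""
    if not filename or len(filename) > MAX_NAME_LEN:
        raise UploadRejected("bad filename length")
    if os.path.basename(filename) != filename or filename.startswith("."):
        raise UploadRejected("path components or dotfiles not allowed")
    if not all(c.isascii() and (c.isalnum() or c in "._-") for c in filename):
        raise UploadRejected("disallowed characters in filename")
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not in allowlist")
    return ext


def store_upload(stream, filename, dest_dir, max_bytes=MAX_BYTES):
    """Stream the body into dest_dir under a generated name; return (id, path).
    The limit is enforced on bytes actually read, so a missing or lying
    Content-Length cannot bypass it; an oversized upload leaves nothing behind."""
    ext = validate_name(filename)
    magic = ALLOWED[ext]
    head = stream.read(len(magic))
    if head != magic:
        raise UploadRejected("content does not match the claimed type")
    file_id = secrets.token_hex(16)          # application-generated name
    path = os.path.join(dest_dir, file_id + ext)
    try:
        with open(path, "wb") as dst:
            dst.write(head)
            written = len(head)
            while True:
                piece = stream.read(64 * 1024)
                if not piece:
                    break
                written += len(piece)
                if written > max_bytes:
                    raise UploadRejected("upload exceeds size limit")
                dst.write(piece)
    except UploadRejected:
        os.remove(path)
        raise
    return file_id, path


def resolve_download(file_id, dest_dir):
    """Map an opaque id back to its file; a hex id cannot express a traversal."""
    if len(file_id) != 32 or any(c not in "0123456789abcdef" for c in file_id):
        raise UploadRejected("malformed file id")
    for ext in ALLOWED:
        path = os.path.join(dest_dir, file_id + ext)
        if os.path.isfile(path):
            return path
    raise FileNotFoundError(file_id)


def demo():
    """Run the cases a reviewer would test; returns {case: outcome}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        file_id, path = store_upload(
            io.BytesIO(ALLOWED[".png"] + b"\x00" * 100), "avatar.png", d)
        results["stored_ok"] = (os.path.getsize(path) == 108
                                and resolve_download(file_id, d) == path)
        cases = [  # constructed request bodies, all of which must be rejected
            ("bad_ext", "shell.php", b"<?php", MAX_BYTES),
            ("traversal", "../../avatar.png", ALLOWED[".png"], MAX_BYTES),
            ("spoofed_type", "notes.png", b"<?php echo 1;", MAX_BYTES),
            ("too_big", "big.png", ALLOWED[".png"] + b"\x00" * 1000, 200),
        ]
        for label, name, body, limit in cases:
            try:
                store_upload(io.BytesIO(body), name, d, max_bytes=limit)
                results[label] = "accepted"
            except UploadRejected:
                results[label] = "rejected"
        results["no_partial_files"] = len(os.listdir(d)) == 1
    return results
```

The id returned by store_upload is what the application hands to clients; the public download handler calls resolve_download with it and never receives a client-supplied path. Authorization, CSRF protection and antivirus scanning from the list above sit in the request layer around this routine, not inside it.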
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html