Developer forum


Additional check for file type consistency

Adrian Ursu (Dynamicweb Employee)

Hi guys,

We have received a request to add a validation when an admin user uploads a file. Specifically, we should not allow uploading of files that are not what their extension says they are.

Our customer is worried about accidental upload of files with image extensions which in fact are javascript or other malicious code.

I have tried on our file manager, and I could upload a javascript file with a changed extension, it does not render a preview after upload (which is obviously why) and when clicking on it I get a message saying that the file is not an image:

This means that we already have a way of detecting improper files.

Is it possible to add this validation on upload and deny uploading files that are not what they say they are?

Thank you,

Adrian


Replies

Nicolai Pedersen

Hi Adrian

No, that is not possible. Also, it is not possible to serve them as something they are not named, so it should not be a big issue.

BR Nicolai

Adrian Ursu (Dynamicweb Employee)

Hi Nicolai,

Thank you for your answer. My concern is that the admin can stupidly upload a fake file and select it in the Assets or in the Content.

I am not concerned about serving it in the front-end as in the case of this solution, we will only use the PIM part, there will be another solution responsible for displaying it.

And this is where it gets tricky because they ask us to ban/filter any content that is not valid. They have something like this on their system but we cannot use it since we have our own file system logic.

I will think of another solution then.

Thank you,

Adrian

Nicolai Pedersen

I understand.

It does not sound like a common request.

You can probably hook into a generic notification subscriber, like beginrequest, and see if the request is a POST, is in /ADMIN and is a file upload. If so, the request will have the file data in the Post.Files collection and then you can check if extension and mime type match. Where you would get that list from, I don't know... Some hints here: https://stackoverflow.com/questions/12233711/file-mime-type-checking
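
The extension-versus-content check that such a subscriber would run, as an added example that is not Dynamicweb's code nor part of the thread: it compares the leading bytes of an upload against the signature the claimed extension requires and fails closed. The request hook itself (a BeginRequest-style subscriber filtering POST uploads under the admin path) is assumed and not shown, and the allowlist below is constructed.

```python
# Added example (not Dynamicweb's code): reject an uploaded file whose leading
# bytes do not match the type its extension claims. Wiring into a request hook
# that inspects admin POST uploads is assumed and not shown here.
import os

# Constructed allowlist of magic-byte signatures per permitted extension.
SIGNATURES = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
}


def detect_type(data: bytes):
    """Return the allowlisted extension whose signature matches the header, or None."""
    for ext, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). Fails closed: unknown extensions,
    unrecognised content and mismatches are all rejected."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if not ext:
        return False, "file has no extension"
    if ext not in SIGNATURES:
        return False, f"extension .{ext} is not on the allowlist"
    detected = detect_type(data)
    if detected is None:
        return False, f"content does not match any known signature (claimed .{ext})"
    # jpg and jpeg share a signature, so compare signature lists rather than names.
    if SIGNATURES[detected] != SIGNATURES[ext]:
        return False, f"content looks like .{detected} but extension is .{ext}"
    return True, "ok"


# Constructed samples: a minimal PNG header, and script text renamed to .png
# (the case described in this thread).
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
FAKE_PNG_JS = b"console.log('not an image');"

if __name__ == "__main__":
    print(validate_upload("logo.png", REAL_PNG))      # (True, 'ok')
    print(validate_upload("logo.png", FAKE_PNG_JS))   # rejected: no known signature
```

A signature check only catches files whose header disagrees with the extension; a file that starts with a valid image header and carries other content after it still passes, so this complements rather than replaces serving uploads with a fixed Content-Type and no execution.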

Adrian Ursu (Dynamicweb Employee)

Hi Nicolai,

I agree it's not a common request. It can help to have this double-check but it's also something you can live without.

These guys have a very large B2C webshop and they have been targeted with various hacks, that's why they are extra-extra-cautious with anything entering their ecosystem.

Thank you for the suggestion. I will look into this approach.

Adrian