Security concern: Persistent XSS by uploading html files

[Faberle]

If an attacker uploads an html file and then uses the direkt link he is able to perform a XSS attack under the origin of the file server.

Proof of concept:
https://files.veliov.com/cdn/storage/uploadedFiles/rpyqF6xJigQPu5PmR/original/rpyqF6xJigQPu5PmR.html

I think we should at least make developer aware of the thread.
Or is there anything else we can really do apart from forbidding it by default to upload certain filetypes?

[dr-dimitru]

Hello @Faberle ,

I think developer always should be aware of what they are letting to upload to the server. In this lib is various methods to check file before upload on client and after on server.

Could you duplicate source of HTML file in this thread?

[Faberle]

I agree but nevertheless I think we should consider adding something to highlight the risks of allowing end users to upload files that could be abused.

The source of the HTML was simply a PoC:

<html>
  <script>
      alert("XSS");
   </script>
</html>

[dr-dimitru]

@Faberle agree. Tested. Proven.

Actually there is build-in (but not forced) security method which forces browser not to execute requested file, use ?download=true get query, example: https://files.veliov.com/cdn/storage/uploadedFiles/MT27pAAgHPtATdhtY/original/MT27pAAgHPtATdhtY.html?download=true

I guess we can add flag disallowExecution (maybe you have a better name for it), so all requests will be forced be an attachment, what do you think?

[Faberle]

So if I would click the link foo.bar/cdn/storage/badFild.html it would redirect you to foo.bar/cdn/storage/badFild.html?download=true, right?

If that always prevents an execution it should be sufficient.

[dr-dimitru]

I thought in other way, it will be always an attachment with disallowExecution careless for other options, unless ?play=true when it forced to be displayed.

But it feels difficult to satisfy everyone needs on this one.

[Faberle]

We only really ever need to disallowExecution if it is a format that is interpreted by the browser, right?
So I think it shouldn't cause too much inconvenience to just blacklist some fileTypes (e.g. html) and always add the flag for them, but leave everything else as it is right now.

Is there really a usecase where you want to allow the upload of html files and then run them?

[dr-dimitru]

Is there really a usecase where you want to allow the upload of html files and then run them?

Hosting Interface?

It can be easily done via interceptDownload hook. Maybe it's better to provide a doc with security considerations? Like a security cheat-sheet?

[Faberle]

Hosting Interface?
There you hopefully have security concious developers that can deactivate the percautions.

But I agree a small paragraph about security wouldn't hurt :) I will try to draft one up

[Faberle]

Securtity

Always check the filetype that is uploaded. If you allow the upload of executable files (e.g. html) you are putting your service at risk for XSS attacks. Since the attacker can use them to trick people into executing arbitrary code under your domain, bypassing the Same Origin policies of the browser. For more information refer to #289

However I have no idea where to put it :D

[s-ol]

another option might be to (allow to) blacklist a subset of MIME types (specifically text/html, and probably some others like application/x-shockwave-flash). There could be a sane default setting with a simple way of disabling it entirely (and a big reference on the wiki) or specifying custom filters.

[Faberle]

I would actually prefer that option and force the developer to explicitly turn this protection of if it's needed. So they don't do it on accident.
But I don't know this library well enough to code it :D

[dr-dimitru]

But I don't know this library well enough to code it :D

Well, it acts as middleware (unless it's public, when files served by proxy), I guess security hook can be added, speaking generally it will be as same as interceptDownload, where you can work directly with response stream.

[dr-dimitru]

Related to #313