Unlimited File Upload

Category: Security Misconfiguration

Severity: Medium

Description

The application should enforce a maximum size on every upload so that an attacker cannot exhaust the storage capacity of the upload service. If uploaded archives are extracted or otherwise processed, the limit must apply to the decompressed output, not only to the archive as received: a small zip can expand to many gigabytes, and the sizes declared in the archive headers are attacker-controlled, so the safe approach is to count bytes as they are actually decompressed and abort as soon as the limit is crossed. For Java, see how to safely extract files from ZipInputStream, Java's input stream for ZIP files.

The application should likewise apply request limits (rate and concurrency) to any download service it exposes, so that it cannot be used to exhaust server bandwidth or resources in a DoS attack.
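As an added example (not code from the original page), the two size checks described above in Python: a bounded read that caps the bytes actually received regardless of what Content-Length claims, and a zip extraction that caps the decompressed output by counting bytes as they come out of the decompressor rather than trusting the sizes in the archive headers. The limits, the entry-name check and the build_archive helper (which only constructs sample archives for the demo) are assumptions for this example; the stdlib zipfile module is used in place of Java's ZipInputStream.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import BinaryIO

# Hypothetical limits for this example; tune to the application's needs.
MAX_UPLOAD_BYTES = 1_000_000      # cap on bytes received per upload
MAX_EXTRACTED_BYTES = 2_000_000   # cap on total decompressed output per archive
MAX_ENTRIES = 50                  # many tiny entries is also a resource-exhaustion vector
CHUNK = 64 * 1024


class UploadTooLarge(Exception):
    """Raised as soon as a limit is exceeded, before more data is buffered."""


def read_bounded(stream: BinaryIO, limit: int = MAX_UPLOAD_BYTES) -> bytes:
    """Read an upload body while enforcing `limit` on bytes actually received.

    Content-Length is client-controlled, so the check is on what arrives and
    the read is aborted the moment the limit is crossed.
    """
    buf = bytearray()
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            return bytes(buf)
        if len(buf) + len(chunk) > limit:
            raise UploadTooLarge(f"upload exceeds {limit} bytes")
        buf.extend(chunk)


def _safe_entry_name(name: str) -> str:
    """Reject absolute paths and traversal: archive entry names are attacker-controlled."""
    if "\\" in name or name.startswith("/") or ".." in PurePosixPath(name).parts:
        raise ValueError(f"unsafe archive entry name: {name!r}")
    return name


def extract_bounded(archive: bytes,
                    total_limit: int = MAX_EXTRACTED_BYTES,
                    max_entries: int = MAX_ENTRIES) -> dict:
    """Decompress a zip archive while counting the bytes actually produced.

    ZipInfo.file_size comes from the (attacker-controlled) header, so the
    limit is enforced on real decompressed output, chunk by chunk, and
    extraction stops at the first byte past the limit.
    """
    produced = 0
    files = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            raise UploadTooLarge(f"archive has {len(infos)} entries, max {max_entries}")
        for info in infos:
            if info.is_dir():
                continue
            name = _safe_entry_name(info.filename)
            parts = []
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > total_limit:
                        raise UploadTooLarge(f"decompressed output exceeds {total_limit} bytes")
                    parts.append(chunk)
            files[name] = b"".join(parts)
    return files


def build_archive(entries: dict) -> bytes:
    """Constructed sample data for the demo: build an in-memory zip from name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # A few KB on the wire that would expand to 3 MB: passes the upload cap,
    # is rejected by the decompressed-output cap.
    bomb = build_archive({"zeros.bin": b"\0" * 3_000_000})
    print(f"archive is {len(bomb)} bytes on the wire")
    try:
        extract_bounded(bomb)
    except UploadTooLarge as e:
        print("rejected:", e)
```

The point of counting output rather than checking header sizes is that the same loop works for any decompressor (gzip, tar, nested archives) and fails closed even when a library trusts the declared size; the entry count cap guards the separate case of an archive with thousands of near-empty files.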

Impact

  • Fill the storage volume of the server, causing a denial of service for the upload feature and for anything else that shares that volume

Remediation

  • Use an allowlist of extensions. Only allow the extensions the business functionality actually needs, and never ones the server could execute

  • Apply input validation to the filename (strip path components, null bytes and unexpected characters) before checking the extension, so that tricks such as null bytes or double extensions cannot bypass the check

  • Validate the file type from its content (e.g. magic bytes); don't trust the Content-Type header or the extension alone, as both are client-controlled and can be spoofed

  • Rename the file to a name generated by the application (e.g. a random ID)

  • Set a filename length limit. Restrict the allowed characters if possible

  • Set a file size limit, enforced on the bytes actually received and, for archives, on the decompressed output

  • Only allow authorized users to upload files

  • Store the files on a separate server or storage service. If that's not possible, store them outside of the webroot so they can never be served or executed directly

  • If the files must be publicly accessible, serve them through a handler that maps an application-generated ID to the stored file (someid -> file.ext) instead of exposing paths or original filenames

  • Run the file through an antivirus or a sandbox if available to validate that it doesn't contain malicious data

  • Ensure that any libraries used for upload handling and file processing are securely configured and kept up to date

  • Protect the file upload from CSRF attacks

https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
