-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add hints about file content validation. #1452
base: master
Are you sure you want to change the base?
Conversation
malicious-document.pdf: PDF document, version 1.4 | ||
``` | ||
|
||
Therefore, it is recommended like mentioned above for images, to apply document rewriting techniques to destroys any kind of malicious content embedded. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why the output of 'file' in this case shows what it does makes perfect sense, but this is really only a problem if your OS (or perhaps your PDF viewer) is going to attempt to execute the 'malicious-file.exe' part, which seems a stretch even for Windows OS. I have seen malicious content injected into PDFs via JavaScript links and leveraging bugs in common PDF viewers such as Adobe Acrobat Reader, but it was never anything as simple as this.
So, so you have a documented case where something was exploited using this simple approach? If so, I'd like a reference to it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is critical that untrusted uploaded files staged in public directories are assigned file permissions of read only at the OS level. That is my only execution concern overall.
Here is an example of a GIF that runs as a jar. Old school: https://hackaday.com/2008/08/04/the-gifar-image-vulnerability/#:~:text=The%20attack%20is%20simply%20a,picture%20and%20trusting%20the%20content. |
Fair enough, but 1) that's one reason why no one ever allows applets anymore, and 2) based on the description of
(Emphasis mine.) There comes a point where we can try to be defensive and to do due diligence to provide a safe harbor (like ESAPI does against XSS attacks because of buggy browsers) or we say "screw it; performance is more important" (e.g., the approach that the OWASP Java Encoder takes). Neither approach is really wrong, but being cautious does have performance hits, In that sense, I would argue that if you haven't done a threat model to justify that this is reasonable for your particular application, you probably shouldn't be trying to defend against it. Lastly, that said, if we are going to put in verbiage that people need to be cautious and rewrite whatever file type they get, then we definitely ought to add something t address the ever looming danger of Windows NTFS Alternate Data Streams. I remember experimenting with that in the early 2000s where I created a simple .txt file that would open calc.exe as the alternate data stream. That seems to be a broader danger than what is mentioned here because it's by design and AFAIK, still present in NTFS. (I'm not sure; I have used Windows since the Windows 7 days.) But we don't even mention NTFS Alternate Data Steams at all in the current File Upload CS. |
I still think this is a very good addition. These types of attacks have high impact when they work. |
@jmanico - The general idea is good, but I think the example is unrealistic / too simplistic. If the example was converted to using Windows NTFS alternative data streams (which, IIRC, was almost that simple to exploit), I'd be in favor of keeping it, but I'm just convinced that it will work otherwise, unless there's a bug in the PDF view that's being used. |
Can we come up with a better explanation then? This is an important control. Here is some light AI reading on the topic. Why Validate File Contents? Malicious File Uploads: File Type Mismatch: Resource Exhaustion: Data Exfiltration and Information Disclosure: Cross-Site Scripting (XSS): Exploitation Techniques Directory Traversal: Content-Type Mismatch and Bypass: Phishing: |
@jmanico - I agree that we need something. My primary objection was to the specific example(s) that were proposed. It's just not that simple (well, except when it involves NTFS alternate data streams). I just re-checked our File Upload CS and there is zero mentioned about the fact that SVG images really an XML document and JavaScript can be embedded in it, allowing things like avatars as SVG images could be a source of persistent XSS. So, yes, we definitely have a few gaps here. OTOH, one of the things that makes this so difficult is that you almost have to do it on a per file type basis. The techniques that are recommended for (say) image types like PNG or JPG won't necessarily work for images. And given that and how extensive your AI generated list of concerns is, we'd probably double or triple the length of the current OWASP File Uploads Cheat Sheet (which is at about 6 printed pages as of the time of this comment). Thus, I think we need to:
|
@jmanico and @righettod comments from @kwwall are valid in my opinion but it would be also a wast if we do not commit anything. Do you want to try to add more details to make it rock solid? We can also add a comment when this code will be fine and when reader need to add more protections. |
I agree, and suggest we just come up with a more modern example. Fair enough Kevin and others. |
Hello,
💬This PR enrich the hints on validation against a file content regarding a malicious file added to the end of the source file. In addition, I removed the section about my repo because it is not relevant anymore.
📖My sources are based on my tests documented here.
✅My contribution respect the rules specified in the PR template:
[TEXT](URL)
😉Thanks in advance.