Open benfoley opened 4 years ago
Depending on the threat model you will want to be very careful with user uploaded files. At a minimum you will want to make sure that you have a whitelist for file types then check the contents of the file types to make sure they are actually the types of files that they are claiming to be and to upload them into a completely different path from where the code is executing from. Set permissions accordingly.
Also make sure that you don't allow path traversal attacks.
When Elpis is running locally this isn't such a big concern, but if we want to run as a server we should so some (at least basic) file validation in
wrappers/objects/dataset.py
add_fp()