Open to-sta opened 9 months ago
Information that I found on this during Code Brunch 🍞☕:
identify --warnings
from https://imagemagick.org/index.php
The following is also a useful chatbot output on the question "What are some steps that should be taken in a Django app to make sure that image uploads are not malicious?":
1. Use Django's Form Handling with FileField or ImageField: Django's forms provide built-in validation for file uploads. Use FileField or ImageField in your Django model forms to handle file uploads securely.
2. Implement Client-Side Validation: Utilize client-side validation using JavaScript to ensure that only certain file types are allowed to be uploaded. You can also check the file extension and file size before submitting the form to the server.
3. Server-Side Validation: Even though client-side validation is important, it can be bypassed. Therefore, always perform server-side validation as well. Django provides validators for file uploads. For example, you can use validate_image_file_extension to validate that the uploaded file is an image and not a disguised malicious file.
4. Use a Secure File Storage Backend: Django provides different file storage backends. Use a secure file storage backend like FileSystemStorage or Amazon S3 with proper access controls and permissions.
5. Implement Image Processing Libraries with Caution: If your application requires image processing, use trusted libraries like Pillow. Be cautious when accepting user input for image processing operations to prevent security vulnerabilities like Remote Code Execution (RCE).
6. Scan Uploaded Files: Consider integrating antivirus or file scanning services to scan uploaded files for malware or malicious content.
7. Limit File Upload Size: Configure Django settings to limit the size of uploaded files to prevent denial of service attacks and disk space exhaustion.
8. Implement Content Security Policy (CSP): Utilize CSP headers to control from where your application can load resources, including images. This can help mitigate the risk of loading malicious content from untrusted sources.
9. Regularly Update Dependencies: Keep your Django application and its dependencies up to date to patch security vulnerabilities and ensure that you are using the latest security features.
10. User Authentication and Authorization: Ensure that only authenticated and authorized users are allowed to upload files to your Django application. Implement proper user authentication and authorization mechanisms.
Interesting 🤔
Along with the above, on the frontend side of things it looks like there's a well regarded security module for Nuxt that we should look at - Nuxt Security :)
Via discussions in the dev sync, some further restrictions for images that should be checked on both the frontend and backend would be:
What are we changing the filename to when it's sanitized?
Comment from Code Brunch 🍞☕ on this:
image.EXTENSION
from the start would be ok as once it's in the process of being put into the DB, we don't really need the filename
bill_and_cathy_vs_police_at_the_climate_protest.png
...CC @wkyoshida and @bozmen
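As an added example (not code from this issue or the project), here is a server-side check that combines the points raised in the thread: the uploaded bytes are sniffed for a real image signature instead of trusting the extension, the extension must agree with the detected format, a size cap is enforced, and the user-supplied filename is replaced with a neutral image.EXTENSION name. It uses only the standard library; the signature table, the 5 MiB cap and the random suffix on the filename are assumptions for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed cap for the example; tune per deployment

# Constructed table of magic bytes for the formats this example accepts.
_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
_EXT_ALIASES = {"jpeg": "jpg"}  # normalise equivalent extensions


class UploadRejected(ValueError):
    """Raised when an upload fails a check; the message is safe to show to users."""


@dataclass(frozen=True)
class CheckedUpload:
    safe_name: str  # neutral name to store, never the user's original
    fmt: str        # detected format (canonical extension)
    size: int       # byte length of the upload


def sniff_format(data: bytes) -> Optional[str]:
    """Return the canonical extension of the detected image format, or None."""
    for ext, magics in _SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def check_image_upload(original_name: str, data: bytes) -> CheckedUpload:
    """Validate an upload's size and content, then assign a sanitized filename."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # The extension is user-controlled metadata: use it only to cross-check content.
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    ext = _EXT_ALIASES.get(ext, ext)
    fmt = sniff_format(data)
    if fmt is None:
        raise UploadRejected("not a supported image")
    if ext != fmt:
        raise UploadRejected("extension does not match image content")
    # Drop the original name entirely (assumed: a random token avoids collisions).
    safe_name = f"image_{secrets.token_hex(8)}.{fmt}"
    return CheckedUpload(safe_name=safe_name, fmt=fmt, size=len(data))
```

In a Django view this would run before the file is handed to storage; a deeper structural check (for example Pillow's Image.verify()) can be layered on top of the signature test.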
Terms
Description
Let's discuss how we can protect against malicious user-uploaded images/files?
We should consider protection mechanisms at all levels of our tech stack:
Here is a note from the Django documentation on that: Django