civiform / civiform

CiviForm simplifies the application process for government benefits programs by re-using applicant data for multiple benefits applications. It's being developed by Google.org and Exygy, in collaboration with the City of Seattle and community contributors.
https://civiform.us
Apache License 2.0

Client-Side File Upload Validation Bypass #6982

Open dkatzz opened 1 month ago

dkatzz commented 1 month ago

Describe the bug

The program's image upload functionality relies on client-side file type checks, which can be bypassed. This allows an attacker to upload potentially harmful files disguised with permitted extensions.

Recommendations

dkatzz commented 1 month ago

@caitlinshk I remember chatting about something similar and it being difficult to validate anything on the server side because we send the file straight to AWS and their error messaging isn't great, right?

caitlinshk commented 1 month ago

It is actually possible to have AWS validate the file type, we just need to set it up - see https://github.com/civiform/civiform/issues/6301.

It's true that if a user bypasses the client-side type check and uploads a disallowed filetype, then they'll see an ugly AWS error and not be redirected back to CiviForm. But, that seems fine since the people doing that would likely be malicious attackers.
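
The two server-side layers this thread refers to, as an added illustration that is not CiviForm's code and not taken from the linked issues: an S3 POST policy that makes AWS reject uploads whose declared `Content-Type` or size fall outside what was authorised, and a magic-byte check for after the object is received, since the policy only inspects the declared header, never the bytes. The bucket name, key prefix, size limit and the accepted image types are constructed assumptions; `policy_allows` is a simplified model of the condition matching S3 performs, written here only so the behaviour can be exercised offline.

```python
import base64
import json

# Magic bytes of the image types the server is assumed to accept (constructed table).
# The extension and the client's declared Content-Type are never trusted on their own.
IMAGE_SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}


def build_upload_policy(bucket: str, key_prefix: str, expiration: str, max_bytes: int) -> dict:
    """Policy document for a browser-based S3 POST upload.

    S3 rejects (with its own error page) any request whose form fields do not satisfy
    every condition, so a client that skipped the JavaScript check still cannot post
    a non-image Content-Type or an oversized body through this policy.
    """
    return {
        "expiration": expiration,
        "conditions": [
            {"bucket": bucket},
            ["starts-with", "$key", key_prefix],
            ["starts-with", "$Content-Type", "image/"],
            ["content-length-range", 0, max_bytes],
        ],
    }


def encode_policy(policy: dict) -> str:
    """Base64 of the JSON policy: the value of the 'policy' form field that gets signed."""
    return base64.b64encode(json.dumps(policy).encode()).decode()


def policy_allows(policy: dict, fields: dict, content_length: int) -> bool:
    """Simplified model of S3's condition matching (assumption: only the three
    condition forms used above; the bucket is passed as a pseudo-field)."""
    for cond in policy["conditions"]:
        if isinstance(cond, dict):  # exact match, e.g. {"bucket": "..."}
            (name, expected), = cond.items()
            if fields.get(name) != expected:
                return False
        elif cond[0] == "starts-with":  # ["starts-with", "$field", "prefix"]
            field = cond[1].lstrip("$")
            if not str(fields.get(field, "")).startswith(cond[2]):
                return False
        elif cond[0] == "content-length-range":
            if not cond[1] <= content_length <= cond[2]:
                return False
    return True


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None if not a known image."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(declared_type: str, data: bytes, max_bytes: int = 5 * 1024 * 1024):
    """Post-upload check: the content must be a supported image and must agree
    with the declared type. Returns (ok, detail)."""
    if len(data) > max_bytes:
        return False, "body exceeds size limit"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content is not a supported image type"
    if declared_type != actual:
        return False, f"declared {declared_type} but content is {actual}"
    return True, actual


if __name__ == "__main__":
    policy = build_upload_policy("example-uploads", "applicant/", "2030-01-01T00:00:00.000Z", 5 * 1024 * 1024)
    print(encode_policy(policy)[:40] + "...")
    # Constructed sample: an HTML document uploaded under an image name and type.
    print(validate_upload("image/png", b"<html><script>alert(1)</script></html>"))
```

The policy alone gives the behaviour caitlinshk describes: a request that does not meet the conditions fails at S3 rather than being redirected back to the application. Because the `Content-Type` condition checks the declared header, the magic-byte check in `validate_upload` is the complementary step for the stored object before it is served back to anyone.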

gwendolyngoetz commented 1 month ago

Also related to https://github.com/civiform/civiform/issues/5218