search

microsoft / botbuilder-dotnet

Welcome to the Bot Framework SDK for .NET repository, which is the home for the libraries and packages that enable developers to build sophisticated bot applications using .NET.
https://github.com/Microsoft/botframework
MIT License
872 stars 480 forks source link

Security and Privacy: Location of where the AttachmentInput.cs uploads file to #6568

Closed dawwa closed 3 months ago

dawwa commented 1 year ago

Hi team, this is regarding to this action in Composer. https://github.com/microsoft/botbuilder-dotnet/blob/main/libraries/Microsoft.Bot.Builder.Dialogs.Adaptive/Input/AttachmentInput.cs

We observed that the attachment is always uploaded to a remote location that not owned by us, from checking the returned content url, which is something like

"contentUrl": "https://webchat.botframework.com/attachments/[CrlLiBoBCjTFPwD9Z1hzoU-us/0000004/0/2020-11-0519-19-07.mp4?t=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx(https://webchat.botframework.com/attachments/CrlLiBoBCjTFPwD9Z1hzoU-us/0000004/0/2020-11-0519-19-07.mp4?t=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx)

But I could not find where to specify a custom storage since we don't expect to upload files to somewhere not owned by us for security and privacy reasons.

Would you please help to understand how the current code works and where the files are actually uploaded? Any way we could specify a custom storage for it?

Thanks!

gandiddi commented 3 months ago

This is a duplicate of https://github.com/microsoft/BotFramework-Services/issues/350, raised by the same customer. Case 350 was closed with the comment: 'The attachment is stored in our internal blob storage and the TTL is 24 hours. We don't have a mechanism to use custom storage for this scenario. The customer confirmed that this meets their security requirements.'