nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Use file to detect actual mimetype #517

Closed mhf-ir closed 11 months ago

mhf-ir commented 4 years ago

How about using file to detect the actual mime type of a file? https://github.com/file/file Naxsi blocks by extension, but what if we upload a binary exe file with a .png extension?

wargio commented 4 years ago

Yes, I definitely agree with you and it would be cool to do this, but keep in mind that this would kill perfs.

mhf-ir commented 4 years ago

Yes, you're right, but in some cases it is needed even if performance is affected. Naxsi is awesome during our testing, but for file uploading it needs some features. Even integration with anti-malware. In some cases this is one of the requirements of web layer protection.

wargio commented 4 years ago

If your framework is written in PHP, I suggest trying https://github.com/jvoisin/snuffleupagus

mhf-ir commented 4 years ago

No, I use nginx in front of other nginx and node.js/golang and maybe PHP applications. I think a general solution is the point for Naxsi as a WAF.

if request type is multipart/form-data
  => iterate files
     => get libmagic
        => check with naxsi rules
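The flow sketched above (iterate the parts of a multipart/form-data body, sniff each file's real type, compare it with what the extension claims), as an added example that is not Naxsi's code or anything the commenters posted. It uses a small constructed signature table in place of libmagic, and a constructed request body containing a genuine PNG header and a PE executable renamed to .png.

```python
import re

# Stand-in for libmagic: leading-byte signatures -> MIME type (constructed, not libmagic).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-dosexec"),
]
# What each allowed upload extension is expected to contain.
EXT_MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
            "gif": "image/gif", "pdf": "application/pdf"}

def sniff_mime(data: bytes) -> str:
    """Return the MIME type implied by the file's leading bytes, not its name."""
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    return "application/octet-stream"

def iter_files(body: bytes, boundary: str):
    """Yield (filename, content) for every file part of a multipart/form-data body."""
    delim = b"--" + boundary.encode()
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):          # closing delimiter: no more parts
            break
        head, _, content = part.partition(b"\r\n\r\n")
        m = re.search(rb'filename="([^"]*)"', head)
        if m:                               # only parts that carry a file
            if content.endswith(b"\r\n"):   # drop the CRLF that precedes the next delimiter
                content = content[:-2]
            yield m.group(1).decode(), content

def check_upload(body: bytes, boundary: str):
    """Return (filename, claimed_mime, actual_mime) for parts whose bytes contradict the extension."""
    findings = []
    for name, content in iter_files(body, boundary):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        claimed = EXT_MIME.get(ext, "application/octet-stream")
        actual = sniff_mime(content)
        if actual != claimed:
            findings.append((name, claimed, actual))
    return findings

# Constructed sample body: "logo.png" is a real PNG header, "cat.png" is a PE executable.
BOUNDARY = "----naxsiExample"
SAMPLE_BODY = (
    b'------naxsiExample\r\nContent-Disposition: form-data; name="f1"; filename="logo.png"\r\n'
    b"Content-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\r\n"
    b'------naxsiExample\r\nContent-Disposition: form-data; name="f2"; filename="cat.png"\r\n'
    b"Content-Type: image/png\r\n\r\nMZ\x90\x00\x03\x00\x00\x00PE\x00\x00\r\n"
    b"------naxsiExample--\r\n"
)
```

Running `check_upload(SAMPLE_BODY, BOUNDARY)` flags only cat.png, whose extension says image/png while its bytes say application/x-dosexec; a rule engine would then block or log that part.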