File upload security
Many different web applications let users upload files remotely.
For example: WordPress lets you upload themes and plugins, Google lets you upload files on Google Drive, online apps like Canva let you upload your saved projects, and so on.
Chances are you will handle file uploads for your clients, too.
In this chapter you will learn how to do it securely.
File upload and validation
Remember the first chapter about variable validation?
You learned how variables set from untrusted sources must always be validated before you can use them.
The same principle applies to uploaded files too.
In fact, a file sent to your web application is just as untrusted as any request string value, because you have no control over the data your back-end will receive.
Therefore, the first step for a secure file upload process is, once again, variable validation.
This time, the variables you need to validate are:
- the file name
- the file size
- the file content
On top of that, there are a few more security practices to follow.
Let's start with file name validation.
- Many web applications let users upload files remotely.
- Uploaded files cannot be trusted: you must validate them.
- The specific variables to validate are the file name, the file size and the file content.