Preventing users from uploading malicious files

Question

My question is this - When using Azure Storage, is this handled for me or do I have to make sure the user doesnt upload something that could compromise the server?

What should I be protecting myself against when dealing with files and Azure Storage?

Answer 1

A possible solution, expecting that you want this functionality as a part of an application : You can make Web API app (or MVC app) in the Azure Cloud. This way you will have :

• Control over the files and extensions which your users can upload. Described here.
• Ability to scan for viruses the files that your users upload. Described here.
• Control of the upload process. Also you can redirect from stream. Described here. Look at "saving file as stream". This way tour WEB API application will act as a security relay.
• The benefit of the connection between the app and the blob - it will be very fast if they are in the same region. They will be most likely located very close to each other.

Answer 2

To my knowledge Azure Blob Storage does not have a built in way to prevent unwanted files from being uploaded if they are not prevented through user code. With Blob Storage a primary access key is required in order to upload files so the only way to get a file into storage will be through your exposed API [Website/App]. You will need to do file type validation there before allowing the user in. With this you can create SharedAccessSignatures that are valid for a set amount of time that will allow entrance into your storage account for file loading from an app or file loading through the web with CORS

Answer 3

As also mentioned in jigear's answer, account key or a Shared Access Signature with write access is needed to upload a new blob. Whether this blob contains a php file or not is not known by Azure Storage, since Azure Storage Service does not look at blob contents. How these blobs are used by your website is controlled fully by your website.