4

I have an application where users can upload a file for us to perform some actions. The only expected filetype is JSON, and initially we restricted the uploads to be of type application/json.

However, we have one user who, when they try to upload JSON files gets errors. We can update the application to allow files of type application/octet-stream and get things working, but this seems semantically.

I don't know much about application/octet-stream. In my searches I haven't learned much more. It seems that some browsers may convert files to this type when they don't know what to do with it; sometimes this error can be thrown when a file extension is not present (we have tested it with and without and still get the same issue); and it seems like this type allows files of type .exe and whatever else to be uploaded.

Are there security risks if we allow users to upload files of type application/octet-stream? Why or why not?

Ben Parizek
  • 268
  • 3
  • 16

1 Answers1

3

After posting my question, it got me searching about my question from a different angle. I think my question is answered in this thread:

What security issues appear when users can upload their own files?

Bob Aman writes:

If you allow users to upload scripts and executables, you should make sure that anything uploaded via that form is never served back as anything other than application/octet-stream. Don't try to mix the Content-Type when you're dealing with potentially dangerous uploads. If you're going to tell users they have to worry about their own security (that's effectively what you do when you accept scripts or executables), then everything should be served as application/octet-stream so that the browser doesn't attempt to render it. You should also probably set the Content-Disposition header. It's probably also wise to involve a virus scanner in the pipeline if you want to deal with executables. ClamAV is scriptable and open source, for example.

Community
  • 1
  • 1
Ben Parizek
  • 268
  • 3
  • 16