make ASP.Net file upload secure

Question

I'm creating an ASP.Net form with a fileupload control which will then email the details of the form and the file to another admin. I want to ensure this secure (for the server and the recipient). The attachment should be a CV so I will restrict it to typical text documents.

From what I can tell the best bet is to check that the file extension or MIME Type is of that kind and check it against the "magic numbers" to verify that the extension hasn't been changed. I'm not too concerned about how to go about doing that but want to know if that really is enough.

I'd also be happy to use a third party product that takes care of this and I've looked at a couple:

blueimp jQuery file upload http://blueimp.github.io/jQuery-File-Upload/

and cutesoft ajaxuploader http://ajaxuploader.com/Demo/

But blueimp one still seems to require custom server validation (i guess just being jQuery it just handles client-side validation) and the .net one checks the MIME-type matches the extension but I thought the MIME type followed the extension anyway.

So,

Do I need to worry about server security when the file is added as an attachment but not saved? Is there a plugin or control that takes care of this well? If I need to implement something for server validation myself is matching the MIME-type to the "magic numbers" good enough?

I'm sure nothing is 100% bulletproof but file upload is pretty common stuff and I assume most implementations are "safe enough" - but how!?

If it's relevant, here is my basic code so far

<p>Please attach your CV here</p>
<asp:FileUpload ID="fileUploader" runat="server" />

and on submit

MailMessage message = new MailMessage();
if (fileUploader.HasFile)
{
    try
    {
        if (fileUploader.PostedFile.ContentType == "text")
        {
            // check magic numbers indicate same content type... if(){}

            if (fileUploader.PostedFile.ContentLength < 102400)
            {
                string fileName = System.IO.Path.GetFileName(fileUploader.PostedFile.FileName);
                message.Attachments.Add(new Attachment(fileUploader.PostedFile.InputStream, fileName));
            }
            else
            {
                // show a message saying the file is too large
            }
        }
        else
        { 
           // show a message saying the file is not a text based document
        }
    }
    catch (Exception ex)
    {
        // display ex.Message;
    }
}

Answer 1

A server can never be 100% secure, but we should do our best to minimize the risk on an incident. I should say at this point that I am not an expert, I am just a computer science student. So, here is an approach that I would follow in such a case. Please, comment any additional tip you can give.

---

Generally speaking, to have a secure form, all client inputs must be checked and validated. Any information that does not origin from our system is not trusted.

Inputs from the client in our case:

• file's name
  • name
  • extension
• file's content

Extension

We don't really care about the minetype, this is info for a web server. We care about the file extension, because this is the indicator for the OS on how to run/read/open a file. We have to support only specific file extensions (what ever your admin's pc can handle) there is no point supporting unknown file types.

Name (without the extension)

The name of the file is not always a valuable info. When I deal with file uploading I usually rename it (set it) to an id (a username, a time-stamp, hashes etc). If the name is important, always check/trim it, if you only expect letters or numbers delete all other chars (I avoid to leave "/", "\", "." because they can be used to inject paths).

So now we suppose that the generated file name is safe.

Content

When you support no structured files, you just can not validate the file's content. Thus, let an expert program do this for you... scan them with an antivirus. Call the antivirus from the console (carefully, use mechanics that avoid injections). Many antivirus can scan zips contents too (a malicious file, in a folder on your server is not a good idea). Always keep the scan program updated.

---

On the comments I suggested zipping the file, in order to avoid any automatic execution on the admin's machine and on the sever. The admin's machine's antivirus can then handle it before unzip.

Some more tips, don't give more information's to the client than he needs... don't let the client know where the files are saved, don't let the web-server access them for distribution if there no need to. Keep a log with weird actions (slashes in filenames, too big files, too long names, warning extensions like "sh" "exe" "bat") and report the admins with an email if anything weird happen (it is good to know if your protections work).

All these creates server work load (more system holes), so you may should count the number of files that are scanned/checked at the moment before accepting a new file upload request (that is where I would launch a DDoS attack).

With a quick google search Avast! For Linux - Command Line Guide, I do not promote Avast, I am just showing it as an existing example.

Lastly but not least, you are not paranoid, I manage a custom translation system that I coded... spams and hack attacks have occurred more than once.

---

Some more thoughts, JavaScript running on a web-page is only secure for the client's computer (thanks to the browser's security). We can use it to prevent invalid posts to the server but this does not ensures that such requests will not be done as JavaScript can be bypassed/edited.

So, all JavaScript solutions are only for a first validation (usually just to help the user correct mistakes) and to correctly set the form data.