Security: How to genuinely not allow HTML?
How do you guys do it?
I can create a `FileRouter` and not include `blob` or `text` as file types. And now when I use the `UploadDropzone` or `UploadButton` component, I cannot select files with the file extension `.html`. Partial success!
I can still upload HTML files though, as long as I disguise them as PDFs or something else that I allow. This file is fine, according to UploadThing:
So my question is what do you guys do?
Do you read and sanitize files? That's a lot of computation.
Maybe you can use something like the Unix file command?
Looking for ideas here 🙂
Best regards,
Asger
2 Replies
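The "Unix file command" idea from the post, as an added server-side example (not UploadThing's code or API): it checks the leading bytes of an upload against the signature its extension claims, and names HTML-looking content separately so it can be logged. The `classifyUpload` helper and the sample buffers are constructed for this illustration.

```javascript
// Added example: verify that an upload's content matches its claimed type.
// Not part of UploadThing; assumes the server can read the file's first bytes.

// Leading-byte signatures for the types the router is meant to allow.
const MAGIC = {
  pdf:  [[0x25, 0x50, 0x44, 0x46]],                           // "%PDF"
  png:  [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],   // PNG header
  jpeg: [[0xff, 0xd8, 0xff]],                                 // JPEG SOI
  gif:  [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61],                // "GIF87a"
         [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],               // "GIF89a"
};
// Extension -> signature family. SVG is deliberately absent: it is XML that
// browsers render, so it needs the same caution as HTML.
const EXT_TO_KIND = { pdf: "pdf", png: "png", jpg: "jpeg", jpeg: "jpeg", gif: "gif" };

function startsWith(bytes, sig) {
  if (bytes.length < sig.length) return false;
  for (let i = 0; i < sig.length; i++) if (bytes[i] !== sig[i]) return false;
  return true;
}

// True when the first bytes read like markup a browser would render as a page.
function looksLikeHtml(bytes) {
  const head = new TextDecoder("utf-8").decode(bytes.subarray(0, 1024))
    .replace(/^\uFEFF/, "").trimStart().toLowerCase();
  return /^<(!doctype\s+html|html|head|body|script|iframe|svg)\b/.test(head);
}

// Decide from content, not from the filename, whether the upload is acceptable.
function classifyUpload(filename, bytes) {
  const ext = (filename.split(".").pop() || "").toLowerCase();
  const expected = EXT_TO_KIND[ext];
  if (!expected) return { ok: false, reason: `extension .${ext} not allowed` };
  if (!MAGIC[expected].some((sig) => startsWith(bytes, sig))) {
    const reason = looksLikeHtml(bytes)
      ? `html content disguised as ${expected}`
      : `content does not match .${ext}`;
    return { ok: false, reason };
  }
  return { ok: true, kind: expected };
}

// Constructed sample inputs: a genuine PDF header and an HTML page renamed to .pdf.
const enc = new TextEncoder();
const SAMPLES = {
  realPdf: enc.encode("%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\n"),
  fakePdf: enc.encode("<!DOCTYPE html><html><body><p>hello</p></body></html>"),
};
```

Serve stored files with a fixed `Content-Type` and `Content-Disposition: attachment` as well, since the check above only covers what is written, not how the browser is told to treat it.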
User input is never to be trusted. Validation is only a guide to help people, not to secure anything.
I don't think there's a general answer to "not allow html." It was literally recommended when sending a zip in Outlook to just change the extension to txt and provide instructions for the recipient to change it back because Outlook would commonly block zip files.
From what I can see, if users can upload image, video, audio, and pdf files and if someone masks an html file as being one of those, that doesn't seem harmful to you. That does not equate to "you've been hacked." They'd only be hacked, potentially, if the code were executed as html code. You can try to render it as an image safely and it'll just fail. You can try to play it safely and that'll fail too. Users can download it and their PDF render will likewise safely fail to render it.
I see what you mean. Only `.html` files will be opened by the browser.