
Fix file upload security loopholes #14

Merged: nehabagdia merged 7 commits into main from fix/file_upload_security on Feb 29, 2024

Conversation

@gaya3-zipstack
Contributor

What

While a file is uploaded to Prompt studio for indexing, file checks are missing and hence this can cause security issues.

Why

Security loopholes will enable attackers to upload malicious content and in turn cause various types of attacks on the Unstract system.

How

Prevented using the following types of checks

  • file extension check (only pdf supported)
  • file content type check (only pdf supported)
  • file size limitation check

Relevant Docs

Related Issues or PRs

Dependencies Versions / Env Variables

Notes on Testing

  • Uploading a file with the wrong extension
  • Uploading a file with the right extension but the wrong content type
  • Uploading files with a size greater than the specification

Screenshots

...

Checklist

I have read and understood the Contribution Guidelines.
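The three checks the description lists (extension, content type, size), as an added stand-alone example that is not the project's own code: the PR uses a Django REST framework serializer, while this version is plain Python with constructed limits, and it also checks the file's leading bytes because the multipart Content-Type header is chosen by the client.

```python
import os

# Constructed limits for this example. The PR moved its real values into a
# constants module that is not shown on the page, so these are placeholders.
ALLOWED_EXTENSIONS = {".pdf"}
ALLOWED_CONTENT_TYPES = {"application/pdf"}
MAX_UPLOAD_SIZE = 5 * 1024 * 1024  # 5 MiB
PDF_MAGIC = b"%PDF-"  # every PDF file begins with this header


def validate_upload(filename: str, content_type: str, data: bytes,
                    max_size: int = MAX_UPLOAD_SIZE) -> None:
    """Raise ValueError if the upload fails any of the three checks."""
    # 1. Extension check. splitext looks only at the last suffix, so a
    #    double extension such as "report.pdf.exe" is rejected as ".exe".
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"unsupported extension {ext or '(none)'}; only .pdf is accepted")

    # 2. Content type check, in two parts. The declared media type is checked
    #    but not trusted on its own, since the client sets it; the file's own
    #    leading bytes must also look like a PDF.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in ALLOWED_CONTENT_TYPES:
        raise ValueError(f"unsupported content type {media_type!r}; only application/pdf is accepted")
    if not data.startswith(PDF_MAGIC):
        raise ValueError("file content does not start with a PDF header")

    # 3. Size check, against the bytes actually received rather than a
    #    client-supplied Content-Length.
    if len(data) > max_size:
        raise ValueError(f"file is {len(data)} bytes; limit is {max_size} bytes")


def check_upload(filename, content_type, data, max_size=MAX_UPLOAD_SIZE):
    """Return (True, 'ok') or (False, reason), for use by a view or a test."""
    try:
        validate_upload(filename, content_type, data, max_size)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads: one valid, two that each fail a check
    print(check_upload("invoice.pdf", "application/pdf", b"%PDF-1.7\n"))
    print(check_upload("invoice.pdf.exe", "application/pdf", b"%PDF-1.7"))
    print(check_upload("invoice.pdf", "application/pdf", b"MZ\x90\x00"))
```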

@gaya3-zipstack gaya3-zipstack marked this pull request as ready for review February 29, 2024 09:35
@nehabagdia nehabagdia merged commit e8df8ab into main Feb 29, 2024
@nehabagdia nehabagdia deleted the fix/file_upload_security branch February 29, 2024 09:44

from django.core.exceptions import ValidationError
from django.template.defaultfilters import filesizeformat
from django.utils.translation import gettext_lazy as _
Contributor

@gaya3-zipstack are these imports used? Did you run it against pre-commit


class FileUploadSerializer(serializers.Serializer):
file = serializers.ListField(child=serializers.FileField(), required=True)
file = serializers.ListField(
Contributor

@gaya3-zipstack will this impact file upload for workflows / API deployment as well? We'll have other file types to allow in that case

pk-zipstack pushed a commit that referenced this pull request Aug 20, 2025
* Add file upload validation

* Code formatting

* Code formatting

* Change values to constants