[SECURITY] Static Links to uploaded files #986
About audited Directus version.
In Internet systems, there is sometimes a file upload mechanism, which allows users to upload files to share information between entities that communicate through the application. File upload mechanisms often generate direct links to download the uploaded files from the system. These mechanisms sometimes choose a file name and store the uploaded file on the web server under the chosen name. A mechanism that defines file names as sequential numbers is an insecure mechanism because it makes uploaded files easier to guess, thus allowing access to sensitive personal information.
After exploiting this vulnerability, an attacker can easily guess links to uploaded files.
During the test, it was found that the application's file upload mechanism generates static links to uploaded files, which allows an attacker to get access to files that were uploaded into the system, even if they were uploaded by other users.
What problem does this feature solve?
Fixes security hole.
How do you think this should be implemented?
Would you be willing to work on this?
Maybe, with help/guidance from Directus team.
As we are going to implement the UUID feature for the file uploading system, guessing the file name is nearly impossible.
Please share your thoughts on it.
We need to pay attention to the subtle difference between this and #987 though. This issue states
By using UUIDs, this will not be fixed, as it's still a public static link.
The business risk will be fixed though:
As the UUID is way harder / impossible to guess. That being said, a UUID is not a hash or any other cryptographically secure method of generating file names, so one could theoretically work out the UUID structure and programmatically "guess" filenames.
@rijkvanzanten You are right, with UUIDs we will only be able to achieve a solution in which an attacker can't guess the file names.
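To make the distinction drawn in the comments above concrete, here is an added example (not part of the thread and not Directus code) that audits stored upload names for guessable naming schemes and generates a replacement name from the OS CSPRNG. The function names and sample file names are constructed for illustration; it addresses guessability only, not access control on the link itself.

```python
import secrets
import uuid
from pathlib import PurePosixPath

# Constructed sample names, not taken from any Directus installation.
SAMPLE_NAMES = [
    "41.jpg",
    "42.jpg",
    "6ba7b810-9dad-11d1-80b4-00c04fd430c8.png",  # version-1 (time-based) UUID
    "3f2b8c1e-7d4a-4e9b-a6c5-0d1e2f3a4b5c.pdf",  # version-4 (random) UUID
    "holiday.jpg",
]


def classify_name(filename: str) -> str:
    """Label how a stored upload name was most likely generated."""
    stem = PurePosixPath(filename).stem
    if stem.isdigit():
        return "sequential"        # counter: neighbouring names follow directly
    try:
        version = uuid.UUID(stem).version
    except ValueError:
        return "other"             # not a counter and not a UUID
    if version == 1:
        return "uuid-time-based"   # built from timestamp and host fields
    if version == 4:
        return "uuid-random"       # 122 random bits; strength depends on the RNG
    return "uuid-other"


def needs_rename(filename: str) -> bool:
    """True for schemes whose next value can be derived from earlier ones."""
    return classify_name(filename) in {"sequential", "uuid-time-based"}


def new_storage_name(original: str) -> str:
    """256-bit name from the OS CSPRNG, keeping only the original extension."""
    return secrets.token_hex(32) + PurePosixPath(original).suffix.lower()


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        label = classify_name(name)
        if needs_rename(name):
            print(f"{name}: {label} -> rename to {new_storage_name(name)}")
        else:
            print(f"{name}: {label}")
```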