Validate file extensions when files are uploaded
UiSdlFileUpload is a component that lets users upload files. Allowing users to upload content in any form carries inherent risk, so this document covers some ways to minimize that risk when using this component.
Configuration
This section covers the configurations that help with security: allowableFileExtensions, UiSdlFileUpload#rejectInvalidFiles, and UiSdlFileUpload#fileSizeLimit.
allowableFileExtensions
This configuration sets exactly which file types may be uploaded, giving you control over what reaches your application. Allowing compressed file types (.zip, .tgz, etc.) is not recommended, since their contents may be quite large and the file may be a zip bomb in disguise. Keep the list of allowed file extensions as concise as possible; a short list is the easiest to secure.
rejectInvalidFiles
This configuration provides the ability to reject files that users are incorrectly allowed to upload due to a Chrome bug. It should always be set to true.
fileSizeLimit
This configuration provides the ability to limit the total size of all files being uploaded at once. Setting it controls how much data is transferred and can help eliminate suspiciously large files.
Handling files
UiSdlFileUpload allows users to upload files, but it does not do anything with the files, so it's up to the developer to decide what needs to be done. This section will give some recommendations for proper file handling to mitigate risk.
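An added example (not part of the original page and not the component's own code) of re-checking the extension allow list and the total size limit in the code that handles the files. The allow list, the byte limit, the { name, size } input shape and the function names are assumptions for illustration.

```javascript
// Added example. Names, value formats and limits are assumptions for illustration,
// not the UiSdlFileUpload API.
const ALLOWED_EXTENSIONS = new Set(['.csv', '.png', '.pdf']); // mirrors the allow list
const TOTAL_SIZE_LIMIT_BYTES = 5 * 1024 * 1024; // limit for the whole batch, in bytes

// Lower-cased final extension of a file name, or '' when there is none.
function finalExtension(fileName) {
  // Keep only the last path segment, so "dir.png/evil" is judged as "evil".
  const base = String(fileName).split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  // dot <= 0 covers "README" (no dot) and ".htaccess" (a dotfile with no extension).
  // A name ending in "." yields ".", which is never on the allow list.
  return dot <= 0 ? '' : base.slice(dot).toLowerCase();
}

// files: [{ name, size }] objects describing one upload batch.
// Returns { ok, rejected: [{ name, reason }], totalBytes }.
function validateBatch(files) {
  const rejected = [];
  let totalBytes = 0;
  for (const { name, size } of files) {
    if (!Number.isInteger(size) || size < 0) {
      rejected.push({ name, reason: 'invalid size' });
      continue;
    }
    totalBytes += size;
    // Control characters (including NUL) can make later code see a different name.
    if (/[\u0000-\u001f]/.test(name)) {
      rejected.push({ name, reason: 'control character in name' });
    } else if (!ALLOWED_EXTENSIONS.has(finalExtension(name))) {
      rejected.push({ name, reason: 'extension not allowed' });
    }
  }
  if (totalBytes > TOTAL_SIZE_LIMIT_BYTES) {
    rejected.push({ name: '*', reason: 'batch exceeds size limit' });
  }
  return { ok: rejected.length === 0, rejected, totalBytes };
}

// Constructed sample batch.
const sample = [
  { name: 'report.CSV', size: 1200 },
  { name: 'photo.png.zip', size: 900 },
  { name: 'notes.pdf.', size: 300 },
  { name: 'README', size: 10 },
];
console.log(validateBatch(sample));
```

Only the final extension is compared, so a name such as photo.png.zip is judged as .zip rather than .png.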
Rendering files
If you will be directly rendering files, it's best to run some sort of scanner or sanitizer before doing so. Even seemingly harmless files like SVGs can be vectors of attack, so it's always best to run extra checks before rendering directly.
Uploading files to C3 Server
When uploading files to C3 Server, it is recommended to be consistent in the APIs used to upload the file's data. Using fewer APIs creates fewer points of vulnerability and allows you to be more confident in security.