Insecure file upload - Files Limit
Need
Enforce file upload limits to prevent resource exhaustion and potential security risks
Context
• Usage of C# for developing robust and efficient software applications
• Usage of Microsoft.AspNetCore.Http for handling HTTP requests and responses in ASP.NET Core applications
• Usage of System.IO for Input and Output operations in .NET development
• Usage of System.Threading.Tasks for asynchronous programming in .NET
Description
1. Non compliant code
using Microsoft.AspNetCore.Http;
using System.IO;
using System.Threading.Tasks;
public class UploadController : Controller
{
[HttpPost("UploadFiles")]
{...The above code represents an endpoint in an ASP.NET Core application that allows for the uploading of files. The `UploadFiles` method is decorated with the `HttpPost` attribute, indicating that it responds to HTTP POST requests. This method accepts a list of files as input, which are instances of `IFormFile`. The number of files that can be uploaded is not limited in any way. This is a security vulnerability, as an attacker could potentially upload an unlimited number of files, potentially causing a denial of service by filling up the server's storage or causing other performance issues. Moreover, the uploaded files are stored in the server's temporary files directory and are not deleted after they have been processed. This could lead to a situation where the server's storage is filled up with old, unnecessary files. The `size` variable is used to calculate the total size of all uploaded files, but it does not limit the total size or number of uploaded files. The method returns an HTTP 200 OK response, along with a JSON object that includes the number of files and total size of the uploaded files.
2. Steps
• Implement a limit on the number of files that can be uploaded per unit of time.
• Delete the previous files from the server before uploading a new one.
• Validate the file size before saving it to the server.
• Use a secure file storage location instead of the temporary folder.
3. Secure code example
using Microsoft.AspNetCore.Http;
using System.IO;
using System.Threading.Tasks;
using System.Linq;
using System.Collections.Generic;
public class UploadController : Controller
private const int MaxFilesPerHour = 100; // Set your limit...The code above is a modification of the original file upload controller. It introduces a limit on the number of files that can be uploaded per hour, and it deletes the previous file before uploading a new one. The `MaxFilesPerHour` constant sets the limit on the number of files that can be uploaded per hour. The `FileUploads` dictionary keeps track of the files that have been uploaded and the time they were uploaded. In the `Post` method, we first check if the number of files uploaded in the last hour plus the number of files being uploaded now exceeds the limit. If it does, we return a "Bad Request" response. Then, for each file in the request, we delete the previous file (if it exists) before saving the new file. We also add the file to the `FileUploads` dictionary with the current time. Finally, we remove entries from the `FileUploads` dictionary that are older than 1 hour. This code ensures that the number of files uploaded per hour does not exceed a certain limit, and it prevents old files from remaining on the server when new ones are uploaded.
References
• 354. Insecure file upload - Files Limit