
Rails: what security issues come with extracting text from user-submitted files?

If users of an app are able to submit flat text files, and these files have data pulled from them by a program using a regex (which is then returned to the user), how can this be abused?

I know there are concerns with executable files or unsanitized filenames when they're being saved, but I don't know what the risks are with just opening and parsing a file that lasts temporarily in memory.

Thanks.

It depends very much on the implementation of this theoretical system. The big two vulnerabilities are:

  1. SQL Injection. If you are committing this data to a database and do so in an improper manner, you could expose your database to whatever maliciously-formatted data the user uploads.

  2. Cross-Site Scripting. If you're rendering the results of the upload as HTML, you potentially allow an XSS vulnerability if the results aren't properly escaped.

Proper handling of user input can reduce these problems. Generally, though, much depends on the actual implementation details of your code. If you're `eval`ing user input, obviously, that's also an enormous security flaw... but it's not something we can see at this level of detail.
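As an added illustration (not part of the original answer), here is the regex-extraction step from the question placed beside the two mistakes the answer names and their fixes. It is plain Ruby so it runs without Rails; the sample upload and the `names` table are constructed for the example.

```ruby
require "erb"

# Constructed sample of an uploaded flat text file (not from the original post).
UPLOAD = <<~TXT
  name=alice
  name=<script>alert(1)</script>
  name=bob'); DROP TABLE users;--
TXT

# Pull "name=..." values out with a regex, as the question describes.
def extract_names(text)
  text.scan(/^name=(.*)$/).flatten
end

# UNSAFE: interpolating extracted text straight into SQL (the injection the
# answer warns about). The third sample line closes the quote and adds a command.
def unsafe_sql(name)
  "INSERT INTO names (value) VALUES ('#{name}')"
end

# SAFE: a parameterised statement, the value travels separately as a bind
# parameter. In Rails this is Name.create(value: name) or
# Name.where("value = ?", name); here we only build the statement and its binds
# so the example runs without a database.
def safe_sql(name)
  ["INSERT INTO names (value) VALUES (?)", [name]]
end

# UNSAFE: raw interpolation into HTML (the XSS the answer warns about).
def unsafe_html(names)
  names.map { |n| "<li>#{n}</li>" }.join
end

# SAFE: escape before rendering. Rails' ERB does this by default for <%= %>;
# `raw` and `html_safe` are the ways it gets bypassed.
def safe_html(names)
  names.map { |n| "<li>#{ERB::Util.html_escape(n)}</li>" }.join
end
```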
