How to download a file from a shared folder in asp.net using <a href>?

Question

Background:

There is an asp.Net MVC application, which I am currently re-creating without using MVC.

In the MVC application, the <a> elements that enables users to download a document is like:

<a href="/api/file/2187/filter.jpg" target="_blank">download</a>

and it works when I click download, because I could use a method like below in MVC:

public async Task<IActionResult> Download(string path)
{
    var memory = new MemoryStream();
    using (var stream = new FileStream(path, FileMode.Open))
    {
        await stream.CopyToAsync(memory);
    }
    memory.Position = 0;
    return File(memory, GetContentType(path), Path.GetFileName(path));
}

Note that there is an HTML table with 500+ rows in the page, some data has a file to be downloaded and for only those rows, the href link exists in a specific cell.

Here, when I try to visit http://myapplication/api/file/2187/filter.jpg , I could see the link exists.

Problem:

I couldn't use the same Download method in .net only Application because IActionResult looks for the namespace Microsoft.AspNet.MVC . Tried to set the <a> element in my asp.net application like below:

<a href="\\myfolder\myapp\file\2187\filter.jpg" target="_blank">download</a>

However, this does not work in Chrome giving me the error: Not allowed to load local resource

I couldn't find a way to create a link on http for the file like the way it is in the MVC application. How can I enable a link in the application like: http://myapplication/api/file/2187/filter.jpg to use in the href?

Note: The files to be downloaded are located in a Shared folder, can't move them into my local PC or can't import them inside the project etc..

Note 2: There should be no page-refresh after downloading the file.

Any help or advice should be appreciated! Thanks.

Answer 1

File Paths Should Not Be Accepted From URL or Query String:

I would strongly recommending not using filepath in the querystring or URL. I see in the code that you are not validating the filePath and directly downloading a file. This can be very dangerous. People can try downloading web.config or any other file on your web server if the permissions are not set correctly or if there is no other mechanism to block such request.

I would strongly recommend using Indirection for file download.

What is Indirection ?

In indirection, you would create an identifier for the file. It may be a GUID as well. Then you can accept this GUID through QueryString or through URL. Then in your action you would map it to right file and then download it.

Code Example:

Below code example, uses file ID.

When the file id is passed, it tries to get the file details in CustomDocumentObj . These details contains actual file path.
You can then perform validations to check if this is the application related file and if your application allows to download that file.

public class ServiceController : Controller
{
   public ActionResult DownloadFile(string id)
   {
       CustomDocumentObj document = new CustomDocumentObj(Int32.Parse(id));
       // OPTIONAL - validation to check if it is allowed to download this file.
       string filetype = Helpers.GetMimeType(document.FilePath);
       return File(document.FilePath, filetype, Path.GetFileName(document.FilePath));
   }
} 

Then in URL it can be something like below:

<a href="/Services/DownloadFile/1">Download File</a>

Refer this blog for further details.