
We had to implement an image uploader for a node.js project. As framework we are using express.js. We did it as described here: http://howtonode.org/really-simple-file-uploads

But we are not sure how to secure this image uploader. What we did so far is:

  • checking the file size
  • checking extension and header
  • rename the file
  • file is only accessible over a special route and is not in the root folder

Is this enough? We don't feel very comfortable with the following line:

    // CHECKING FOR FILESIZE, EXTENSION, HEADERS
    fs.readFile(req.files.displayImage.path, function (err, data) {
        ...
        ...
        ...
        // RENAMING FILE
        // SAVE FILE
        ...
        ...
        ...
    });

Is it safe to read the image this way? We are afraid there could be malicious code in req.files.displayImage.path. Do we need to add more checks, or are our checks sufficient? What attack vectors do we offer an attacker if we use the code as described?

Thank you for your advice, Tschoartschi

tschoartschi
  • Reading bytes into a `Buffer` cannot execute malicious code. – SLaks Jul 17 '13 at 14:35
  • Thank you for your answer. But we read the file into a buffer and then save it to disk. So what problem could arise if we save an image with malicious code to disk? – tschoartschi Jul 17 '13 at 22:55
  • Writing bytes to disk cannot execute malicious code. Security holes happen when you try to interpret the bytes and have a bug. – SLaks Jul 18 '13 at 13:32
  • Thank you also for this advice. As far as we see the problem, there is no great security danger for our server, because we don't do anything with the bytes of the image. But is there a security risk for users who get the image? Because we deliver the images to several users and we don't want our server to become a distributor of malicious code! We read somewhere that it is a good idea to reprocess the image, but we don't get how this removes malicious code. – tschoartschi Jul 19 '13 at 08:29
  • That is true. Images can have evil headers or other data that triggers security holes in some image parsers. If you read the image, then re-encode it yourself, you are likely to remove that. However, if the image exploits a security hole in the library you use to read the image, you will be in trouble. – SLaks Jul 19 '13 at 15:01
  • 1
    Okay, then the is choice between, opening a possible exploit on our server or delivering malicious code to the user. It would be interesting how the big players handle stuff like this. So would it be possible to distribute an image with malicious code via e.g. Facebook or Tumblr? There arises one question: "Is it for a two men project better to shift the security risk to the user and dont process images on the server?" – tschoartschi Jul 22 '13 at 09:50

1 Answer

If you are concerned about opening malicious images on the client side, as posted in your comments, try opening third-party scripts and untrusted files inside a sandboxed iframe; this will protect your users.

CommonSenseCode