Image Upload Validation

[to-sta]

Terms

• I have searched open and closed feature requests
• I agree to follow activist's Code of Conduct

Description

Let's discuss how we can protect against malicious user uploaded images/files?

We should consider protection mechansim on all level of our tech stack:

• Frontend
• Webserver (we plan to use nginx)
• Backend

Here is note from the django documentation on that:
Django

[andrewtavis]

Information that I found on this during Code Brunch 🍞☕:

• identify --warnings from https://imagemagick.org/index.php
• Scrubbing image metadata on entry to the server as a way to make sure that if there is a breach that this information doesn't get into the wrong hands
• Have a different VPS for images
  • Copy images over into a compressed format that's then used on the main server

The following is also a useful chatbot output on the question "What are some steps that should be taken in a Django app to make sure that image uploads are not malicious?":

1. Use Django's Form Handling with FileField or ImageField: Django's forms provide built-in validation for file uploads. Use FileField or ImageField in your Django model forms to handle file uploads securely.

2. Implement Client-Side Validation: Utilize client-side validation using JavaScript to ensure that only certain file types are allowed to be uploaded. You can also check the file extension and file size before submitting the form to the server.

3. Server-Side Validation: Even though client-side validation is important, it can be bypassed. Therefore, always perform server-side validation as well. Django provides validators for file uploads. For example, you can use validate_image_file_extension to validate that the uploaded file is an image and not a disguised malicious file.

4. Use a Secure File Storage Backend: Django provides different file storage backends. Use a secure file storage backend like FileSystemStorage or Amazon S3 with proper access controls and permissions.

5. Implement Image Processing Libraries with Caution: If your application requires image processing, use trusted libraries like Pillow. Be cautious when accepting user input for image processing operations to prevent security vulnerabilities like Remote Code Execution (RCE).

6. Scan Uploaded Files: Consider integrating antivirus or file scanning services to scan uploaded files for malware or malicious content.

7. Limit File Upload Size: Configure Django settings to limit the size of uploaded files to prevent denial of service attacks and disk space exhaustion.

8. Implement Content Security Policy (CSP): Utilize CSP headers to control from where your application can load resources, including images. This can help mitigate the risk of loading malicious content from untrusted sources.

9. Regularly Update Dependencies: Keep your Django application and its dependencies up to date to patch security vulnerabilities and ensure that you are using the latest security features.

10. User Authentication and Authorization: Ensure that only authenticated and authorized users are allowed to upload files to your Django application. Implement proper user authentication and authorization mechanisms.

[rigojr]

Interesting 🤔

[andrewtavis]

Along with the above, on the frontend side of things it looks like there's a well regarded security module for Nuxt that we should look at - Nuxt Security :)

[andrewtavis]

Via discussions in the dev sync, some further restrictions for images that should be checked on both the frontend and backend would be:

• Size limit: 5 MB
• Suggested dimensions should be included in the UI
  • 640px x 640px for org and group images
  • 512px x 640px for event images
• Format: PNG or JPEG
• Max number of images per org/group: 10
• Who can upload: "admins" for orgs and the respective group if it's a group page
• Eventually would be nice to have
  • Machine learning based image checks
• Sanitize image names of special characters and potential malicious strings

What are we changing the filename to when it's sanitized?

• Image name is changed to the image id after it's uploaded

[andrewtavis]

Comment from Code Brunch 🍞☕ on this:

• Changing the image name to image.EXTENSION from the start would be ok as once it's in the process of being put into the DB, we don't really need the filename
• Also important to change the name of the image to the UUID and remove ALL original filename information from it to protect users from mistakes on their end: bill_and_cathy_vs_police_at_the_climate_protest.png...

CC @wkyoshida and @bozmen