
Rutix/FileUploadsSampleApp


Upload Files Sample App

This sample app demonstrates concepts described in the Upload files in ASP.NET Core topic.

Security considerations

Use caution when providing users with the ability to upload files to a server. Attackers may execute denial of service attacks, attempt to upload viruses or malware, and attempt to compromise networks and servers in other ways.

Security steps that reduce the likelihood of a successful attack are:

  • Upload files to a dedicated file upload area on the system, preferably a non-system drive. Use of a dedicated location makes it easier to impose security measures on uploaded content. Disable execute permissions on the file upload location.†
  • Never persist uploaded files in the same directory tree as the app.†
  • Use a safe file name determined by the app, not directly from user input or the untrusted file name of the uploaded file.†
  • Only allow a specific set of approved file extensions.†
  • Check the file format signature to prevent a user from uploading a masqueraded file (for example, uploading an .exe file with a .txt extension).†
  • Verify that client-side checks are also performed on the server. Client-side checks are easy to circumvent.†
  • Check the size of the upload and prevent larger uploads than expected.†
  • When files shouldn't be overwritten by an uploaded file with the same name, check the file name against the database or physical storage before uploading the file.
  • Run a virus/malware scanner on uploaded content before the file is stored.

†The sample app demonstrates an approach that meets the criteria.
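The checks marked above (app-chosen file name, extension allowlist, format signature, server-side size limit) can be combined into one validation step before anything touches disk. The following C# is an added example written for this README and is not the sample app's own code; the UploadValidator class, its signature table, the 2 MB limit and the sample inputs are all constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example, not code from the sample app: a self-contained validator that applies
// the server-side checks listed above to a buffered upload. The class name, the
// extension/signature table and the sample inputs in Demo are constructed for this example.
public static class UploadValidator
{
    // Allowlist: only these extensions are accepted, and each must start with one of the
    // listed byte sequences (file format signatures). Constructed table; extend it per app.
    private static readonly Dictionary<string, List<byte[]>> FileSignatures = new()
    {
        [".png"] = new() { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
        [".jpg"] = new() { new byte[] { 0xFF, 0xD8, 0xFF } },
        [".pdf"] = new() { new byte[] { 0x25, 0x50, 0x44, 0x46 } },
    };

    // Returns (accepted, reason). Every check runs on the server even if the client did it too.
    public static (bool Accepted, string Reason) Validate(string untrustedFileName, Stream content, long sizeLimit)
    {
        // Size check: reject empty uploads and anything over the configured limit.
        if (content.Length == 0) return (false, "empty file");
        if (content.Length > sizeLimit) return (false, $"file larger than {sizeLimit} bytes");

        // Extension allowlist, compared case-insensitively so "photo.PNG" is treated as ".png".
        string ext = Path.GetExtension(untrustedFileName).ToLowerInvariant();
        if (ext.Length == 0 || !FileSignatures.TryGetValue(ext, out var signatures))
            return (false, $"extension '{ext}' not permitted");

        // Signature check: the leading bytes must match the claimed type, so an executable
        // renamed to an allowed extension is rejected even though the extension passed.
        byte[] header = new byte[signatures.Max(s => s.Length)];
        content.Position = 0;
        int read = content.Read(header, 0, header.Length);
        content.Position = 0;
        bool matches = signatures.Any(sig => read >= sig.Length && header.Take(sig.Length).SequenceEqual(sig));
        if (!matches) return (false, "content does not match the file extension");

        return (true, "ok");
    }

    // The stored name is generated by the app; only the already-validated extension is kept
    // from the client's name, so separators, "..", or other junk in it never reach the path.
    public static string SafeStorageName(string untrustedFileName) =>
        Guid.NewGuid().ToString("N") + Path.GetExtension(untrustedFileName).ToLowerInvariant();
}

public static class Demo
{
    static Stream Bytes(params byte[] b) => new MemoryStream(b);

    public static void Main()
    {
        const long limit = 2 * 1024 * 1024; // 2 MB, a constructed limit for the demo
        var cases = new (string Name, Stream Content)[]
        {
            ("photo.PNG", Bytes(0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00)), // accepted
            ("notes.txt", Bytes(0x4D, 0x5A, 0x90, 0x00)),                                 // .txt not in allowlist
            ("../../evil.png", Bytes(0x4D, 0x5A, 0x90, 0x00)),                            // "MZ" header, not a PNG
            ("empty.pdf", Bytes()),                                                       // empty upload
        };

        foreach (var (name, content) in cases)
        {
            var (ok, reason) = UploadValidator.Validate(name, content, limit);
            string stored = ok ? UploadValidator.SafeStorageName(name) : "(not stored)";
            Console.WriteLine($"{name,-16} accepted={ok,-5} reason={reason,-40} stored as {stored}");
        }
    }
}
```

In an ASP.NET Core handler the `content` stream would be the buffered upload (for example the stream opened from an `IFormFile`) and `sizeLimit` the value read from configuration; only the name returned by `SafeStorageName` is combined with the dedicated storage directory, and the client-supplied name is never used to build a path. The signature table deliberately covers only the formats the app intends to accept; anything absent from it is rejected rather than passed through.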

Warning

Uploading malicious code to a system is frequently the first step to executing code that can:

  • Completely take over a system.
  • Overload a system so that it crashes.
  • Compromise user or system data.
  • Apply graffiti to a public UI.

For information on reducing the attack surface area when accepting files from users, see the following resources:

How to use the sample

  1. In the appsettings.json file:

    1. Set the connection string for a database where you intend to store uploaded file content. Confirm that execute permissions are disabled for all users at that location.
    2. Set the path for stored files.
    3. Set the file size limit.
  2. Perform an initial migration on the database:

    1. Open the Package Manager Console (PMC): Tools > NuGet Package Manager > Package Manager Console.

    2. In the PMC, execute the following commands:

      Add-Migration Initial
      Update-Database

    Alternatively, using the .NET CLI from a command shell opened to the project's folder, execute the following commands:

    dotnet ef migrations add InitialCreate
    dotnet ef database update
