Would anyone know if UmbracoForms provides any out of the box protections for the file upload field?
Thinking things like checking that the supplied file restricted by extension looks like the filetype it says it is (string comparison or bytes?).
Umbraco supplies a FileStreamSecurityValidator that runs all registered IFileStreamSecurityAnalyzer implementations on the file streams it receives from its different file upload endpoints.
Yep I read the same, so the question is what out of the box IFileStreamSecurityAnalyzers are there… though as ever with security knowing what’s existing in and of itself provides a surface for probing..
Umbraco doesn’t implement any IFileStreamSecurityAnalyzers in Forms or in Core - it’s up to you to implement if you want/need to. All forms does is validate the extension against allowed/disallowed types[1].
I’ve been round the houses a bit on this, and would recommend talking to the client about what kind of protection they want and being open about what’s there. Clients that care about infosec should have someone to help you work out what kind of protection they want/need.
Some clients will be happy to mitigate via scanning on infrastructure (which is more normal IME).
For one client we’re scanning binary signatures on upload, parsing PDFs and SVGs and stripping out exploitable elements etc. - lots of IFileStreamSecurityAnalyzers. But they’re a finserv and want a more belt-and-braces approach.
Bear in mind that once you start doing something with a file, as opposed to just writing the binary to storage, there’s every chance you’re introducing a new attack vector to your Umbraco site.
[1] From what I can see from decompiling the NuGet package.
Jason, thanks for sharing your valuable experience, to lean on you a little more…
Would I be correct in assuming that as Azure blob storage doesn’t have Windows Defender and active real-time scanning as standard (paid extras) that having that binary in the blob store doesn’t allow for virus/malware execution. So to some extent we can lean on the client’s existing internal protections against accessing any pdf/img on the web?
Also in the event of IFileStreamSecurityAnalyzer providing a positive hit, what’s the process here… does it bubble back up to UForms and stop the entire entry being written, give scope to blacklist the IP etc??
Or would we need to do that in an overridden uForms fieldType validation?
Not as standard, no - there’s an extra monthly cost plus a price per GB scanned. I know some people have hooked up AV scanning to blob storage via the APIs but I don’t know details.
One approach I’ve used before is to spin off the whole upload responsibility into a microservice - a custom form field stores a GUID and some JS that handles posting the file to an endpoint (Azure function) that processed, validated and saved the file to blob storage. Those files never touched production infrastructure that matters.
Yes, exactly that. Users can treat form submissions just like any other random internet file they may come across - with suspicion. If files are attached to emails then they’ll likely get properly scanned so that’s a nice way to deal with it too.
All the registered IFileStreamSecurityAnalyzers are iterated by the IFileStreamSecurityValidator which is a validation step for Umbraco Forms and is carried out alongside checking the file extension is valid. Just like any other validator (say regex or whatever) it will reject the form submission and do nothing further until validation is fixed.
ASP.NET Core stores all posted files over 64KB as a temp file locally, nothing will happen with these files after the request and they’ll get cleaned up in Azure when the machine changes/restarts etc.
If you want to blacklist then yes, you will need to override the behaviour of the FieldType. I think the easiest approach is to override the ValidateField(), and check for the presence of the ErrorMessageForFailedSecurityCheck in the base method, then do any custom logic there before returning the list of errors.
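
The binary-signature check discussed in this thread, written as an IFileStreamSecurityAnalyzer. This is an added example, not code from any poster or from Umbraco. The class names and the PDF/PNG/JPEG allowlist are assumptions, and the analyzer fails closed on streams it cannot rewind.

```csharp
using System.IO;
using System.Linq;
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Security;

// Hypothetical analyzer: a stream passes only if its leading bytes
// match one of the allowlisted file signatures.
public class MagicBytesAnalyzer : IFileStreamSecurityAnalyzer
{
    // Constructed allowlist; align it with the extensions the form accepts.
    private static readonly byte[][] AllowedSignatures =
    {
        new byte[] { 0x25, 0x50, 0x44, 0x46, 0x2D },                   // "%PDF-"
        new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A }, // PNG
        new byte[] { 0xFF, 0xD8, 0xFF },                               // JPEG
    };

    // Inspect every stream, so content outside the allowlist is rejected.
    public bool ShouldHandle(Stream fileStream) => true;

    public bool IsConsideredSafe(Stream fileStream)
    {
        if (!fileStream.CanSeek) return false; // cannot rewind: fail closed
        long start = fileStream.Position;
        try
        {
            fileStream.Position = 0;
            var header = new byte[8];
            int read = 0, n;
            // Read() may return fewer bytes than requested, so loop.
            while (read < header.Length &&
                   (n = fileStream.Read(header, read, header.Length - read)) > 0)
                read += n;
            return AllowedSignatures.Any(sig =>
                read >= sig.Length && header.Take(sig.Length).SequenceEqual(sig));
        }
        finally { fileStream.Position = start; } // leave the stream as found
    }
}

// Registers the analyzer so the validator picks it up.
public class MagicBytesComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder) =>
        builder.Services.AddSingleton<IFileStreamSecurityAnalyzer, MagicBytesAnalyzer>();
}
```

The analyzer receives only the stream, not the file name, so it cannot compare content against the claimed extension; it complements the extension check Forms already does. Because registered analyzers run for Umbraco's other upload endpoints as well, an allowlist this strict also applies to uploads outside Forms, and a matching header says nothing about what the rest of the file contains.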