ASP.NET MVC5 download security best practices?

We are creating an ASP.NET MVC5 web application that includes file uploads.

Users must sign in using the ASP.NET Identity Framework.

Files are stored in a database (we are interacting with a legacy application) and each file is identified by a standard integer primary key.

We plan to serve files as follows:

  • The user requests the file using their ID, e.g. http://www.example.com/getFile?fileId=5

  • The controller then checks to see if the requesting user is allowed access to this file (using some complex business rules) and if the file is successfully transferred to the user.

I've been researching best practices but am struggling to find specifics as most of what I've read is about a scenario where files are read from physical paths and so the recommendation is to spoof the filename in the request.

We could trick the file ID, but I don't see much point in that if the controller would check the user's access to the file on every request.

Is our approach sufficient, or should we do it differently? If yes, what is recommended, please?

+3



2 answers


Your approach is sufficient. If your authorization rules in your controller adequately protect files, then this is all you need.



The only information leak is the use of what is supposedly the primary key of the file in the database in the URL that is used to request the file. This could potentially create a vulnerability if, for example, another part of your application is vulnerable to SQL injection attacks, and an attacker uses the IDs in your URL to create a SQL injection attack to retrieve a file with a specific ID. Whether this is a risk in practice, however, depends on how vulnerable your application is to SQL injection attacks as well, and most attackers are probably guessing or crudely forcing identifiers in some way, so there may be little practical benefit to masking them, even if you are vulnerable to SQL injection attack - the best trick in this case is just to make sure that you didn't.

+1
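A sketch of the approach the question describes and the answer above endorses, added here as an example and not code from the question or either answer. `FilesController`, `IFileStore`, `IFileAccessPolicy` and `StoredFile` are hypothetical names, a configured dependency resolver and a route for the question's URL are assumed, and answering 404 for both a missing and a denied file is this example's own choice.

```csharp
using System.Net.Mime;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;   // GetUserId() extension on IIdentity

// Hypothetical abstractions over the legacy database and the business rules.
public class StoredFile
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public byte[] Content { get; set; }
}

public interface IFileStore
{
    StoredFile Find(int fileId);   // returns null when no such row exists
}

public interface IFileAccessPolicy
{
    bool CanRead(string userId, StoredFile file);
}

[Authorize]   // anonymous requests are rejected before the action runs
public class FilesController : Controller
{
    private readonly IFileStore _store;
    private readonly IFileAccessPolicy _policy;

    // Assumes a DependencyResolver is configured to supply both services.
    public FilesController(IFileStore store, IFileAccessPolicy policy)
    {
        _store = store;
        _policy = policy;
    }

    [HttpGet]
    public ActionResult GetFile(int? fileId)
    {
        // A missing or non-numeric fileId binds to null and is treated as "not found".
        StoredFile file = fileId.HasValue ? _store.Find(fileId.Value) : null;
        string userId = User.Identity.GetUserId();
        // The access check runs on every request. The response is the same for
        // "no such file" and "not allowed", so ids cannot be probed for existence.
        if (file == null || !_policy.CanRead(userId, file))
            return HttpNotFound();
        // Generic content type plus a file name makes the browser download the bytes.
        return File(file.Content, MediaTypeNames.Application.Octet, file.DisplayName);
    }
}
```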



I once created something similar.

The user requested the file, we confirmed that the user can access the file and then transferred it to their browser. One thing we did was keep the files outside of the web application folder. This ensured that the files did not end up in Google by accident, and is also more secure, since attackers cannot use the full file path to download the file directly.

You can easily confuse the filename. Look at this code for example:



 public FileResult Download()
 {
    byte[] fileBytes = System.IO.File.ReadAllBytes(@"c:\folder\myfile.ext");
    string fileName = "myfile.ext";
    return File(fileBytes, System.Net.Mime.MediaTypeNames.Application.Octet, fileName);
 }

      

In the variable "fileName", you put the file that the user will see. It could be anything.

Hope it helps.

-1

