We are using s3_file_field to upload videos directly to S3, and we are planning on using client side validations to make sure the uploads are within our size restrictions, but I'm worried that a hacker might be able to turn JS off, and upload a 500GB file to our S3 bucket.
In the past, whenever I've used client-side validations, I've also had server-side validations backing them up, so I've never been too concerned about users turning JS off, but we can't have server-side validations here as we're going directly to S3.
How easy is it for a hacker to get around client side validations? Is it just a case of turning JS off? Would it help if we disabled our upload form when JS is disabled?
Should we be implementing a worker or observer to sweep uploaded videos, and run validations on them sometime after they've been uploaded, and before they can be accessed by users?
There aren't any maximum file upload size constraints that you can place on an S3 bucket, per se. As far as I can find, there aren't any AWS policy provisions for that.
But S3 supports CORS, which is what s3_file_field
uses to make this direct upload work. If S3 supports the content-length-range
policy element of CORS, you can add that and then are probably covered.
Also s3_file_field is actually an extension of jQuery File Upload, and that has various validation options, including max_file_size
as documented here. In s3_file_field
the default max_file_size
is 500 megabytes and it appears you can override it.
Either way, if a user disables javascript, then they won't be able to run JQuery File Upload, which means they shouldn't be able to upload anything at all via CORS.
Just make sure you specify the AllowedOrigin
in production, as stated in the s3_file_field
docs.