Search code examples
c++file-uploadfile-formatcode-injection

Downloading custom file formats

I've been tasked with allowing users to upload files to a webpage, and then other users can download that file.

The file format is a custom one, for this example I'll just call it .ccx. This is opened by our own custom software. The idea is, users can upload tutorial files to share with each other.

However, I'm concerned that someone could engineer a .ccx file to implant a virus on the users computer. This could have a very negative impact on our site if ever such a file was engineered, users would become fearful of downloading, and our competitors might use that to take advantage of us.

  • How can I as a web developer make sure that uploaded files are safe? I know it's not possible to be 100% sure, but I want to improve on currently being 'very unsure'.

  • Also, in our custom software, what steps can be taken to ensure that the .ccx file wont cause harm to the users computer (A Windows program written in C++)? I'm talking about the exe equivalent of an SQL injection.

Thanks for all answers.

Solution

  • On the server, you can run any command line virus scanner over them and have them look for known virus signatures. However, it is questionable whether this will improve security: since the virus writers would need to taylor your format, it doesn't seem very likely that their malicious files would match any known signatures, secondly you have the risks of false positives, causing otherwise valid uploads to be rejected.

    You need to make your client app's handling of the file format as secure as possible. This means:

    • Do not trust the input files. Validate everything. Don't be fault tolerant. If you are in control of the only application that writes such files, then any unexpected byte should trigger alarm bells.
    • Do extensive testing (for example some kind of fuzzy testing to simulate random input changes)
    • Design your file format as simple as possible. If the file format is complex, the implementation will be, too. And the more complex the implementation, the more format features to handle, the higher the risk of security vulnerabilities becomes.
    • Make sure you use OS security features, such as DEP or ASLR.
    • Ensure that all developers working on the project know about common security vulnerabilities and how to avoid them.
    • If you are really, really worried about possible attack vectors, try sandboxing the loading code. This can, for example, be achieved by using an embedded scripting language.

    You can never be 100% sure that your code is secure. So better take some precautions:

    • Implement automatic updates to be able to patch security holes quickly.
    • Warn users not to open files from untrusted authors (and tell them you're not liable for any damage caused by 'infected' files ...).