apoorv-2204

How to fix Insecure File Uploads in Elixir

Hi,
I want to fix the issue in my codebase where I can upload any binary or executable file in live view or in general file api input in Phoenix.

I have already added restrictions to only accept files like PDFs, PNGs, and JPEGs.

I also want to perform an antivirus scan. What should I do? Is there a library in Elixir for it?

Most Liked

kip

ex_cldr Core Team

If your focus is primarily image file types then Image safely opens those files and errors if they aren’t valid image files (irrespective of the suffix). This is because libvips, which does all the work, is very conservative and security conscious about what it considers a valid image file.

Exadra37

While I don’t know of any lib to do virus scanning, I want to call your attention to the fact that if your restrictions on the file type are based on the extension, then they can be bypassed. Instead, a better approach is to perform this check based on the mime type of the file, but not based on the one passed in the request headers; you need to do it yourself in your application.

Another thing to keep in mind is that, before processing it in your application, you may want to copy the uploaded file to a temporary path with a random name. If you expose the uploaded file to the public, then you should use a different name from the one given by the client.

More best practices can be found at File Upload - OWASP Cheat Sheet Series.

Zurga

I do not know of any Elixir library that will do virus scanning, but using the System.cmd function you can call an external virus scanner to scan the uploaded file.
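An added example (not code from any of the replies above) that puts the three suggestions together in Elixir: detect the type from the file's leading bytes rather than the extension or the client's Content-Type, copy the upload to a random temporary name, and hand it to an external scanner with `System.cmd/3`. It assumes a `clamscan` binary on `PATH`; the module name, the signature table and the `accept/1` pipeline are my own.

```elixir
defmodule SafeUpload do
  @moduledoc "Magic-byte type check, random temp name, external AV scan."

  # Leading bytes of the three types the question allows (assumed table).
  @signatures [
    {"application/pdf", <<0x25, 0x50, 0x44, 0x46>>},                     # "%PDF"
    {"image/png", <<0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A>>},   # PNG header
    {"image/jpeg", <<0xFF, 0xD8, 0xFF>>}                                 # JPEG SOI marker
  ]

  @doc "Detects the MIME type from the first bytes of the file, ignoring its name."
  @spec sniff_mime(Path.t()) :: {:ok, String.t()} | {:error, :unsupported_type}
  def sniff_mime(path) do
    {:ok, file} = File.open(path, [:read, :binary])
    header = IO.binread(file, 8)          # 8 bytes cover every signature above
    File.close(file)

    case header do
      data when is_binary(data) -> match_signature(data)
      _ -> {:error, :unsupported_type}    # :eof on an empty file, or a read error
    end
  end

  defp match_signature(header) do
    Enum.find_value(@signatures, {:error, :unsupported_type}, fn {mime, magic} ->
      size = byte_size(magic)
      if byte_size(header) >= size and binary_part(header, 0, size) == magic, do: {:ok, mime}
    end)
  end

  @doc "Copies the upload to a random name under the system temp dir."
  @spec quarantine(Path.t()) :: {:ok, Path.t()} | {:error, File.posix()}
  def quarantine(path) do
    name = Base.url_encode64(:crypto.strong_rand_bytes(16), padding: false)
    dest = Path.join(System.tmp_dir!(), "upload-" <> name)
    with :ok <- File.cp(path, dest), do: {:ok, dest}
  end

  @doc "Runs clamscan via System.cmd/3; exit 0 = clean, 1 = infected, other = error."
  @spec scan(Path.t()) :: :clean | {:infected, String.t()} | {:error, term()}
  def scan(path) do
    # Raises ErlangError (:enoent) if clamscan is not installed on this host.
    case System.cmd("clamscan", ["--no-summary", path], stderr_to_stdout: true) do
      {_out, 0} -> :clean
      {out, 1} -> {:infected, String.trim(out)}
      {out, code} -> {:error, {code, String.trim(out)}}
    end
  end

  @doc "Type check, then copy under a random name, then scan the copy."
  def accept(path) do
    with {:ok, mime} <- sniff_mime(path),
         {:ok, tmp} <- quarantine(path),
         :clean <- scan(tmp) do
      {:ok, mime, tmp}
    else
      {:infected, _} = inf -> {:error, inf}
      {:error, _} = err -> err
    end
  end
end
```

Call `SafeUpload.accept(upload.path)` from your LiveView `consume_uploaded_entries/3` callback and delete the temp copy when the result is not `{:ok, _, _}`.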
