# Allowlist keyed by declared MIME type; the extension is checked separately so a
# permitted type can never be stored under an executable or HTML extension.
allowed_types = { 'image/png' => %w[.png], 'image/jpeg' => %w[.jpg .jpeg], 'application/pdf' => %w[.pdf] }
uploaded = params.require(:document)   # ActionDispatch::Http::UploadedFile
raise ActionController::BadRequest, 'file too large' if uploaded.size > 10.megabytes
# content_type comes from the client's multipart header: treat it as a claim, not a fact.
raise ActionController::BadRequest, 'type not allowed' unless allowed_types.key?(uploaded.content_type)
ext = File.extname(uploaded.original_filename).downcase
raise ActionController::BadRequest, 'extension not allowed' unless allowed_types[uploaded.content_type].include?(ext)
filename = "#{SecureRandom.uuid}#{ext}"   # never reuse the client-supplied name on disk
storage_path = Rails.root.join('storage', 'uploads', filename)   # outside public/, not web-served
File.binwrite(storage_path, uploaded.read)
File uploads are attacker-controlled input with extra surface area: the filename, the declared MIME type and the bytes themselves are all chosen by the client. I allowlist both the extension and the MIME type, rename everything server side to a random name so the original filename never reaches the filesystem, scan risky formats instead of trusting the Content-Type header, and keep user uploads out of any path the web server will execute or serve as HTML. If the business allows arbitrary uploads, storage isolation (a separate bucket or host, served from its own origin) becomes non-negotiable.
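As an added example (not the snippet above and not tied to Rails), here is the same check carried one step further in plain Ruby: besides the declared-type and extension allowlists, it verifies the file's magic bytes against the declared type, enforces the size limit while reading, flags PDFs that carry active content for scanning, and writes with O_EXCL so a guessed name can never overwrite an existing file. The names validate_upload, store_upload, UploadRejected and ALLOWED, the PDF marker heuristic, and the sample byte strings are my own constructions.

```ruby
require 'securerandom'
require 'stringio'
require 'tmpdir'

# Declared MIME type => allowed extensions and the leading bytes a genuine file must start with.
ALLOWED = {
  'image/png'       => { exts: %w[.png],      magic: ["\x89PNG\r\n\x1a\n".b] },
  'image/jpeg'      => { exts: %w[.jpg .jpeg], magic: ["\xFF\xD8\xFF".b] },
  'application/pdf' => { exts: %w[.pdf],      magic: ['%PDF-'.b] },
}.freeze
MAX_BYTES = 10 * 1024 * 1024

class UploadRejected < StandardError; end

# Returns { filename:, data:, needs_scan: } or raises UploadRejected.
# Every input here is client-controlled: the declared type, the original filename and the bytes.
def validate_upload(declared_type:, original_filename:, io:)
  spec = ALLOWED[declared_type]
  raise UploadRejected, 'type not allowed' unless spec

  ext = File.extname(original_filename).downcase
  raise UploadRejected, 'extension does not match type' unless spec[:exts].include?(ext)

  # Read one byte past the limit: anything larger is rejected without buffering the whole stream.
  data = io.read(MAX_BYTES + 1) || ''.b
  raise UploadRejected, 'file too large' if data.bytesize > MAX_BYTES
  raise UploadRejected, 'empty file' if data.empty?

  # The Content-Type header is only a claim; the leading bytes have to back it up.
  unless spec[:magic].any? { |m| data.byteslice(0, m.bytesize) == m }
    raise UploadRejected, 'content does not match declared type'
  end

  # Heuristic (my own, not exhaustive): PDFs with script or launch actions go to the scanner.
  needs_scan = declared_type == 'application/pdf' &&
               data.match?(%r{/(JavaScript|OpenAction|Launch)\b})

  { filename: "#{SecureRandom.uuid}#{ext}", data: data, needs_scan: needs_scan }
end

# Writes under a server-chosen name; O_EXCL fails instead of clobbering if the name already exists.
def store_upload(result, dir)
  path = File.join(dir, result[:filename])
  File.open(path, File::WRONLY | File::CREAT | File::EXCL | File::BINARY, 0o640) do |f|
    f.write(result[:data])
  end
  path
end

# Constructed sample inputs (not real files).
SAMPLE_PNG        = "\x89PNG\r\n\x1a\n".b + ("\x00".b * 16)
SAMPLE_PDF_ACTIVE = "%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj".b
SAMPLE_HTML       = "<html><script>alert(1)</script></html>".b   # HTML claiming to be a PNG

if $PROGRAM_NAME == __FILE__
  ok = validate_upload(declared_type: 'image/png', original_filename: 'cat.PNG', io: StringIO.new(SAMPLE_PNG))
  puts "accepted as #{ok[:filename]}"
  begin
    validate_upload(declared_type: 'image/png', original_filename: 'cat.png', io: StringIO.new(SAMPLE_HTML))
  rescue UploadRejected => e
    puts "rejected: #{e.message}"
  end
end
```

The extension check runs before any bytes are read, so a request claiming image/png with a .html or .php filename is refused before it costs anything; the magic-byte check then catches the reverse case, an allowed extension wrapped around content the web server might interpret.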