TL:DR? Word Documents are packages, is it dangerous to upload them to the server then?
I'm developing an application in Angular 4, and Node JS, that at some point allow users to upload files, that should be only images, pdf's and Word documents.
Front end validation goes well, until node rejects a Google Docs file exported as .docx and says the file is actually a zip (application/zip).
Okay, perfectly normal, but native Word documents, have a different MIME type, so:
Should I enable the upload of zip files?
Considering that I could successfully use a docx as a zip, add a script and go back to use it as a docx file, should I have any security worries?
Is it possible to include malicious software inside a docx file and somehow use/run it on the server side?
Am I worrying about nothing?
There is no danger in a Word file on your server UNLESS you open it with Word or some other tool that processes it and essentially "runs it". Then, that provides a vector for macro malware that could be run when the file was opened in some program that might runs those macros.
Just storing it and enabling others to download it does not put your server at risk in any way. A plain file that you just store or send to others upon request is just a bucket of bits that doesn't "run" any code.
If you are providing a storage and retrieving mechanism, you may want to prevent yourself from becoming a distribution mechanism for malware by using some sort of scanner on all files that are uploaded to you such that you can filter out files that might harm someone else who downloads them and does attempt to open/run them.
Related
Suppose I had a console app in the terminal I created using C language, shouting "Hello world!"
The program is called hello.exe.
I upload hello.exe to static server.
Now I can download the file by typing the following address in the chrome.
http://localhost:8080/hello.exe
Or I can get a Blob object using the http method in Nodejs.
Is there a way to run this obtained Blob object right away without making a file? And get string Hello world!
No similar topics were found.
Do I need to create and run the file and erase it right away?
I want is for the files to run and not remain on my PC.
I'm not aware of any way to run an .exe file without first putting it on disk. You would essentially need to write your own exe loader that worked from memory instead of disk and that would be no small effort.
Keep in mind that a client that just automatically runs some executable it gets from a URL like http://somedomain.com/hello.exe without any user intervention could be a very dangerous client as rogue web servers could send it any arbitrary executable that did all sorts of harm (viruses, ransom-ware, etc...).
Do I need to create and run the file and erase it right away?
Yes, erase it after the program is done running.
I want is for the files to run and not remain on my PC.
You will just have to clean it up at some point after it has run. If you have a programmatic client, it should be no big deal to put the file in an application-level temporary directory that your app can regular clean up. If this is from a browser, then he user controls where the file goes on disk and the user controls when it gets deleted - you can't manage that yourself from within a webpage.
Or I can get a Blob object using the http method in Nodejs.
You can download a binary. Not sure exactly what you're asking here.
Ok, I have never seen anything like this before and hoping someone else has. I just finished patching our Dev and Test servers to Nov2017CU (SharePoint 2013). Since then, any solutions that are using JS injection from Site Assets are not updating. I'll make a change to the file, the library reflects that I made the change, but when I attempt to load the page accessing the js file, the changes are not reflected. Hard refreshes and full cache cleans are not affecting it. If I close and reopen my editor (VSCode) my changes are gone. When I look at the version history, the current version doesn't have my changes, but the previous version does. If I try to revert to that version, it doesn't take (still shows the previous version of the file).
Here's where it becomes extra weird. I have deleted the entire file from the library. Reset IIS (heck, I even rebooted the server at one time). It somehow still loads the file. The file is no longer in the library, but the server is still serving it up to the browser. I have confirmed it is not getting it from another location as the Dev tools are showing the file is located in the Asset Library the file was deleted from. Even users who have never accessed the site before are still getting that file in their browser.
This isn't limited to a single site either. I have other developers in different sub sites (same site collection) that are having the same issues.
Anyone seen this before?
Looks like your web application has BLOB cache enabled which is causing files to served from the cache.
There are 2 ways to fix:
1) The heavy handed way would be to flush the BLOB cache using powershell commands mentioned:
$webApp = Get-SPWebApplication "<WebApplicationURL>"
[Microsoft.SharePoint.Publishing.PublishingCache]::FlushBlobCache($webApp)
This will flush all the files in the BLOB. Usually, the files are cached based on the max-age attribute value. So, that is the reason that your files are being served even if you had deleted it from the source.
2) The surgical knife approach would be to append a query string, like (https://sitecollurl/siteassets/app.js?v=1.1), to the file references (usually in master page, page layouts, webpart references, script links etc. wherever it is referenced). When you append a query string to the file, it will force the browser to download the newer version of the file. Would prefer this approach as it will not unnecessarily clear other files from BLOB.
We are working on a website to allow animated GIF upload. To ensure the image is indeed an image and without malware/virus/backdoor/trojan or anything other than image data itself, we try to recreate the original image.
However, the process itself will take sometime when there are lots of frames inside. Is there any other way to ensure an uploaded animated GIF file is free from the issues mentioned above?
You can never 100% guarantee that a file does not contain malware - even with your approach there is the chance that the gif contains some code that could be malicious simply by opening the image in a vulnerable viewer.
That said, the chances are low and you can expect these sort of bugs to be patched fairly quickly in most modern operating systems.
There are various checks you can do on uploaded files though that take less processing time:
Check the file name extension is what you expect - ignore the content-type at upload stage though as this can be spoofed.
Virus scan all uploaded files with a virus scanner with up to date definitions.
Do not store the files in a location where they can be executed - e.g. do not store in the web root (www.example.com/uploads/image.aspx).
Serve the files via a program or script that reads them from storage as data and then streams the output to the browser.
When serving the files, ensure the correct content-type, and if possible, filename extension is set correctly. Use Content-Disposition to set the name the browser will use:
Content-Disposition: attachment; filename="fname.ext"
I'm working in a end-user app that will create documents that could have several files inside it.
The main resource is a sqlite database. The user can store several media files that are referenced form that database.
My first impulse is use OSX Bundles, but that will show that are folders on windows.
Or put all the data inside the sqlite database, but will have issues when try to open large files.
Or maybe inside a zip file but need to compress/decompress.
Or maybe exist a magic trick to show a folder as a file under window...
Exist a working VFS (virtual file system) for iOS?
I'd go for a well-known archiving format such as zip or tar, because I'm sure there are pre-made libraries for those that you can use. By the way, the ZIP format allows you to store files without compression as well.
Yes, you can use our SolFS Application Edition, this is exactly what you are looking for and it's available for iOS as well as all other major platforms.
ZIP has the problem of ineffective modification - it's slow and resource-consuming.
I have a need to convert any document gets uploaded to Image.
I downloaded the exe (with all the dlls) on my local machine (dont have to install)
export.exe sourcefile.doc destinationfile.gif >> this syntax works from my local dos prompt.
How do I use the same syntax "export.exe exampledoc.doc exampledoc.gif" when an item is added to sharepoint doc library.
and Do I need to put the folder (where the exe and dlls are for this) in the sharepoint frontend server so it's accessible? If yes, where should this folder reside? Does the folder and files need sharepoint service account access?
I am totally new and I would really like if someone can shed some light on this (step by step if possible)?
Thanks
Justin...
In order to do this from a SharePoint event handler, each WFE on the farm would need to have your conversion application available, your event handler code would need to place the uploaded file in a temporary location on disc, invoke the conversion application (look at the .NET Process class for this), cancel the addition of the original, unconverted document, and add the output of your processed file to the library (ensure you use the DisableEventFiring() method of the event handler as to not have the event handler trigger itself during the addition of the new file), and then clean up after itself.
Having said that, this operation seems like something that you really wouldn't want to tax a web server getting any real traffic with doing in real time. You may want to look into batching the jobs to be done daily during traffic lulls by another system, or one dedicated resource on the farm.