File security question

daves88 · July 20, 2023, 11:34pm

Hi Wapplers,

If I allow my users to upload files to their account, how secure are their files? I am worried that someone can do a scan of my website for all folder directories, then open a file directly using the file link. The files are stored in their own folder that they create in /public/uploads/theclientfolder/theclientfiles

I am worried that anyone can view and download files once they know the directory names.

I have read on previous threads that if I store the files not in /public then the directors won’t show up in a scan. Is that correct? If so, can I just change the file uploads directors in project settings or will that have adverse effects in my app?

I can’t use .htaccess Order allow,deny Deny from all as I am running NodeJS. Anyone know what the equivalent of this is? I need to disable directory listings of my site, but since I am using NodeJS this is proving difficult.

I would like to use S3 on digital ocean but I need the ability for the client to create an empty folder and download all files as a ZIP, which I don’t think can be done using S3.

Any tips on above would be greatly appreciated!

Thanks

brad · July 20, 2023, 11:53pm

You could include a blank index.html file in each folder. Of course this may be more difficult if the folders are dynamic.

jimed99 · July 20, 2023, 11:59pm

For DO Spaces you’ll learn how to use CORS. Here’s a short insight to what it is and does:

daves88 · July 21, 2023, 12:07am

thanks for your responses. Any quick fix without using S3? I just need to restrict directory listings of the folders, or prevent non-logged in users from accessing file links directly.

Apple · July 21, 2023, 1:14am

The correct way is you change the uploads directory to somewhere not the public folder, and you use Download File (or File Download, unsure) step to serve the file from a server action. This server action should have a check to only proceed if the user is authorized to download such file

daves88 · July 21, 2023, 1:26am

Thank you. If I change the uploads directors now, would it cause havoc with docker or my app? Or should it just update seamlessly?

Apple · July 21, 2023, 1:43am

I don’t think it’ll cause any troubles, and existing uploads should be “moved” automatically (technically they’re not moved, just mounted on the new directory location). This is because in the docker-compose file it lists a volume “user_storage” mapped to whatever directory you set in project settings. The files technically are in the volume “user_storage” which is managed by Docker, hence no “moving” is needed, and the folder is mounted at the new location.

Please make a backup of your server before trying

sitestreet · July 21, 2023, 11:16am

I put a .htaccess file into the folder where the uploads go containing this:

Order allow,deny
Deny from all

It means there’s no way to browse to the folder and see anything even if you know the filenames.

See this thread:

daves88 · July 22, 2023, 3:01am

Will this work if I am not running Apache? I’m on nodejs

sitestreet · July 22, 2023, 10:01am

Aah, no it won’t. I believe NodeJS lets you use a folder which is outside the public structure anyway so there wouldn’t be any need for extra security. But I’m still new to Node so am definitely not the person to advise!