Restrict S3 Upload to Certain File Content Types

I’ve had my site pen tested, and one topic that came up was that I am not restricting the content type of files that are uploaded to my AWS S3 bucket… so a malicious executable could be uploaded which has a file extension of .jpg, for example.

Does Wappler provide a way to restrict upload of specific file content type (so the actual content rather than just the extension)?

You need to apply a Policy to your S3 Bucket Antony. A quick search of Google/Stack Overflow should find what you need.

You may also wish to check out the AWS Malware Scanner too!

And finally, check out this Marcus Hutchins video for an interesting insight into a file type restriction bypass technique:

1 Like

I believe Content-Type can be spoofed and cannot be trusted.

It’s my opinion restricting Content-Type doesn’t lead to significant security improvements, I wouldn’t worry about it.

“mime_content_type” and “exif_imagetype” should be used for identification purposes only, not for security purposes!
The above functions should not be used for security purposes because both of them allow spoofed files!

Source:

2 Likes
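As an added illustration of the point made in the post above (example code, not from Wappler, AWS or any of the posters): the client-supplied Content-Type header is just a string, so the only thing a server can check is whether the bytes actually received look like the type that was declared. The signature table and the sample payloads below are constructed for the example; the function names are hypothetical.

```python
import os
from typing import Optional, Tuple

# Declared MIME type -> byte signatures ("magic numbers") the file content
# must begin with. Only the types we intend to accept are listed, so this
# table doubles as the allowlist. Constructed for this example.
SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "application/pdf": [b"%PDF-"],
}

# Declared MIME type -> file extensions it may legitimately carry.
EXTENSIONS = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "image/gif": {".gif"},
    "application/pdf": {".pdf"},
}


def sniff_content_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for mime, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def validate_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be written to the bucket.

    Three independent checks, all of which must agree:
      1. the declared Content-Type is on the allowlist,
      2. the file extension is one that type legitimately uses,
      3. the file content starts with that type's signature.
    Returns (accepted, reason).
    """
    # Strip parameters such as "; charset=binary" and normalise case.
    declared = declared_type.split(";")[0].strip().lower()
    if declared not in SIGNATURES:
        return False, "declared Content-Type not allowed"

    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXTENSIONS[declared]:
        return False, "file extension does not match declared Content-Type"

    if sniff_content_type(data) != declared:
        return False, "file content does not match declared Content-Type"

    return True, "ok"


# Constructed sample payloads (headers only, padded with zeros).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32
PE_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32      # Windows executable header
POLYGLOT_SAMPLE = b"\xff\xd8\xff" + PE_SAMPLE                 # JPEG signature glued on

if __name__ == "__main__":
    cases = [
        ("cat.jpg", "image/jpeg", JPEG_SAMPLE),
        ("cat.jpg", "image/jpeg", PE_SAMPLE),        # executable renamed to .jpg
        ("tool.exe", "application/x-msdownload", PE_SAMPLE),
        ("cat.png", "image/jpeg", JPEG_SAMPLE),
        ("cat.jpg", "image/jpeg", POLYGLOT_SAMPLE),  # passes the sniff check
    ]
    for args in cases:
        print(args[0], args[1], validate_upload(*args))
```

The last case is the caveat the quoted PHP documentation is making: a payload that merely starts with a valid signature still passes a magic-byte check, which is why `mime_content_type` and `exif_imagetype` are described as identification-only. Signature sniffing removes the trivial renamed-executable case; for images, decoding and re-encoding the file server-side before storing it is the stronger control.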

GREAT MINDS! This is what Marcus covers in the above video @Apple

2 Likes