In this tip, I want to discuss about how to tackle insecure file upload scenarios. It's a common business case in most of the applications that need to upload to file(s) to server or database.
Type of file uploading scenarios:
- Static file(s) directly uploaded to server (on-premise or cloud)
- Static file converts to Base 64 String and Upload to Database
In both of these scenarios, if on-premise/cloud server or database not scanning malicious files, then those are entered into the server.
Scenarios like our personal PC or office PC antivirus system not detecting real-time, these malicious files can spread when uploading those to the server.
What are the good hygiene practices for our PC?
- Using up to date antivirus system
- Or if you don't have third-party AV software, you can use Windows Defender software
If still, our PC doesn’t have 3rd party AV software or WD software or current antivirus is not detecting properly. then when we try to upload a file, if it contains malicious content, then the same disaster can happen.
So at this moment, we have to think about workflows to avoid such disasters.
Scan file(s) options for the virus before uploading to the server that can integrate to inside the application.
- Using ClamAV Antivirus software solution (free and open source software)
- Before uploading to server exact path, upload to a temporary location in the server
- Using CLI wrappers for virus scan
Okay, now we focus on to how to implement each solution.
Clam AV
ClamAV Trademark
This sample Github project will show how to use ClamAv in ASP.NET MVC solution.
ASP.NET MVC Sample Application
TempLocation in Server
Normally, servers have antivirus software installed, so before uploading to the exact physical location, if uploading to a temporary location, then server antivirus software can do a real-time scan. after the scan, if it's not a malicious file, then those files can move to the exact location.
CLI Wrappers
This sample GitHub project shows how to use CLI wrappers to integrate for the solutions using various antivirus software.
Windows Defender
Usage example for Windows defender:
Sample Project With Windows Defender
CMD showing result of Windows Defender Scan result
class Program
{
static void Main(string[] args)
{
Console.WriteLine("Press enter to scan");
Console.ReadLine();
var sw = Stopwatch.StartNew();var exeLocation =
@"C:\Program Files\WindowsDefender\MpCmdRun.exe";
var fileToScan = @"D:\ML\wildfire.exe";
var scanner = new WindowsDefenderScanner(exeLocation);
var result = scanner.Scan(fileToScan, 10000);
sw.Stop();
Console.WriteLine(result);
Console.WriteLine($"Completed scan in {sw.ElapsedMilliseconds}ms");
Console.WriteLine("Press any key to exit.");
Console.ReadKey();
}
}
Likewise, other antivirus software can use like the following:
Avast
Usage example for Avast (ashcmd is shipped in paid versions only):
var exeLocation = @"C:\Program Files\AVAST Software\Avast\ashcmd.exe";
var scanner = new AvastScanner(exeLocation);
var result = scanner.Scan(@"C:\virus.txt");
Console.WriteLine(result);
AVG
Usage example for AVG (avgscanx.exe is x86, avgscana.exe is x64):
var exeLocation = @"C:\Program Files (x86)\AVG\Av\avgscanx.exe";
var scanner = new AVGScanner(exeLocation);
var result = scanner.Scan(@"C:\virus.txt");
Console.WriteLine(result);
Eset
Usage example for ESET:
var exeLocation = @"C:\Program Files\ESET\ESET Endpoint Antivirus\ecls.exe";
var scanner = new EsetScanner(exeLocation);
var result = scanner.Scan(@"C:\virus.txt");
Console.WriteLine(result);
If your antivirus software is not listed above, you can approach them via their forum or helpline.
Windows Defenders comes as default installed software in Windows Servers, So if you're using Windows, server can use windows defender approach for the scan process.
If there is anything I have missed in this article, please share it with me on the comment section, I will discuss more of that. Looking forward to your feedback. :)
History
- 20th April, 2020: Initial version
Submit an article or tip
