
proposal/discussion: validation rules for files inside an archive if the application unpacks it or has business logic limits for other files

Open elarlang opened this issue 2 years ago • 2 comments

If an application allows users to upload archive files (such as zip) and then unpacks files from the zip into the application, then the application should validate each file inside the archive separately according to the file validation rules.

Or, more generally: if an application allows uploading files, including archives, and business logic rules exist for uploaded files, those rules should also apply to the files inside the archive.

... but an application may, by its business logic rules, just allow users to upload zip files and other users to download them.

So - do we need a requirement for that?

elarlang avatar Oct 23 '23 17:10 elarlang

Maybe it is solvable via https://github.com/OWASP/ASVS/issues/1604

elarlang avatar Oct 23 '23 19:10 elarlang

You know what I am going to say.... 🙃

tghosth avatar Oct 31 '23 16:10 tghosth

I totally agree that each file inside a zip needs to also go through a file validation/malware scanning/etc process like any other uploaded individual file.

jmanico avatar Nov 04 '24 15:11 jmanico

So how about this addition

12.1.5 [ADDED] Verify that if an application allows users to upload archive files (e.g., zip files), the application must individually validate each file within the archive according to established file validation rules.

jmanico avatar Nov 04 '24 15:11 jmanico

Another option is to modify 12.2.1, suggested by @tghosth

12.2.1 [MODIFIED] Verify that when the application accepts a file, it checks if the file extension matches an expected file extension and validates that the contents correspond to the type represented by the extension. This includes, but is not limited to, checking the initial 'magic bytes', performing image re-writing, and using specialized libraries for file content validation. This validation should apply to uploaded files and also to uploaded contents of an archive file, such as a zip.

jmanico avatar Nov 05 '24 10:11 jmanico

12.2.1 [MODIFIED] Verify that when the application accepts a file, either on its own or within an archive such as a zip file, it checks if the file extension matches an expected file extension and validates that the contents correspond to the type represented by the extension. This includes, but is not limited to, checking the initial 'magic bytes', performing image re-writing, and using specialized libraries for file content validation.

tghosth avatar Nov 05 '24 10:11 tghosth
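The proposed 12.2.1 wording above asks for the same extension-plus-content check on every member of an archive as on a standalone upload. The following is an added example of what that looks like in Python with the standard `zipfile` module; it is not code from the ASVS project or from any commenter. The extension allowlist, the magic-byte table and the 10 MiB per-entry cap are assumptions standing in for an application's own policy, and `build_sample_archive()` constructs a test zip inline rather than reading a real upload. Besides the per-file extension and magic-byte check, it also rejects member paths that would escape the extraction directory and members whose decompressed size exceeds the cap, since those are the two checks a reviewer would otherwise ask for next. Nested archives are rejected simply because `.zip` is not on the allowlist; an application that must accept them would call `validate_archive` recursively on each such member.

```python
from __future__ import annotations

import io
import os
import pathlib
import zipfile

# Allowlist of accepted extensions and the leading "magic bytes" their
# contents must start with. This table is an assumption for the example; a
# real application would load its own policy or use a content-sniffing library.
MAGIC_BY_EXT: dict[str, tuple[bytes, ...]] = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# Per-entry cap on uncompressed bytes (assumed value) so that a tiny archive
# cannot expand into more than the validator or the disk can handle.
MAX_ENTRY_SIZE = 10 * 1024 * 1024


def validate_file(name: str, data: bytes) -> tuple[bool, str]:
    """Apply the rules an individual upload gets: the extension must be on
    the allowlist and the leading bytes must match that type."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC_BY_EXT:
        return False, f"extension {ext or '(none)'} not allowed"
    if not any(data.startswith(magic) for magic in MAGIC_BY_EXT[ext]):
        return False, f"content does not match {ext}"
    return True, "ok"


def safe_member_path(name: str) -> bool:
    """Reject absolute paths, parent references and backslash separators so
    a member cannot be written outside the extraction directory."""
    path = pathlib.PurePosixPath(name)
    return not (path.is_absolute() or ".." in path.parts or "\\" in name)


def validate_archive(blob: bytes) -> list[tuple[str, bool, str]]:
    """Validate every file member of a zip archive individually.
    Returns (member name, accepted, reason) for each file entry."""
    results: list[tuple[str, bool, str]] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if not safe_member_path(name):
                results.append((name, False, "unsafe path"))
                continue
            # The header's size field is attacker-controlled, so the cap is
            # enforced on what is actually decompressed, not only on the header.
            if info.file_size > MAX_ENTRY_SIZE:
                results.append((name, False, "declared size exceeds limit"))
                continue
            with zf.open(info) as member:
                data = member.read(MAX_ENTRY_SIZE + 1)
            if len(data) > MAX_ENTRY_SIZE:
                results.append((name, False, "decompressed size exceeds limit"))
                continue
            accepted, reason = validate_file(name, data)
            results.append((name, accepted, reason))
    return results


def archive_is_clean(blob: bytes) -> bool:
    """True only if every member passed; one bad file rejects the whole
    archive instead of unpacking it partially."""
    return all(accepted for _, accepted, _ in validate_archive(blob))


def build_sample_archive() -> bytes:
    """Constructed test input, not a real upload: one valid PNG plus members
    that the per-file rules must reject."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as nested:
        nested.writestr("notes.txt", "nested archive")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        zf.writestr("shell.png", b"<?php echo 'not an image'; ?>")  # wrong content
        zf.writestr("tool.exe", b"MZ\x90\x00")                      # extension not allowed
        zf.writestr("inner.zip", inner.getvalue())                  # nested archive
        zf.writestr("../escape.pdf", b"%PDF-1.4\n")                 # path escapes target dir
    return buf.getvalue()


if __name__ == "__main__":
    for name, accepted, reason in validate_archive(build_sample_archive()):
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {name}: {reason}")
```

Reading each member fully before deciding is deliberate: checking only the central-directory metadata would let a member with a benign name and a lying size field through, and the magic bytes are only available once the content is decompressed. For large archives, stream each member to a temporary file with the same cap rather than holding it in memory.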

Closing this out from PR https://github.com/OWASP/ASVS/pull/2221

jmanico avatar Nov 05 '24 10:11 jmanico

I think this is a good compromise which hits the original goal of the issue without getting too prescriptive or complicated

tghosth avatar Nov 05 '24 10:11 tghosth