iv1t3 / django-middleware-fileuploadvalidation Goto Github PK

Instead of having one large validation/basic.py:guess_mime_type_and_maliciousness(), it would be useful to aggregate the guessing_scores in each individual function in which the required information has been collected.

https://github.com/uploadcare/pillow-simd

Hi
I ran into the following problem
django.core.exceptions.ImproperlyConfigured: WSGI application 'main.wsgi.application' could not be loaded; Error importing module.
Can anyone help me?

my settings:
WSGI_APPLICATION = 'main.wsgi.application'

Besides PHP code (#17), the keyword-search-based analysis that is (to be) performed in a first step should also look for other possibly nasty stuff, such as Shebangs at the beginning of a file.

All processing that is potentially dangerous, such as parsing files or re-rendering images, should be performed in an isolated sandbox.

https://github.com/pikepdf/pikepdf

I get a crash when using ASGI. This line fails to convert since ASGIRequest.environ does not exist.

The python mimetype module only includes 130 types. Implement own mimetypes module with more types.

Core features:

• get_all_mime_type() - return all available types
• get_extension(mime_type) - return extension of given MIME
• get_type(extension) - return MIME type of given extension

https://opensource.googleblog.com/2024/02/magika-ai-powered-fast-and-efficient-file-type-identification.html?m=1

Look into response to detect possible exploits that have been executed and prevent information leakage.

Currently, upload restrictions can only be applied application-wide. The middleware should be able to differentiate between multiple upload forms and their designated usage to allow a variety of upload forms with different upload restrictions.

Django decorators could provide a suitable solution, since they could be used to notify the middleware which restrictions to apply. If no decorator was supplied, a default restriction set should be applied as a fallback option.

In order to better structure the reporter ouput, cluster all yara matches (from quicksand and custom) into a single dict in file.detection_results.yara_matches. Store other quicksand data in file.detection_results.quicksand.

For example, webapp may decompress file and place the contents somewhere in a webroot …

Remove the parsing of file names with just period slicing. Improved method still has to be discussed.

I would suggest to completely remove the EXIF analysis as it currently only performs a keyword search. This keyword search should be realized in a preceding step before applying any file-type specific validations (probably somewhat the direction of #17).

This will further allow to have individual restrictions for each upload view. However, this will probably require shifting much validation into process_view().

https://github.com/tiran/defusedxml

Description

Currently, each Django view requires custom configuration for file upload validation. This process involves modifying the settings.py file to set various parameters for each upload type, like file size limits, whitelists, and others. This approach, while functional, can become cumbersome for developers, especially when dealing with multiple views and file types.

To streamline this process, I propose the implementation of decorators that can be applied directly to Django views. Decorators would allow developers to easily configure file upload validations on a per-view basis without the need to alter the settings.py file for each case. This would lead to cleaner, more maintainable code and a more straightforward implementation process.

Here's an example of how such a decorator could be used:

from django_middleware_fileuploadvalidation.decorators import file_upload_config

@file_upload_config(file_size_limit=2000000, keep_original_filename=True, whitelist=["application/pdf"])
def upload_pdf_view(request):
    # View logic for uploading PDF files
    ...

@file_upload_config(whitelist_name="IMAGES_ALL")
def upload_image_view(request):
    # View logic for uploading images
    ...

In this example, the file_upload_config decorator is used to define upload constraints directly above the view functions. This would override the default configurations set in the settings.py file for these specific views.

The benefits of this approach include:

1. Improved clarity: Decorators make it explicit what configurations apply to which views.
2. Enhanced flexibility: Developers can easily customize file upload constraints for individual views.
3. Reduced boilerplate: Less need to repetitively define configurations in settings.py.

I believe this feature would greatly enhance the usability of the django-middleware-fileuploadvalidation project and I am eager to hear thoughts and suggestions from the community on this proposal.

Currently, the web dev has to add all upload configurations to settings.py even if equal to default configuration. Implement functionality to find all missing configurations and fill with default.

https://github.com/tylabs/quicksand

Summary

Currently, our Django FileUploadValidation Middleware only returns HttpResponseBadRequest when it encounters a problem with a file upload. This behavior can be restrictive and may not suit all use cases in modern web applications. This issue proposes enhancements to make our response handling more flexible and adaptable to various needs.

Current Behavior

• The middleware processes file uploads in POST requests.
• If an issue is detected (e.g., file validation fails), the middleware returns HttpResponseBadRequest.
• There's no option to customize this behavior or handle different scenarios in more nuanced ways.

Proposed Improvements

• Configurable Response Types: Allow developers to configure the type of response the middleware should return in case of different types of upload errors. This could include options for different HTTP status codes or custom response messages.
• Detailed Error Information: Instead of a generic error response, the middleware could provide detailed error messages or codes. This information can help frontend applications to better inform users about the specific issue with their upload.