iv1t3 / django-middleware-fileuploadvalidation
A Django middleware to validate user file uploads and detect malicious content.
License: Apache License 2.0
Instead of having one large validation/basic.py:guess_mime_type_and_maliciousness(), it would be useful to aggregate the guessing_scores in each individual function in which the required information has been collected.
Hi,
I ran into the following problem:
django.core.exceptions.ImproperlyConfigured: WSGI application 'main.wsgi.application' could not be loaded; Error importing module.
Can anyone help me?
My settings:
WSGI_APPLICATION = 'main.wsgi.application'
Besides PHP code (#17), the keyword-search-based analysis that is (to be) performed in a first step should also look for other possibly nasty stuff, such as shebangs at the beginning of a file.
All processing that is potentially dangerous, such as parsing files or re-rendering images, should be performed in an isolated sandbox.
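One way to implement the first-pass keyword check described above (a shebang at the very start of the file, PHP open tags anywhere in the leading bytes), as an added example that is not the project's own code; scan_leading_bytes, the rule names and the sample bytes are assumptions.

```python
import re

# Leading byte-order marks, stripped first so a shebang behind one is still seen.
_BOMS = (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")
# PHP open tags (full and short echo form); "<?xml" deliberately does not match.
_PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def scan_leading_bytes(data: bytes, limit: int = 4096) -> list:
    """Return keyword findings for the first `limit` bytes of an upload.

    Runs before any type-specific validation, so it is independent of the
    claimed or guessed MIME type. Each finding is {"rule", "offset", "match"}.
    """
    head = data[:limit]
    for bom in _BOMS:
        if head.startswith(bom):
            head = head[len(bom):]
            break
    findings = []
    # A shebang only counts at offset 0; "#!" elsewhere is ordinary content.
    if head.startswith(b"#!"):
        first_line = head.split(b"\n", 1)[0]
        findings.append({"rule": "shebang", "offset": 0, "match": first_line[:64]})
    for m in _PHP_TAG.finditer(head):
        findings.append({"rule": "php_open_tag", "offset": m.start(), "match": m.group(0)})
    return findings


# Constructed sample uploads (not real files): a shell script with an image
# extension, a genuine JPEG header, PHP inside a text file, a BOM-prefixed shebang.
SAMPLES = {
    "script.png": b"#!/bin/sh\necho hi\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "note.txt": b"hello <?php echo 1; ?>",
    "bom.txt": b"\xef\xbb\xbf#!/usr/bin/env python3\n",
}


def flagged(samples=SAMPLES) -> dict:
    """Map each sample name to the list of rule names that fired."""
    return {name: [f["rule"] for f in scan_leading_bytes(data)] for name, data in samples.items()}


if __name__ == "__main__":
    for name, rules in flagged().items():
        print(f"{name}: {rules or 'clean'}")
```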
I get a crash when using ASGI. This line fails to convert since ASGIRequest.environ does not exist.
The Python mimetypes module only includes 130 types. Implement an own mimetypes module with more types.
Core features:
Look into response to detect possible exploits that have been executed and prevent information leakage.
Currently, upload restrictions can only be applied application-wide. The middleware should be able to differentiate between multiple upload forms and their designated usage to allow a variety of upload forms with different upload restrictions.
Django decorators could provide a suitable solution, since they could be used to notify the middleware which restrictions to apply. If no decorator was supplied, a default restriction set should be applied as a fallback option.
In order to better structure the reporter output, cluster all yara matches (from quicksand and custom) into a single dict in file.detection_results.yara_matches. Store other quicksand data in file.detection_results.quicksand.
For example, webapp may decompress file and place the contents somewhere in a webroot …
Remove the parsing of file names with just period slicing. Improved method still has to be discussed.
I would suggest to completely remove the EXIF analysis as it currently only performs a keyword search. This keyword search should be realized in a preceding step before applying any file-type specific validations (probably somewhat the direction of #17).
This will further allow to have individual restrictions for each upload view. However, this will probably require shifting much validation into process_view().
Currently, each Django view requires custom configuration for file upload validation. This process involves modifying the settings.py file to set various parameters for each upload type, like file size limits, whitelists, and others. This approach, while functional, can become cumbersome for developers, especially when dealing with multiple views and file types.
To streamline this process, I propose the implementation of decorators that can be applied directly to Django views. Decorators would allow developers to easily configure file upload validations on a per-view basis without the need to alter the settings.py file for each case. This would lead to cleaner, more maintainable code and a more straightforward implementation process.
Here's an example of how such a decorator could be used:
```python
from django_middleware_fileuploadvalidation.decorators import file_upload_config

@file_upload_config(file_size_limit=2000000, keep_original_filename=True, whitelist=["application/pdf"])
def upload_pdf_view(request):
    # View logic for uploading PDF files
    ...

@file_upload_config(whitelist_name="IMAGES_ALL")
def upload_image_view(request):
    # View logic for uploading images
    ...
```
In this example, the file_upload_config decorator is used to define upload constraints directly above the view functions. This would override the default configurations set in the settings.py file for these specific views.
The benefits of this approach include:
settings.py.
I believe this feature would greatly enhance the usability of the django-middleware-fileuploadvalidation project and I am eager to hear thoughts and suggestions from the community on this proposal.
Currently, the web dev has to add all upload configurations to settings.py even if equal to default configuration. Implement functionality to find all missing configurations and fill with default.
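A sketch of how the per-view decorator proposed above and the fill-missing-with-defaults behaviour of this issue could fit together in process_view(), as an added example rather than the project's code. file_upload_config, UploadRestrictionMiddleware, DEFAULT_UPLOAD_CONFIG, NAMED_WHITELISTS and the sample values are assumptions; the middleware is plain Python with Django's hook signatures so it runs without Django installed.

```python
from functools import wraps

# Constructed defaults standing in for the project's settings.py entries.
DEFAULT_UPLOAD_CONFIG = {
    "file_size_limit": 1_000_000,
    "keep_original_filename": False,
    "whitelist": ["image/png", "image/jpeg"],
}
# Constructed named whitelist, matching the proposal's whitelist_name="IMAGES_ALL".
NAMED_WHITELISTS = {"IMAGES_ALL": ["image/png", "image/jpeg", "image/gif"]}

def file_upload_config(**restrictions):
    """Attach upload restrictions to a view (assumed API); unknown keys fail at import time."""
    unknown = set(restrictions) - set(DEFAULT_UPLOAD_CONFIG) - {"whitelist_name"}
    if unknown:
        raise TypeError(f"unknown upload restriction(s): {sorted(unknown)}")
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            return view(request, *args, **kwargs)
        wrapper.upload_config = dict(restrictions)  # read later by process_view()
        return wrapper
    return decorator

def resolve_upload_config(view_func):
    """Merge the view's decorator settings over the defaults; an undecorated view gets the defaults."""
    overrides = dict(getattr(view_func, "upload_config", {}))
    name = overrides.pop("whitelist_name", None)
    if name is not None:
        overrides["whitelist"] = list(NAMED_WHITELISTS[name])
    return {**DEFAULT_UPLOAD_CONFIG, **overrides}

class UploadRestrictionMiddleware:
    """Django-style middleware (assumed name). process_view() runs after URL resolution,
    so the resolved view function is known and its restrictions can be chosen there."""
    def __init__(self, get_response):
        self.get_response = get_response
    def __call__(self, request):
        return self.get_response(request)
    def process_view(self, request, view_func, view_args, view_kwargs):
        request.upload_config = resolve_upload_config(view_func)
        return None  # file validation would now check request.FILES against request.upload_config

@file_upload_config(file_size_limit=2_000_000, keep_original_filename=True, whitelist=["application/pdf"])
def upload_pdf_view(request):
    return "pdf"

@file_upload_config(whitelist_name="IMAGES_ALL")
def upload_image_view(request):
    return "image"
```

Because the decorator only records the overrides and resolve_upload_config() layers them over DEFAULT_UPLOAD_CONFIG, a view that sets one key, or no decorator at all, still ends up with a complete restriction set.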
Currently, our Django FileUploadValidation Middleware only returns HttpResponseBadRequest when it encounters a problem with a file upload. This behavior can be restrictive and may not suit all use cases in modern web applications. This issue proposes enhancements to make our response handling more flexible and adaptable to various needs.