So I'm making a file uploader, and for that I need to be able to scan files for viruses and shit. To do so I have sophos which a bunch of parameters called by spawn like sojs const scanner = spawn("/opt/sophos-av/bin/savscan", ["-nc", "-nb", "-ss", "-remove", "-archive", "-suspicious", fullPath]);Where fullPath is the path to the upload directory + the file's uploaded name. And the uploaded name is [some random characters]_originalname.ext. (So 234753.jpg could end up getting called 5f6ae115f1b8_234753.jpg).Now I've tried many different weird filenames (combinations of special characters, I've even tried with just quotes, and I've also tried output from /dev/uranrom) to see what it would do. Yet all that really seems to happen is just what I want to happen when a scan is complete. No strange behaviour or anything (apart form the /dev/urandom output producing 404 when trying to access the uploaded file). So it kind of seems like what happens is the same as what happens when you used prepared statements in *SQL.. Now I have this nagging feeling that what I have at the moment isn't safe at all
Submitted August 01, 2018 at 08:37PM by inabahare
No comments:
Post a Comment