File upload virus scanning

Added by Matt Page about 1 year ago

Hello

I am using Modsecurity to scan uploaded files for a bunch of websites.

Modsecurity expects a Content-Type of multipart/form-data and Content-Disposition with a filename parameter in order to detect uploaded files, and hand them off to a script for scanning.

Redmine seems to use a custom method of handling file uploads, where the Content-Type is application/octet and the filename is passed via a URL query.

I want to change Redmine so that files are uploaded using a multipart/form-data. My initial thoughts are that this will require changes to both the frontend and backend code.

Does anyone have any suggestions to modify the behavior with minimal code changes (I'd rather not deviate from the Redmine source)?

Thanks

Replies (8)

RE: File upload virus scanning - Added by Liane Hampe about 1 year ago

Hi Matt,

I don't know how to use Modsecurity. But as far as I understand from https://www.feistyduck.com/library/modsecurity-handbook-2ed-free/online/ch03-configuration.html, it means that the files need to be posted via a multipart/form-data request, right?

This is true for all rails forms having the option 'multipart: true' set or using form_with in combination with the model name. You can read it here: https://guides.rubyonrails.org/form_helpers.html#uploading-files.

Therefore, I would expect that it will work with Modsecurity and Redmine. Or did you already give it a try without success?

Best Regards,
Liane

RE: File upload virus scanning - Added by Matt Page about 1 year ago

Hi Liane

Thanks for looking into this. I think the problem is that the file upload is done before the form is submitted; this is the case both when adding a file via the 'Files' menu and when adding a file to an issue.

I click browse, then select a file at which point the file is posted to the server (this is before the form itself is submitted). Here the request is made with a content type of octet-stream, so it's not possible for modsecurity to intercept.

This being the case, it looks like I'll need to rewrite the frontend and backend logic for these types of asynchronous file uploads in order to get the files into the request body as a multipart/form-data request, unless there's a way to modify the behaviour that you know of?

Again, thanks for your time. Your help is much appreciated.

Thanks

Matt

RE: File upload virus scanning - Added by Matt Page about 1 year ago

Attaching the POST request headers for information.

headers.txt (536 Bytes)

RE: File upload virus scanning - Added by Matt Page about 1 year ago

I couldn't see any easy way to change the file upload behaviour, so I've opted instead to extend the model with an additional validator that passes the file data off for virus scanning which is working nicely.

Thanks

RE: File upload virus scanning - Added by Liane Hampe about 1 year ago

Hi Matt

Sounds great!

Could you please explain in more detail how the intersection between Modsecurity and Redmine is done? How do you pass the file data off to Modsecurity?

I guess this is a very useful feature for other Redmine users as well. And I would also much appreciate getting some more knowledge about increasing Redmine security. :)

Thanks

Liane

RE: File upload virus scanning - Added by Matt Page about 1 year ago

Hi Liane

I keep getting an 'internal server error' when I try to reply to this post with an explanation. Maybe my reply is too long!

Thanks

Matt

attachment-patch.txt (710 Bytes)

RE: File upload virus scanning - Added by Liane Hampe about 1 year ago

Hi Matt

No problem! Your short version is already very helpful.

Thank you very much for sharing this.

Liane

PS Concerning the 'internal server error', I will try it out with a huge text string in the current Redmine version. Maybe it's worth a ticket.

RE: File upload virus scanning - Added by Matt Page about 1 year ago

Great, just to confirm that I couldn't use Modsecurity in this case as uploads are not made via multipart/form-data. So instead, I'm intercepting the uploads at an application level via the attachment model and passing them straight to the AV.

Thanks

Matt
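Added example (not Matt's attachment patch and not Redmine code): a plain-Ruby client for the clamd INSTREAM protocol, plus the check an Attachment validator could call to reject an infected upload. The `validate :virus_free` hook, the clamd address and the `FakeClamd` stand-in (used so the example runs offline) are assumptions.

```ruby
require 'socket'
require 'stringio'

# Scans an attachment's bytes with clamd over its INSTREAM protocol (as
# documented in clamd(8)): "zINSTREAM\0", then length-prefixed chunks
# (4-byte big-endian length + data), ended by a zero-length chunk; clamd
# answers "stream: OK\0" or "stream: <signature> FOUND\0".
module AvScan
  CHUNK = 64 * 1024
  Result = Struct.new(:clean, :signature)

  def self.scan_io(io, socket)
    socket.write("zINSTREAM\0")
    while (chunk = io.read(CHUNK))
      socket.write([chunk.bytesize].pack('N'))
      socket.write(chunk)
    end
    socket.write([0].pack('N'))
    parse_reply(socket.gets("\0").to_s.chomp("\0"))
  end

  def self.parse_reply(reply)
    case reply
    when /\Astream: OK\z/ then Result.new(true, nil)
    when /\Astream: (.+) FOUND\z/ then Result.new(false, Regexp.last_match(1))
    else raise "unexpected clamd reply: #{reply.inspect}" # ERROR, closed socket, size limit
    end
  end

  # The check an Attachment validator would run (hypothetical hook, e.g.
  # `validate :virus_free` added from a plugin): nil when clean, else the
  # message to add to the record's errors. Fail closed on a scanner error.
  def self.rejection_message(io, socket)
    result = scan_io(io, socket)
    result.clean ? nil : "rejected by antivirus (#{result.signature})"
  end

  # Real deployment: stream the temp file to a clamd TCP listener
  # (assumed address; clamd also supports a UNIX socket).
  def self.scan_path(path, host: '127.0.0.1', port: 3310)
    File.open(path, 'rb') { |f| TCPSocket.open(host, port) { |s| scan_io(f, s) } }
  end

  # Constructed stand-in for clamd so the example runs offline: it records
  # what the client sent and returns a canned reply.
  class FakeClamd
    attr_reader :received
    def initialize(reply); @received = String.new; @reply = StringIO.new(reply); end
    def write(data); @received << data.b; data.bytesize; end
    def gets(sep = "\n"); @reply.gets(sep); end
  end
end
```

Because the scan runs in a validation, a hit stops the attachment before Redmine moves the temp file into its files directory.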
