by Lab3301
2716 days ago
A big problem with security is that you don't know what you don't know. Want to allow users to upload images?

* Make sure submitted files are actually images
* Limit file size to prevent denial of service
* Normalize the filename to prevent directory traversal
* Add a randomized component to filenames to prevent users from overwriting each other's files
* Serve the file with the proper content type
* HTML-encode the filename for display

Then, oops, you didn't know SVGs allowed JavaScript, so now you have stored XSS. I don't think that's negligence, it's just not something you'd necessarily know until you saw it. And this doesn't even consider language quirks and gotchas that are even more esoteric.
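The checklist above, worked through as an added example (this is not code from the original comment or from any project it refers to). It decides the image type from the file's leading bytes rather than from the client-supplied extension or Content-Type, which is also what catches the SVG case: SVG is XML and can carry `<script>` and `onload=` handlers, so it is refused as an "image" outright. The size limit, the allowed signature table and the sample uploads are constructed for this example; the response headers shown for serving the stored file are the ones I would use, not something the thread specifies.

```python
import html
import os
import re
import secrets
import unicodedata

MAX_BYTES = 5 * 1024 * 1024  # assumed limit for this example

# Leading-byte signatures for the raster formats we accept. The extension and
# Content-Type we store come from this table, never from the client.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("png", "image/png"),
    b"\xff\xd8\xff": ("jpg", "image/jpeg"),
    b"GIF87a": ("gif", "image/gif"),
    b"GIF89a": ("gif", "image/gif"),
}


class UploadRejected(ValueError):
    pass


def sniff_image(data: bytes):
    """Return (extension, content_type) for a recognised raster image, else None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def is_svg(data: bytes) -> bool:
    # SVG is XML, and a browser will run script inside it if it is rendered
    # inline from our origin. Treat it as active content, not as an image.
    head = data[:4096].lstrip().lower()
    return head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head)


def normalize_filename(name: str) -> str:
    """Keep only a safe final path component (defeats ../ and ..\\ traversal)."""
    name = unicodedata.normalize("NFKC", name)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    name = name.lstrip(".")  # no hidden files and no bare ".." survivors
    return name[:64] or "upload"


def validate_image(upload_name: str, data: bytes):
    """Apply the checklist; return (stored_name, content_type) or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if is_svg(data):
        raise UploadRejected("SVG is not accepted as an image upload")
    sniffed = sniff_image(data)
    if sniffed is None:
        raise UploadRejected("not a recognised image")
    ext, content_type = sniffed
    base = normalize_filename(upload_name).rsplit(".", 1)[0]
    # Random component: two users uploading "avatar.png" get different keys.
    stored = f"{base}-{secrets.token_urlsafe(12)}.{ext}"
    return stored, content_type


def store_image(upload_name: str, data: bytes, upload_dir: str):
    stored, content_type = validate_image(upload_name, data)
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, stored))
    # Defence in depth: the final path must still be inside upload_dir.
    if os.path.commonpath([root, path]) != root:
        raise UploadRejected("path escaped upload directory")
    with open(path, "wb") as fh:
        fh.write(data)
    return stored, content_type


def response_headers(stored_name: str, content_type: str) -> dict:
    """Headers for serving a stored upload: the sniffed type, no MIME sniffing,
    download rather than inline render, and a sandboxing CSP so that even a
    mis-classified file cannot run script in our origin."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def display_name(name: str) -> str:
    """HTML-encode the original filename before echoing it into a page."""
    return html.escape(name, quote=True)


# Constructed sample uploads for the demo (not real user data).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>'
SAMPLE_HTML_AS_PNG = b"<html><script>alert(1)</script></html>"


def demo() -> dict:
    """Run each sample through validate_image and collect the outcome per label."""
    results = {}
    for label, name, data in [
        ("png", "avatar.png", SAMPLE_PNG),
        ("svg", "avatar.svg", SAMPLE_SVG),
        ("html", "avatar.png", SAMPLE_HTML_AS_PNG),
        ("traversal", "../../etc/passwd", SAMPLE_PNG),
        ("oversize", "big.png", SAMPLE_PNG + b"\x00" * MAX_BYTES),
    ]:
        try:
            results[label] = validate_image(name, data)[0]
        except UploadRejected as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} {outcome}")
```

Note that the SVG check is only a named special case: any upload whose bytes do not match a raster signature is refused anyway, so an HTML file renamed to `.png` is rejected on the same path. If you do need to accept SVG, serve it from a separate origin with the headers above (attachment, nosniff, sandboxing CSP) rather than inline from the application's own origin.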
Right, but presumably you're using the standard techniques to mitigate XSS, e.g. sanitizing all other text input, using an X-XSS-Protection header, using a CSP that only allows scripts that have been whitelisted, etc.
Even if you don't know that an SVG can contain JS, that shouldn't put your users at risk if you're doing everything else correctly. And then when that gets caught in an audit or reported by a user or as part of a bug bounty, you can fix it. (Although if you're going to be serving up a certain UGC file type to users, I don't think it's unreasonable to expect people to Google for vulnerabilities associated with that file type.)
Developers shouldn't be expected to have perfect security knowledge or to never make mistakes, but I think it is reasonable to expect them to not be grossly negligent. I don't want to live in a world where only people wealthy enough to afford full security audits before they get any traction should be allowed to launch products, but I also think developers should be held accountable if they're recklessly endangering people.