
Currently working on a web application which allows users to upload files onto one of our Windows servers. The application is built in ASP.NET MVC with a MySQL backend. The uploaded files are not stored on the web server, and so are inaccessible through the application.

Good practice for file uploads is to limit the extensions to relevant file types, but that's not going to wash here. If I'm to restrict uploads by extension, it has to be via a blacklist.

Searching suggests there are something like 50-odd file extensions I ought to be suspicious of, and block. On top of that, there's the potential for dangerous code to be hidden in other files like pdf.

However, the purpose of the application is to parse uploaded text files. Once files are up on the server, they're fed into a file stream and the contents combed through for data standardization. That's all it does.

Given that what we do with the files seems safe enough - we're not executing them or anything - do I really need to maintain an ever-expanding 50-string block list? Or are there some file types (e.g. .exe) that I can pick out as particularly dangerous without compromising security?

Bob Tway

1 Answer


A file extension is just part of the name and by itself says nothing about the content of the file. It is only used by the OS and applications to decide what to do with the file. Thus, if you have no component in your system which uses the extension to decide what to do with the file, then the extension does not matter at all and you will need neither a whitelist nor a blacklist.

But since you will process the files no matter which extension they have, what really matters is the content of the file. Thus make sure that your text processing itself can deal with unexpected content in a secure way. That means it should not make any kind of assumptions about the adherence of the input data to some standard, but should always assume that someone is feeding you slightly corrupted input data to exploit bugs in your application, as is currently done with images.

Steffen Ullrich
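The content-first check the answer recommends, as an added example that is not part of the question or the answer: the file name is ignored entirely and only the bytes decide whether the upload is text the parser may consume. It is written in Python rather than the asker's C# so the logic stands on its own; the size and line-length limits and the sample inputs are constructed for illustration.

```python
import codecs
import io
from typing import Iterator

MAX_BYTES = 10 * 1024 * 1024    # upload ceiling; a constructed limit, tune it to your records
MAX_LINE_CHARS = 10_000         # no expected text record is longer than this
_TEXT_CONTROL_OK = {0x09, 0x0A, 0x0D}   # tab, LF, CR: the only control bytes in plain text


def is_plausible_text(chunk: bytes) -> bool:
    """True unless the raw bytes contain control characters no text file has."""
    return all(b >= 0x20 or b in _TEXT_CONTROL_OK for b in chunk) and 0x7F not in chunk


def _check_line(line: str) -> str:
    line = line.rstrip("\r")
    if len(line) > MAX_LINE_CHARS:
        raise ValueError("line exceeds expected record length")
    return line


def read_text_upload(stream, max_bytes: int = MAX_BYTES) -> Iterator[str]:
    """Yield lines from an upload, failing closed on anything that is not text.

    The file name is never consulted; only the bytes decide what the file is.
    """
    decoder = codecs.getincrementaldecoder("utf-8-sig")(errors="strict")
    total, pending = 0, ""
    while chunk := stream.read(64 * 1024):
        total += len(chunk)
        if total > max_bytes:
            raise ValueError("upload exceeds size limit")
        if not is_plausible_text(chunk):
            raise ValueError("binary content: control bytes found")
        pending += decoder.decode(chunk)    # malformed UTF-8 raises UnicodeDecodeError
        *lines, pending = pending.split("\n")
        for line in lines:
            yield _check_line(line)
        if len(pending) > MAX_LINE_CHARS:   # bound the unterminated tail as well
            raise ValueError("line exceeds expected record length")
    pending += decoder.decode(b"", final=True)  # a truncated multibyte sequence raises here
    if pending:
        yield _check_line(pending)


def validate_upload(name: str, data: bytes, max_bytes: int = MAX_BYTES) -> tuple[bool, str]:
    """Return (accepted, reason). `name` is taken only to show it plays no part."""
    try:
        lines = list(read_text_upload(io.BytesIO(data), max_bytes))
    except ValueError as exc:               # UnicodeDecodeError is a ValueError subclass
        return False, str(exc)
    return True, f"{len(lines)} text lines"
```

A well-formed text file named `report.exe` is accepted, while a file named `notes.txt` that starts with an executable header is rejected on its bytes alone.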