4

I need to write an application that will interact with files uploaded from untrusted sources (users). Specs say I must support CSV and Excel. If I allow a user to upload an Excel file to the server and handle opening, processing and saving the file server-side, what kind of security concerns am I opening myself up to? What kind of mitigations can I bring to bear on the problem, or is this fundamentally unadvisable? (For these questions, assume that the web server role is running under a least privilege account.)

Edit Clarification:

In particular, I am concerned about the Excel file... do I have to worry about macro execution, or viruses, or it not being an Excel file? I would be opening this from a C# written back-end... what risk is there attempting to read this through an Excel interpreter?

cocogorilla
  • 1
    Since asking for product recommendation (e.g. open source libraries) is off topic here, I removed the last part of your question. If you disagree, feel free to roll back the edit. – Anders Jun 20 '16 at 22:40
  • 1
    Take a look at https://en.wikipedia.org/wiki/Confused_deputy_problem - you want to ensure that when opening and processing the files on the server side, it is done in a sandbox with well defined I/O permissions. – HTLee Jun 21 '16 at 02:27

2 Answers

3

I can think of the following scenarios:

  • Since you are processing your data and then carrying out a DB call, you should ensure that you use prepared statements in your web server. That will take care of all your SQL injection attacks.
  • If you are presenting the data on your webpage, then ensure you are sanitizing your input to prevent a stored XSS attack.
  • An attacker can change the order of the cells in the CSV file in order to crash the server. You should make your code independent of the cell ordering in the CSV file (it is very easy to implement). It is also a good-to-have feature.

In your case, you should be worried about secure coding of your application and handling different edge cases in the structure and contents of the file.
IMHO, all the applicable attack vectors here will be related to the data present in the files.

Limit
0

Proper input validation.
I have seen many times that applications handle special characters in the input fields very well, except when they are present in the data in the uploaded Excel file. Make sure any error message that you show for invalid data in the Excel file is a generic message and does not include the unencoded cell value. Otherwise your app will be vulnerable to XSS.

one
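The following C# example is added here and is not code from either answer. It shows the two validation points the answers raise for an uploaded CSV: columns are looked up by header name rather than position, and error messages identify the row and column without echoing the cell value. The column names, limits and message wording are assumptions, and it assumes a .NET runtime where `Microsoft.VisualBasic.FileIO.TextFieldParser` is available (.NET Core 3.0 or later).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using Microsoft.VisualBasic.FileIO;

public static class UploadValidator
{
    // Hypothetical schema for this example: the columns the importer requires.
    static readonly string[] Required = { "name", "quantity" };
    // Returns user-facing messages; an empty list means every row passed.
    public static List<string> Validate(TextReader upload)
    {
        var errors = new List<string>();
        using var parser = new TextFieldParser(upload);
        parser.SetDelimiters(",");
        try
        {
            // Map header names to positions so column order in the file is irrelevant.
            var index = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);
            string[] header = parser.ReadFields() ?? Array.Empty<string>();
            for (int i = 0; i < header.Length; i++) index[header[i].Trim()] = i;
            foreach (string col in Required)
                if (!index.ContainsKey(col)) errors.Add($"Missing required column '{col}'.");
            if (errors.Count > 0) return errors;
            for (int row = 1; !parser.EndOfData; row++)
            {
                string[] f = parser.ReadFields();
                // A short row yields an empty cell instead of an out-of-range access.
                string Cell(string col) => index[col] < f.Length ? f[index[col]].Trim() : "";
                // Generic messages: name the row and column, never echo the cell value.
                if (!int.TryParse(Cell("quantity"), out int qty) || qty < 0)
                    errors.Add($"Data row {row}: 'quantity' must be a non-negative whole number.");
                if (Cell("name").Length == 0 || Cell("name").Length > 100)
                    errors.Add($"Data row {row}: 'name' must be 1 to 100 characters.");
            }
        }
        catch (MalformedLineException) { errors.Add("The file is not well-formed CSV."); }
        return errors;
    }
    public static void Main()
    {
        // Constructed sample: columns reordered, one hostile cell, one short row.
        var csv = "quantity,name\n5,widget\n<script>alert(1)</script>,gadget\n7\n";
        foreach (string e in Validate(new StringReader(csv)))
            Console.WriteLine(WebUtility.HtmlEncode(e)); // encode at the output boundary too
    }
}
```

On the constructed sample this reports the second and third data rows without reproducing the script tag, and the reordered header does not affect which cell is read as `quantity`.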