10

From a programming perspective, there has long been a debate over whether to store files in a BLOB or Binary field in a database, or on the file system. The debate always seems to center around performance.

I've always wondered about the risk of infected files being saved in the database. Suppose I allow internal users to upload documents that are available on our company's website to our external customers. I would really hate to have our website serving infected PDF documents to our customers, for example.

Aside from incorporating policies that require our content editors to scan files before uploading them, is there any sort of protection that can be implemented to detect infected documents? I can't imagine that anti-virus can scan within BLOB fields (but I could be wrong on that).

It just seems more risky to me. If we have them upload to the file system, we can at least have anti-virus scanning the upload location.

Is this a valid concern? And if so, what tools or approaches are recommended for dealing with this potential threat?

Gilles 'SO- stop being evil'
David Stratton

3 Answers

11

This has been answered before on this site, in extensive detail. See these questions:

The answer to your question about databases and the format of the file is: it doesn't matter how you store the file. The risks are the same whether the uploaded file is stored as a BLOB, as a binary field, on the file system, or in some other way. That's just an implementation detail.

What's important is what kind of validation you do, and how you address the threats. Any of the standard mitigations can be made to work, no matter how you decide to store the uploaded file -- the important thing is that you understand the risks and select mitigations that are appropriate for your application.

For general advice relating to web security, OWASP is always a good resource.

D.W.
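Added example, not part of the answer above or of any project's own code: one way to make scanning independent of storage is to scan the uploaded bytes before they are written to a BLOB column, and to re-scan stored rows after a signature update. It assumes a ClamAV `clamd` daemon listening on 127.0.0.1:3310 and uses its INSTREAM command; SQLite, the `documents` table and the function names are illustrative choices.

```python
import hashlib
import socket
import sqlite3
import struct

CLEAN = "stream: OK"  # clamd's reply to INSTREAM when nothing is detected

def clamd_scan(data, host="127.0.0.1", port=3310, chunk=8192):
    """Stream bytes to clamd (assumed local daemon) and return its verdict."""
    with socket.create_connection((host, port), timeout=30) as s:
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), chunk):
            part = data[i:i + chunk]
            s.sendall(struct.pack("!I", len(part)) + part)  # length-prefixed chunk
        s.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
        reply = b""
        while block := s.recv(4096):
            reply += block
    return reply.rstrip(b"\0").decode(errors="replace").strip()

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS documents("
               "name TEXT PRIMARY KEY, sha256 TEXT, body BLOB)")
    return db

def store_upload(db, name, data, scan=clamd_scan):
    """Scan first, insert second; fail closed on any non-clean verdict."""
    try:
        verdict = scan(data)
    except OSError as exc:  # scanner down: refuse rather than store unscanned
        raise RuntimeError("scanner unavailable, upload refused") from exc
    if verdict != CLEAN:
        raise ValueError(f"upload rejected: {verdict}")
    digest = hashlib.sha256(data).hexdigest()
    with db:
        db.execute("INSERT INTO documents VALUES (?, ?, ?)", (name, digest, data))
    return digest

def rescan(db, scan=clamd_scan):
    """Re-check stored BLOBs, e.g. after a signature update; return flagged names."""
    rows = db.execute("SELECT name, body FROM documents").fetchall()
    return [name for name, body in rows if scan(body) != CLEAN]
```

An upload larger than clamd's configured stream size limit gets an error reply, which this code also treats as a rejection.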
3

Storing a file in a database or storing it as a file can both be done in a secure or insecure way. There are also databases that are designed to store files, such as Amazon S3 and Google Blobstore. Even though it is stored as a BLOB datatype, the database is storing everything in a file on the file system.

There are always security concerns, and there is very little difference between these approaches. It's more about building an application that accounts for threats.

rook
0

Depends on the database platform. With Oracle you can mount the 'database' as a file system (at least in Linux). As such you've got a few more options for storing/scanning the files.

http://docs.oracle.com/cd/E14072_01/appdev.112/e10645/adlob_fs.htm

Basically a database and a file system are both just data storage mechanisms.

Gary