Request for Enhanced File Upload Security #3586
Dear Daniel, thank you for your email and question. Please feel free to use this space to comment on this topic or other topics as you prefer, as this is the space where the community meets, creates synergies and improves the software. The topic you are talking about has no easy solution, and if you search this ticketing system you may find some tickets dealing with it. Limiting the extension of the file would actually limit only whistleblowers that in good faith will upload malicious files that are part of the evidence.
I see. In this case the solution may work. I know that @elbill and @msmannan00 are working on the same concept and are probably preparing a patch that, server-side, will look into the file extension to limit the type of files that could be loaded. As we process files in RAM, we may as well consider doing a check on the first 2048 bytes of the file by using the magic.Magic library:
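The check proposed in the comment above (inspect the first 2048 bytes of the upload and compare the result with the allowed file types), as an added example that is not part of the original thread or of the GlobaLeaks code. It uses a small constructed signature table in place of the libmagic-backed library so that it runs without dependencies; `SIGNATURES`, `ALLOWED`, `sniff` and `check_upload` are hypothetical names and the policy is an assumption.

```python
import codecs
import os

SNIFF_LEN = 2048  # only the head of the upload is inspected, as in the comment

# Constructed signature table (offset, magic bytes, MIME type); stand-in for libmagic.
SIGNATURES = [
    (0, b"%PDF-", "application/pdf"),
    (0, b"\x89PNG\r\n\x1a\n", "image/png"),
    (0, b"\xff\xd8\xff", "image/jpeg"),
    (0, b"PK\x03\x04", "application/zip"),
    (0, b"MZ", "application/x-dosexec"),
    (0, b"\x7fELF", "application/x-executable"),
]

# Hypothetical per-site policy: extension -> content types accepted for it.
ALLOWED = {
    ".pdf": {"application/pdf"},
    ".png": {"image/png"},
    ".jpg": {"image/jpeg"},
    ".jpeg": {"image/jpeg"},
    ".docx": {"application/zip"},  # OOXML documents are ZIP containers
    ".txt": {"text/plain"},
}

def sniff(head: bytes) -> str:
    """Classify an upload from its first SNIFF_LEN bytes."""
    head = head[:SNIFF_LEN]
    if not head:
        return "application/x-empty"
    for offset, magic, mime in SIGNATURES:
        if head.startswith(magic, offset):
            return mime
    if b"\x00" not in head:
        try:
            # Incremental decoder tolerates a multi-byte character cut at the 2048 boundary.
            codecs.getincrementaldecoder("utf-8")().decode(head)
            return "text/plain"
        except UnicodeDecodeError:
            pass
    return "application/octet-stream"

def check_upload(filename: str, head: bytes):
    """Return (accepted, detail); the extension and the sniffed content must agree."""
    ext = os.path.splitext(filename)[1].lower()  # last extension only: a.pdf.exe -> .exe
    detected = sniff(head)
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if detected not in ALLOWED[ext]:
        return False, f"content is {detected}, not valid for {ext}"
    return True, detected
```

A match only shows that the declared extension and the leading bytes agree; a well-formed PDF or DOCX can still carry active content, so this complements the antivirus scan rather than replacing it.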
Dear GlobalLeaks Team,
I hope this message finds you well. We are writing to you from the City Administration of Neustadt an der Weinstraße in Germany. We have been utilizing your platform to facilitate secure whistleblowing and confidential reporting within our organization and to the public. We greatly appreciate the service you provide.
We are reaching out to discuss a pressing matter regarding the security of file uploads on the platform. While we currently employ an antivirus program to mitigate potential risks, it has come to our attention that this approach is not foolproof in preventing the upload of malicious code or harmful files. Given the sensitivity of the information we handle and the potential consequences of security breaches, we are exploring additional security measures to safeguard the integrity of the uploaded data.
We would like to request the possibility of implementing enhanced file upload security mechanisms that would allow us to restrict the types of files that can be uploaded to our platform. This would greatly enhance our ability to prevent the inadvertent upload of harmful content. We understand that this may require custom development and integration into the existing platform, and we are prepared to offer compensation for these enhancements.
The security and confidentiality of the information shared on our platform are of paramount importance to us. We believe that by working together to strengthen the upload security features, we can provide a safer environment for whistleblowers to come forward and share vital information without the risk of uploading potentially malicious files.
We kindly ask for the opportunity to discuss this matter further with your technical team to explore the feasibility of implementing these security enhancements. If you require any additional information from our end, please do not hesitate to ask.
We look forward to your response and hope to collaborate with you to ensure a more secure and reliable platform for whistleblowing and confidential reporting.
Thank you for your attention and consideration.
Sincerely,
Daniel Davidovskiy
City Administration of Neustadt an der Weinstraße
[email protected]