
Question about security #119

Open
escaroda opened this issue Jul 14, 2015 · 1 comment

@escaroda

Great package! But I have one question:

How secure is this package?

We declare these fileRestrictions:

```javascript
Slingshot.fileRestrictions("myFileUploads", {
  allowedFileTypes: ["image/png", "image/jpeg", "image/gif"],
  maxSize: 10 * 1024 * 1024 // 10 MB (use null for unlimited).
});
```

Is it possible for a user to upload some garbage that wouldn't be an image?
Because I'm using the returned link and assigning it to the user's avatar field. I'm scared that somebody will make a "broken image" just for fun. Is it possible? Or will Amazon somehow restrict anything that is not an image (even if it has an image extension)? Thanks!

@gsuess
Contributor

gsuess commented Jul 14, 2015

AWS will not verify the sanity of the file contents and whether it matches the content-type. However, it will ensure that the content-type sent in the header is one of the given mime-types.

So if the client uploads something that is not an image with a spoofed content-type, then the browser will see it as a broken image. Normally this is not a security issue unless there is a bug in the client browser that allows some sort of buffer overflow exploit or something.

Technically that would be a security issue, not with your app or this package, but with the browser.

However, if you really would like to protect users from these kinds of exploits, I suggest that you do some sort of image validation on AWS Lambda.
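An added example of the post-upload validation gsuess suggests; it is not code from Slingshot or from either commenter. It assumes a Lambda-style handler has the object body and the Content-Type that S3 stored, and it checks the file's magic bytes against the declared type (PNG, JPEG, GIF) and against the maxSize from the fileRestrictions above, which is exactly what the S3 policy itself never inspects.

```javascript
// Added example (assumed handler shape, not Slingshot's own code): S3's presigned
// POST policy only constrains the declared Content-Type and the size, never the
// payload, so the bytes are sniffed here before the link is trusted as an avatar.

const MAGIC = {
  "image/png":  [Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])],
  "image/jpeg": [Buffer.from([0xff, 0xd8, 0xff])],
  "image/gif":  [Buffer.from("GIF87a", "ascii"), Buffer.from("GIF89a", "ascii")],
};

const MAX_SIZE = 10 * 1024 * 1024; // mirrors maxSize from the fileRestrictions above

// Return the MIME type the leading bytes actually identify, or null if none match.
function sniffImageType(buf) {
  for (const [mime, sigs] of Object.entries(MAGIC)) {
    const hit = sigs.some((sig) => buf.length >= sig.length && buf.subarray(0, sig.length).equals(sig));
    if (hit) return mime;
  }
  return null;
}

// Decide whether an uploaded object is acceptable. declaredType is the
// Content-Type S3 stored (the one the policy accepted); buf is the object body.
function validateUpload(buf, declaredType) {
  if (buf.length === 0) return { ok: false, reason: "empty object" };
  if (buf.length > MAX_SIZE) return { ok: false, reason: "exceeds maxSize" };
  if (!(declaredType in MAGIC)) return { ok: false, reason: "content-type not allowed" };
  const actual = sniffImageType(buf);
  if (actual === null) return { ok: false, reason: "no recognised image signature" };
  if (actual !== declaredType) {
    return { ok: false, reason: `signature says ${actual}, header says ${declaredType}` };
  }
  return { ok: true, reason: "ok" };
}

// Constructed sample inputs: a PNG signature plus the start of its IHDR chunk,
// and an HTML document uploaded with a spoofed image/png Content-Type.
const PNG_HEADER = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const SPOOFED = Buffer.from("<!DOCTYPE html><html>not an image</html>", "utf8");

console.log(validateUpload(PNG_HEADER, "image/png"));  // accepted
console.log(validateUpload(SPOOFED, "image/png"));     // rejected: no image signature
console.log(validateUpload(PNG_HEADER, "image/jpeg")); // rejected: header/signature mismatch
```

A rejected object would then be deleted from the bucket (or moved to quarantine) before the avatar field is updated, so a broken or mislabelled file never reaches other users' browsers.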
